Date: Tue, 3 Dec 2019 14:05:55 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-pf@freebsd.org
Subject: Re: pf's states
Message-ID: <20191203070555.GA38510@admin.sibptus.ru>
In-Reply-To: <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz>
References: <20191202025642.GA99174@admin.sibptus.ru> <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net> <20191202152543.GA16128@admin.sibptus.ru> <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz>
Morgan Wesström wrote:
>
> - Your initial telnet SYN will create state on $inside through rule 3.
> - There should be no state created on $dmz.
> - Your SYN+ACK reply and further replies will be passed by pf's default
> pass behaviour on $dmz.

OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.

1. Here is the picture without the "block..." rule:

root@inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms

root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state

all icmp 172.16.1.10:1283 <- 192.168.10.3:1283       0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283       0:0
root@fw:~ #

2. Here is the picture with the "block..." rule uncommented:

root@inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
(no reply)

root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state

all icmp 172.16.1.10:8707 <- 192.168.10.3:8707       0:0
root@fw:~ #

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
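An added example (my own code, not from the thread): a small Python parser for the FreeBSD `pfctl -s state` lines quoted in the mail above, which reports ICMP states that have no state in the opposite direction, the one way in which the two listings differ. It assumes the non-NAT output format shown in the mail (`A:p <- B:q` for an inbound state, `A:p -> B:q` for an outbound one); the two sample listings are copied from the mail.

```python
import re
from collections import namedtuple

# Constructed sample input: the two `pfctl -s state` listings from the mail.
WITHOUT_BLOCK = """\
all icmp 172.16.1.10:1283 <- 192.168.10.3:1283       0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283       0:0
"""
WITH_BLOCK = """\
all icmp 172.16.1.10:8707 <- 192.168.10.3:8707       0:0
"""

State = namedtuple("State", "iface proto src dst")

# "<iface> <proto> A:p <- B:q" is an inbound state (the packet went B -> A);
# "A:p -> B:q" is an outbound one. NAT'd states, which add "(orig:port)",
# are not handled here.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>[^\s:]+):(?P<ap>\d+)\s+(?P<dir><-|->)\s+(?P<b>[^\s:]+):(?P<bp>\d+)"
)


def parse_states(text):
    """Parse pfctl state lines; src is always the host that sent the packet."""
    states = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the indented age/expiry lines of `pfctl -vs state`
        a = (m["a"], int(m["ap"]))
        b = (m["b"], int(m["bp"]))
        src, dst = (b, a) if m["dir"] == "<-" else (a, b)
        states.append(State(m["iface"], m["proto"], src, dst))
    return states


def icmp_without_counterpart(states):
    """ICMP states for which no state exists in the reverse direction.

    pf stores the ICMP echo id in the port field on both sides, so the
    reverse-direction state is the same entry with src and dst swapped.
    """
    keys = {(s.proto, s.src, s.dst) for s in states}
    return [s for s in states
            if s.proto == "icmp" and (s.proto, s.dst, s.src) not in keys]
```

Run on the first listing the report is empty; on the second it lists the single request state from 192.168.10.3, echo id 8707.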