Date:      Thu, 03 Apr 2008 09:18:40 -0300
From:      Vinicius Vianna <ds@ongame.com.br>
To:        Erik Norgaard <norgaard@math.ku.dk>
Cc:        questions@freebsd.org
Subject:   Re: packet filter does not keep state
Message-ID:  <47F4CB20.3090903@ongame.com.br>
In-Reply-To: <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk>
References:  <alpine.LSU.1.00.0804021600290.1425@shannon.math.ku.dk>

Hi Erik,

Remember that any quick rule will apply to it and pf will not search 
any further; maybe you should clean up your pf.conf a little bit.
Maybe by removing all quick rules you will get what you want ;)


-----------------------------
block in log on $wlan_if inet from $wlan_net to <local_net>
pass  in log quick on $wlan_if inet proto tcp  from $wlan_net to \
     <local_net> port $local_tcp flags S/SA keep state
pass  in log quick on $wlan_if inet proto udp  from $wlan_net to \
     <local_net> port $local_udp keep state
pass  in log quick on $wlan_if inet proto icmp from $wlan_net to \
     <local_net> icmp-type $local_icmp keep state

# REMOVE THIS
# block in log quick on $wlan_if inet from $wlan_net to <local_net>

block out log on $srv_if
pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
pass out quick on $srv_if inet from $srv_ip to !<local_net> \
     keep state
# REMOVE THIS
# here you are telling pf to block this connection, regardless of all the pass
# rules above
# block out log quick on $srv_if
--------------------------------

Tell me if this helps you,

Regards,


Erik Norgaard wrote:
> Hi,
>
> I have a problem connecting from one local subnet to another crossing 
> an FBSD box with pf. Should be trivial, I have the following ruleset:
>
> <snip>
> # Local services accessible from wlan
> block in log on $wlan_if inet from $wlan_net to <local_net>
> pass  in log quick on $wlan_if inet proto tcp  from $wlan_net to \
>      <local_net> port $local_tcp flags S/SA keep state
> pass  in log quick on $wlan_if inet proto udp  from $wlan_net to \
>      <local_net> port $local_udp keep state
> pass  in log quick on $wlan_if inet proto icmp from $wlan_net to \
>      <local_net> icmp-type $local_icmp keep state
> block in log quick on $wlan_if inet from $wlan_net to <local_net>
>
> block out log on $srv_if
> pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
> pass out quick on $srv_if inet from $srv_ip to !<local_net> \
>      keep state
> block out log quick on $srv_if
> </snip>
>
> <local_net> is a table of the directly attached local networks, I try 
> to connect from my wireless to a wired lan.
>
> But, tcpdump on pflog0 shows this:
>
> 000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 >
>     192.168.0.254.80: [|tcp]
> 000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 >
>     192.168.0.254.80:  tcp 44 [bad hdr length 0 - too short, < 20]
>
> Evidently, the packet is matched by the correct pass in rule, yet no 
> state is created and it is subsequently blocked by the block out rule.
>
> I can add a pass out rule to get through, but that shouldn't be the 
> correct solution; why does pf not keep state?
>
> Thanks, Erik
>
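The pf behaviours this thread turns on (the last matching rule wins unless a matching rule is `quick`, a `pass ... keep state` match creates an entry that later packets match without the ruleset being consulted, and whether that entry is floating or bound to the interface it was created on) are easier to see in a small model. The following is an added example, not code from the thread or from pf itself. It models Erik's ruleset with assumed macro values (172.17.1.0/24 for $wlan_net, 192.168.0.0/24 for $srv_net, 192.168.0.1 for $srv_ip, ports 22 and 80 for $local_tcp; ath0 and vr0 are the interfaces in his pflog output) and runs the SYN from his log through it. It does not establish what Erik's actual cause was; the interface-bound run only shows one configuration that reproduces the log pattern he posted.

```python
"""Toy model of pf rule evaluation (added example, not code from the thread or
from pf): last match wins unless a matching rule is `quick`; `pass ... keep
state` adds a state entry; packets matching an entry skip the ruleset."""
from dataclasses import dataclass
from ipaddress import IPv4Network as Net, ip_address
from typing import Optional, Sequence


@dataclass
class Packet:
    direction: str             # "in" or "out"
    ifname: str                # interface the packet enters or leaves on
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def state_key(self, ifname: Optional[str]) -> tuple:
        # Floating states (pf's default state-policy) ignore the interface,
        # if-bound ones include it. Simplified: one direction, no reply matching.
        return (ifname, self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Rule:
    action: str                # "pass" or "block"
    direction: str
    ifname: str
    quick: bool = False
    proto: Optional[str] = None
    src: Sequence[Net] = ()    # empty = any address
    dst: Sequence[Net] = ()
    dst_negate: bool = False   # "to !<local_net>"
    dports: Sequence[int] = () # empty = any port
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        src, dst = ip_address(p.src), ip_address(p.dst)
        return ((p.direction, p.ifname) == (self.direction, self.ifname)
                and (not self.proto or p.proto == self.proto)
                and (not self.src or any(src in n for n in self.src))
                and (not self.dst or any(dst in n for n in self.dst) != self.dst_negate)
                and (not self.dports or p.dport in self.dports))


def evaluate(rules: Sequence[Rule], p: Packet) -> tuple:
    """Last matching rule decides, but a matching `quick` rule decides at once;
    returns (action, index of the deciding rule). pf's implicit default is pass."""
    winner = None
    for i, r in enumerate(rules):
        if r.matches(p):
            winner = i
            if r.quick:
                break
    return ("pass", None) if winner is None else (rules[winner].action, winner)


# Erik's ruleset with assumed macro values; ath0 and vr0 are from his pflog lines.
# The udp and icmp pass rules are left out, they cannot match a tcp packet.
WLAN_IF, SRV_IF = "ath0", "vr0"
WLAN_NET, SRV_NET = [Net("172.17.1.0/24")], [Net("192.168.0.0/24")]
LOCAL_NET = WLAN_NET + SRV_NET                          # the <local_net> table
SRV_IP, LOCAL_TCP = [Net("192.168.0.1/32")], [22, 80]  # box's vr0 address, $local_tcp


def posted_ruleset() -> list:
    return [
        Rule("block", "in", WLAN_IF, src=WLAN_NET, dst=LOCAL_NET),
        Rule("pass", "in", WLAN_IF, quick=True, proto="tcp", src=WLAN_NET,
             dst=LOCAL_NET, dports=LOCAL_TCP, keep_state=True),  # flags S/SA omitted
        Rule("block", "in", WLAN_IF, quick=True, src=WLAN_NET, dst=LOCAL_NET),
        Rule("block", "out", SRV_IF),
        Rule("pass", "out", SRV_IF, quick=True, src=SRV_IP, dst=SRV_NET, keep_state=True),
        Rule("pass", "out", SRV_IF, quick=True, src=SRV_IP, dst=LOCAL_NET,
             dst_negate=True, keep_state=True),
        Rule("block", "out", SRV_IF, quick=True),
    ]


def syn(direction: str, ifname: str) -> Packet:   # the SYN from Erik's pflog lines
    return Packet(direction, ifname, "tcp", "172.17.1.254", "192.168.0.254", 49347, 80)


def forward_syn(if_bound: bool) -> tuple:
    """Forward the SYN with a state table; per leg: ("pass", "state") or (action, rule)."""
    rules, states, decisions = posted_ruleset(), set(), []
    for p in (syn("in", WLAN_IF), syn("out", SRV_IF)):
        key = p.state_key(p.ifname if if_bound else None)
        if key in states:
            decisions.append(("pass", "state"))
            continue
        action, idx = evaluate(rules, p)
        if action == "pass" and idx is not None and rules[idx].keep_state:
            states.add(key)
        decisions.append((action, idx))
    return tuple(decisions)


def with_pass_out(position: int, quick: bool) -> tuple:
    """Erik's workaround, an explicit pass out rule inserted at `position`; ruleset only."""
    rules = posted_ruleset()
    rules.insert(position, Rule("pass", "out", SRV_IF, quick=quick,
                                src=WLAN_NET, dst=LOCAL_NET, keep_state=True))
    return evaluate(rules, syn("out", SRV_IF))


if __name__ == "__main__":
    print("floating:", forward_syn(False), "if-bound:", forward_syn(True))
    print(with_pass_out(6, True), with_pass_out(7, True), with_pass_out(6, False))
```

With floating states the outbound leg is matched by the entry the pass in rule created and never reaches the ruleset; with interface-bound states it does, rule 3 (block out) matches first and rule 6 (block out quick) ends evaluation with a block, which is the pattern in Erik's pflog lines. The last three calls show why a workaround pass out rule must sit before the final `block out quick` rule and should itself be `quick`: placed after it, or without `quick`, the trailing block still wins.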




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47F4CB20.3090903>