Date:      Tue, 3 Dec 2019 10:26:09 +0100
From:      Morgan Wesström <freebsd-database@pp.dyndns.biz>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf's states
Message-ID:  <aefb012b-970d-9c64-4f5d-31133b2b68ce@pp.dyndns.biz>
In-Reply-To: <20191203034903.GA33853@admin.sibptus.ru>
References:  <20191202025642.GA99174@admin.sibptus.ru> <7a5b77d9-29d2-4fb4-b82c-3e6a194baf6e@tuxpowered.net> <20191202152543.GA16128@admin.sibptus.ru> <c17233fd-e9df-81cc-e015-89f4d5715273@pp.dyndns.biz> <20191203034903.GA33853@admin.sibptus.ru>

> Do you mean to say that a state checks not only address:port pairs, but
> also TCP flags? This is a new notion for me. What would be a "pass" rule
> to create a "catch all" state with no regard for TCP flags?

For TCP it checks the flags when the state is created. From man pf.conf:

     flags <a>/<b> | /<b> | any
           This rule only applies to TCP packets that have the flags <a> set
           out of set <b>.  Flags not specified in <b> are ignored.  For
           stateful connections, the default is flags S/SA.  To indicate that
           flags should not be checked at all, specify flags any.  The flags
           are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.

> 
>> Afaik a pass rule only creates state on the interface it
>> monitors.
> 
> I'm afraid this is an incorrect assumption.
> 
>> I did not recreate your setup to check this though. But this
>> is what should happen:
>>
>> With rule 2 remarked:
>>
>> - Your initial telnet SYN will create state on $inside through rule 3.
>> - There should be no state created on $dmz.
> 
> I'm afraid this is an incorrect assumption. According to man pf.conf, by
> default "state-policy=floating" and state is not bound to interfaces.
> The output of "pfctl -s state" does not indicate any interfaces either,
> just protocols, addresses and ports.
> 

This is weird. My state tables clearly show the interface name first on
the line instead of "all", but I use state-policy if-bound. I have no
experience with floating mode, hence my assumptions earlier. I apologize
if I was wrong.

/Morgan
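An added pf.conf example, not from this thread or from the pf project, that puts the two points discussed above side by side: the default flags S/SA (only a SYN without ACK may create state) versus flags any, and state-policy floating versus if-bound, which is what decides whether pfctl -s state prints an interface name or "all" in its first column. The interface names, addresses and macros are invented for illustration.

```conf
# Added example, not from the thread. Interface and address macros are made up.
inside   = "em0"
dmz      = "em1"
lan_net  = "192.0.2.0/24"
dmz_host = "198.51.100.10"

# Default: states float, i.e. they are not bound to the interface they were
# created on. A later packet matching the state is passed on any interface
# without rule evaluation, and "pfctl -s state" prints "all" as the interface.
set state-policy floating
# Alternative: bind each state to its interface. A matching packet arriving on
# another interface does not hit the state and is evaluated against the rules
# again. "pfctl -s state" then prints the interface name (e.g. "em0"), not "all".
# set state-policy if-bound

block log all

# Rule 1: default flag check (flags S/SA). Only a packet with SYN set and ACK
# clear, out of the SYN and ACK bits, can create state; a lone ACK, or a packet
# from a connection whose handshake pf never saw, is blocked by "block log all".
pass in on $inside proto tcp from $lan_net to $dmz_host port 23 keep state

# Rule 2: same traffic, but "flags any" lets any TCP packet create state,
# including one picked up mid-stream. pf has then not seen the handshake, so
# its sequence-number tracking would reject later packets of that connection;
# "(sloppy)" turns off sequence-number checking for states created by this rule.
pass in on $inside proto tcp from $lan_net to $dmz_host port 23 \
    flags any keep state (sloppy)

# Per-rule override of the global policy: this state is interface-bound even
# while "set state-policy floating" is in effect.
pass out on $dmz proto tcp from $lan_net to $dmz_host port 23 \
    keep state (if-bound)
```

Load it with pfctl -f, open a telnet session from the LAN, and compare pfctl -s state under each state-policy setting: with floating the first column reads "all", with if-bound it reads the interface name, which is why two people on different setups see different output for the same traffic. Note that without quick the last matching rule wins, so the telnet SYN in this file is handled by rule 2; rule 1 is kept to show the default flags S/SA form next to the flags any form.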
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?aefb012b-970d-9c64-4f5d-31133b2b68ce>