Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 26 Sep 2006 19:35:08 +0200
From:      Peter Schuller <peter.schuller@infidyne.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pf + ipv6 + keep state - any known issues?
Message-ID:  <200609261935.09003.peter.schuller@infidyne.com>
In-Reply-To: <45164C0C.5010406@infracaninophile.co.uk>
References:  <200609240036.12322.peter.schuller@infidyne.com> <45164C0C.5010406@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help 
> Are you using antispoofing rules on your external interface?  If you've got
> something like this in your ruleset:
>
>    antispoof log quick for $ext_if
>
> Then it will expand into a series of rules containing the following when
> you load them:

Thank you for responding!

No, this is not the issue. I *am* performing antispoof on my physical 
interface, but not on the tunnel interface.

After some further investigation my current theory is that I have run into the 
trouble with pf and a packet traversing an interface twice.

Having a 'keep state' on the *incoming* direction results in a state entry 
according to pfctl. But no state entry for the 'keep state' in the outgoing 
direction.

The result being that while packets coming into port 22 are allowed and state 
set up, but the responding packets (to some random source port) are NOT 
allowed because the outgoing direction yielded no state entry.

I am not sure what the behavior is supposed to be with a packet traversing the 
same interface twice, except I have seen references to the effect of "don't 
be stupid, don't do that, get another NIC" (for the typical firewall/gateway 
case). Except in this case that does not apply, even if you agree with the 
sentiment to begin with.

Can anyone confirm or deny whether "double" traversal *IS* supposed to work 
without difficulties/special cases on current versions of pf/FreeBSD?

Thanks!

-- 
/ Peter Schuller, InfiDyne Technologies HB

PGP userID: 0xE9758B7D or 'Peter Schuller <peter.schuller@infidyne.com>'
Key retrieval: Send an E-Mail to getpgpkey@scode.org
E-Mail: peter.schuller@infidyne.com Web: http://www.scode.org

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200609261935.09003.peter.schuller>