Date: Wed, 4 Dec 2019 13:28:49 +0300 From: Max <maximos@als.nnov.ru> To: freebsd-pf@freebsd.org Subject: Re: pf's states Message-ID: <0c189ef5-61a3-209b-84a1-9982fde94073@als.nnov.ru> In-Reply-To: <20191202134047.GA14183@admin.sibptus.ru> References: <20191202025642.GA99174@admin.sibptus.ru> <90c1b342-b88a-a9bc-d475-4e6cd027f25c@als.nnov.ru> <20191202134047.GA14183@admin.sibptus.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
You should explicitly pass initial packet(s) through both interfaces. We have following rules: @0 pass in on $dmz @1 block in on $dmz from any to 192.168.0.0/16 @2 pass in on $inside 1. first packet arriving on $inside from 192.168.10.3 to 172.16.1.10 2. pf searching a state using a hash based on src and dst 192.168.10.3-172.16.1.10 3. there is no such state 4. maching against ruleset 5. using rule @2 6. creating a state with key 192.168.10.3-172.16.1.10 7. making routing decision 8. sending a packet through $dmz from 192.168.10.3 to 172.16.1.10 9. pf recieving outgoing packet, in this case reversing src and dst 10. searching a state using a key 172.16.1.10-192.168.10.3 11. there is no such state 12. using default pass, no state created 13. recieving reply on $dmz from 172.16.1.10 to 192.168.10.3 14. searching a state using a (straight) key 172.16.1.10-192.168.10.3 15. there is no such state 16. matching against ruleset 17. using rule @1 Hope I am correct. :) So, you can modify first rule: @0 pass on $dmz (no direction keyword) Now pf can create a state when sending initial packet from 192.168.10.3 to 172.16.1.10. Outgoing packet will generate a state with reversed key 172.16.1.10-192.168.10.3. Then reply packet(s) will match this state (traffic from 172.16.1.10 to 192.168.10.3). Or you can create "pass out on $dmz..." rule. 02.12.2019 16:40, Victor Sudakov пишет: > Max wrote: >> Is this a complete ruleset? > For this lab, yes, almost complete. There is only one more line, > "nat on $outside ...", but strickly speaking, "nat" is not a rule. > >> What about "pass out..." rules? > Why would I need them? In pf, it's "pass" by default. > >> You should >> check other rules since you have no "quick" in your listed rules. > 1. There are no other rules. > > 2. Even if there were, they should be irrelevant because the > "pass in on $inside" rule should create state, and states are processed > before rules. > >> The last matching rule decides what action is taken. > The last matching rule on the $inside interface is > "pass in on $inside". > > The last matching rule on the $outside interface is > "block in on $dmz from any to 192.168.0.0/16" > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0c189ef5-61a3-209b-84a1-9982fde94073>