Date:      Wed, 16 May 2007 14:59:49 -0500
From:      David DeSimone <fox@verio.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: Packet Path Through PF (once for each interface?)
Message-ID:  <20070516195948.GA22335@verio.net>
In-Reply-To: <464B487C.1050301@tomjudge.com>
References:  <464B487C.1050301@tomjudge.com>


Tom Judge <tom@tomjudge.com> wrote:
>
> I have a question about the number of times a packet passes through pf 
> on a router.

The PF subsystem always examines every packet that passes in or out an
interface.  For a forwarded packet that means it will be examined twice.

However, your question seems to be more in regards to whether the packet
gets matched against the rulebase.  That is sort of a subtly different
question.

> 172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24
> 
> Does a packet being routed from em0 to em1 pass through PF twice?
> 
> Would the following example work to only pass ssh connections from 
> 172.31.0.0/24 into 172.31.1.0/41
> 
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> block in log inet from any to any
> block out log inet from any to any

Because of the "keep state" qualifier, PF will build a state entry,
which allows matching packets to be passed, without examining the
rulebase.  So, PF does indeed examine every packet, once when it comes
in an interface, again when the packet goes out the opposite interface,
but because a state table entry matches the packet, it is allowed to
pass without examining the rulebase beyond the first packet.

So, packets are "passed through" PF, but the rulebase is "passed
through" only once for packets matching the rule.

> Or do I have to have the following rules for it to work?
> 
> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state

If you were to leave out the "keep state" qualifier, you would need
rules matching the inbound and outbound packets.  I think you would
find, if you went ahead and tried the above, that the second rule never
sees any matches, because the first rule handles them and builds state
which causes the second rule to never be used.

-- 
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous."  -- Robert Benchley
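As an added illustration of the evaluation order described in the reply above (every routed packet examined on both interfaces, state lookup before the ruleset, "quick" short-circuiting last-match-wins), here is a small Python model; it is not PF's code. It assumes TCP only, one flow direction, and PF's default floating state keyed only on addresses and destination port, so the interface is not part of the state key.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
@dataclass
class Rule:
    action: str              # "pass" or "block"
    direction: str           # "in" or "out"
    iface: str = None        # None: any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    port: int = None         # None: any port
    quick: bool = False
    keep_state: bool = False
    hits: int = 0            # times the rule matched during ruleset evaluation

    def matches(self, pkt, iface, direction):
        return (self.direction == direction and self.iface in (None, iface)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.port in (None, pkt.dport))

class PF:
    def __init__(self, rules):
        self.rules, self.states, self.examined = rules, set(), 0

    def filter(self, pkt, iface, direction):
        """One pass through pf on one interface; state lookup precedes the ruleset."""
        self.examined += 1
        key = (pkt.src, pkt.dst, pkt.dport)   # floating state (assumed): no interface in key
        if key in self.states:
            return "pass"
        verdict, keep = "pass", False         # pf's default when no rule matches
        for rule in self.rules:
            if rule.matches(pkt, iface, direction):
                rule.hits += 1
                verdict, keep = rule.action, rule.keep_state   # last match wins ...
                if rule.quick:                                  # ... unless quick
                    break
        if verdict == "pass" and keep:
            self.states.add(key)
        return verdict

def forward(pf, pkt, in_if, out_if):
    """A routed packet is examined twice: in on in_if, then out on out_if."""
    if pf.filter(pkt, in_if, "in") == "block":
        return "block"
    return pf.filter(pkt, out_if, "out")
```

With the three-rule set from the question, the first ssh packet matches the "pass in quick ... keep state" rule on em0 and creates state, so the outbound pass on em1 comes from the state table and a second "pass out" rule on em1 never counts a match.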