keeping state on outgoing connections fails (?)

Peter Wullinger peter.wullinger at googlemail.com
Wed Sep 3 16:31:32 UTC 2008


I'll reply to Jeremy, since his answer somehow confused me. 

In epistula a Jeremy Chadwick, die horaque Wed Sep  3 17:26:32 2008:
> On Wed, Sep 03, 2008 at 01:09:43PM +0200, Guido van Rooij wrote:
> >
> > Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
> >
> > ep0: 1.2.3.4/24
> > bge0: 10.0.0.1/24
> >
> > ruleset (made as simple as possible):
> > pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
> > block drop out log quick on ep0 all
> > pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

A little bit of guessing led me to the (possible, I have not tested
this) culprit: Is your state-policy set to "floating" or "if-bound"?

From a casual look at the log entries and traffic snapshots you have sent,
this seems to be pf working in "if-bound" mode. In this case, the
created state table entry matches incoming on bge0, but not on
outgoing on ep0 any more (packets pass through pf twice, as expected).

This may still be a bug, but it's common to rule out all possible
culprits before spreading blame.

In epistula a Jeremy Chadwick, die horaque Wed Sep  3 17:26:32 2008:
> I'm a bit confused by these rules and your network configuration.
> Rule #1 allows any packet with a source address of 1.2.3.1, arriving on
> the ep0 interface, destined to 10.0.0.2.  How exactly are packets
> arriving on ep0 (which is bound to 1.2.3.0/24) with a destination of
> 10.0.0.2 in the first place?  That seems strange.  Is your gateway on
> your network blindly forwarding packets between networks or something?
> Or is this FreeBSD box acting *as* a gateway?
 
It seems to be a gateway, forwarding packets. What exactly do you find
strange?  Have I missed something?

Peter

-- 
Listening was an art, he had developed over the years. Because if you
listened long and hard enough, people would tell you more, they thought
they knew.  
	-- Terry Pratchett, Thief Of Time
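The two ways of acting on Peter's if-bound/floating hypothesis, written out as an added pf.conf fragment (example code, not from the original thread or from the pf project); the interface names and addresses are the ones from Guido's description, the macro names are my own:

```conf
# /etc/pf.conf -- added example, not part of the original thread.
# Interfaces and addresses as described by Guido:
#   ep0  = 1.2.3.4/24  (client 1.2.3.1 is reached through it)
#   bge0 = 10.0.0.1/24 (server 10.0.0.2 is reached through it)
ext_if = "ep0"
int_if = "bge0"
client = "1.2.3.1"
server = "10.0.0.2"

# Option A: let every state match on any interface.  With "if-bound",
# the state created by the bge0 rule below belongs to bge0 only, so the
# reply that pf sees a second time, outbound on ep0, finds no state and
# falls through to the block rule (which is what the logged drops show).
set state-policy floating

# Guido's ruleset, unchanged apart from the macros
pass in quick on $ext_if inet from $client to $server
block drop out log quick on $ext_if all
pass out quick on $int_if inet proto tcp from $client to $server keep state

# Option B (instead of the "set" line above): keep the global policy as
# it is and create state on the ep0 pass as well, so that each of the two
# passes through pf has its own matching, interface-bound entry:
# pass in quick on $ext_if inet proto tcp from $client to $server keep state
# A per-rule override is the third choice:  ... keep state (floating)
```

After loading with `pfctl -nf /etc/pf.conf` (syntax check) and `pfctl -f /etc/pf.conf`, `pfctl -s state` shows which policy is in effect: floating entries are listed with the interface column reading "all", if-bound entries with the interface name they were created on.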