pf log with keep state
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Sat Nov 8 14:52:47 UTC 2014
On Friday, 7 November 2014 at 20:11:23 Karol Kornatka wrote:
> I have a pretty big network (around 2000 hosts) having connection threw
> freebsd router.
No, don't throw your router. It might still work after you fix your pf rules.
> Router is working on Dell poweredge r320 and freebsd 10.
> As firewall obviously pf with around 50000 pf state current entries and
> 200Mbitps traffic.
> I need to pass and log forwarded traffic
> For now I'm using ruleset like this:
>
> pass in quick log ( all, to pflog2) on $ds02_int_if proto tcp from
> <clients-ds02> to any port $ds02_tcp_forward_services flags S/S keep state
Every new connection (matching for S/SA flags is the default when creating a new
rule, you can see that with `pfctl -sr`, so your "flags" option does not change
much) from <clients-ds02> to $ds02_tcp_forward_services is matched by this rule
and is not processed anymore due to the quick keyword. This causes a state to be
created, so any further packets belonging to this connection never hit your
rules at all and are accepted instead (checking whether a packet belongs to an
existing state happens before matching it against rules). Every packet in such a
connection (matching the state) is logged due to the log keyword.
> pass in quick on $ds02_int_if proto tcp from <clients-ds02> to any port
> $ds02_tcp_forward_services keep state
No packets reach this rule as they match the previous one or a state created by
it.
I understand that you want to log only the fact of connections being established.
Then maybe the following thing would work:
pass in log ( all, to pflog2) \
on $ds02_int_if proto tcp \
from <clients-ds02> \
to any port $ds02_tcp_forward_services \
flags S/S no state
pass in quick \
on $ds02_int_if proto tcp \
from <clients-ds02> \
to any port $ds02_tcp_forward_services \
keep state
In this case the 1st rule matches incoming SYN packets, logs them, is not
quick, so the 2nd rule has an opportunity to match them too, but it does not
perform logging but creates the state instead. Any further packets are
forwarded due to an existing state whose rule has no log option.
I'm not sure if it will work, just a fast idea.
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
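The evaluation order described in this reply (state lookup before the ruleset, quick ending rule evaluation, the log option belonging to the rule that wins) can be checked in a toy model before touching a production router. The following is an added example written for this page; it is not pf code and not from the thread. It encodes only the pf.conf(5) semantics named in its comments (last matching pass rule wins unless quick; plain log records the state-creating packet, log (all) records every packet of the state), uses constructed packets and a hypothetical client table, and runs the thread's original ruleset, the proposed replacement, and a third variant using plain log without (all) through the model.

```python
"""Toy model of pf's packet evaluation order (added example, not pf code).

Modelled, per pf.conf(5): the state table is consulted before the ruleset;
among matching pass rules the last one wins unless a rule is 'quick';
'log' records only the packet that creates the state, 'log (all)' records
every packet of that state. Everything else about pf is left out.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str                     # TCP flags set, e.g. "S", "SA", "A", "PA"


@dataclass(frozen=True)
class Rule:
    name: str
    quick: bool = False
    log: Optional[str] = None      # None, "first" (plain log) or "all" (log (all))
    keep_state: bool = True        # pf default; "no state" sets this to False
    flags: str = "S/SA"            # pf's default flags for TCP pass rules
    clients: frozenset = frozenset()
    ports: frozenset = frozenset()

    def matches(self, p: Packet) -> bool:
        if p.src not in self.clients or p.dport not in self.ports:
            return False
        want, mask = self.flags.split("/")
        # flags a/b: of the flags listed in b, exactly those in a must be set
        return {f for f in mask if f in p.flags} == set(want)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = {}           # (src, dst, dport) -> Rule that created the state
        self.logged = []           # (packet, rule name) copies sent to pflog

    def process(self, p: Packet) -> str:
        key = (p.src, p.dst, p.dport)
        # 1. State lookup first: a packet matching a state never sees the rules.
        if key in self.states:
            creator = self.states[key]
            if creator.log == "all":
                self.logged.append((p, creator.name))
            return "pass:state"
        # 2. Rule evaluation: the last matching rule wins, 'quick' stops the walk.
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass:default"  # nothing matched; pf's implicit default is pass
        if winner.log is not None:  # both 'log' and 'log (all)' log this packet
            self.logged.append((p, winner.name))
        if winner.keep_state:
            self.states[key] = winner
        return f"pass:{winner.name}"


# Hypothetical <clients-ds02> table and $ds02_tcp_forward_services list.
CLIENTS = frozenset({"10.2.0.15"})
PORTS = frozenset({80, 443})


def client_packets():
    """Constructed client-to-server packets of one TCP connection (client side only)."""
    c, s = "10.2.0.15", "198.51.100.7"
    return [Packet(c, s, 443, "S"), Packet(c, s, 443, "A"),
            Packet(c, s, 443, "PA"), Packet(c, s, 443, "FA")]


def run(rules):
    """Return (decision per packet, names of rules whose log option fired)."""
    fw = Firewall(rules)
    decisions = [fw.process(p) for p in client_packets()]
    return decisions, [name for _, name in fw.logged]


# The thread's original ruleset: log (all) on a quick stateful rule, then a
# second quick stateful rule that nothing can reach.
ORIGINAL = [
    Rule("log_all_keep_state", quick=True, log="all", flags="S/S",
         clients=CLIENTS, ports=PORTS),
    Rule("keep_state", quick=True, clients=CLIENTS, ports=PORTS),
]
# The thread's proposal: a non-quick logging rule without state, followed by
# a quick stateful rule.
PROPOSAL = [
    Rule("log_syn_no_state", log="all", keep_state=False, flags="S/S",
         clients=CLIENTS, ports=PORTS),
    Rule("keep_state", quick=True, clients=CLIENTS, ports=PORTS),
]
# Plain 'log' (no 'all') on a single quick stateful rule, for comparison.
LOG_FIRST_ONLY = [
    Rule("log_first_keep_state", quick=True, log="first",
         clients=CLIENTS, ports=PORTS),
]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("proposal", PROPOSAL),
                         ("log without (all)", LOG_FIRST_ONLY)):
        decisions, logged = run(rules)
        print(f"{label}: decisions={decisions} logged={len(logged)} packet(s)")
```

The model applies only the winning rule's options, which is how pf handles pass rules; pf's match rules, whose options accumulate, are deliberately not modelled, so extend the model before using it to reason about rulesets that contain them.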