pf's states
Victor Sudakov
vas at sibptus.ru
Tue Dec 3 07:05:58 UTC 2019
Morgan Wesström wrote:
>
> - Your initial telnet SYN will create state on $inside through rule 3.
> - There should be no state created on $dmz.
> - Your SYN+ACK reply and further replies will be passed by pf's default
> pass behaviour on $dmz.
OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.
1. Here is the picture without the "block..." rule:
root at inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms
root at fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state
all icmp 172.16.1.10:1283 <- 192.168.10.3:1283 0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283 0:0
root at fw:~ #
2. Here is the picture with the "block..." rule uncommented:
root at inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
(no reply)
root at fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state
all icmp 172.16.1.10:8707 <- 192.168.10.3:8707 0:0
root at fw:~ #
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
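As an added illustration of the two pfctl outputs above (this is not code from the thread or from pf itself), the script below parses the quoted `pfctl -s state` lines, checks whether each ICMP conversation has a state for both directions, and evaluates the quoted ruleset for the echo reply arriving in on vtnet1 using pf's last-match-wins semantics. It reproduces the two observations: without the block rule both halves of the ping have a state; with it, only the request half has one and the reply is decided by the block rule. The rule parser is deliberately limited to the rule shapes that appear in the post; the sample input is copied from the post.

```python
"""Pair pf ICMP states and evaluate the quoted ruleset (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# `pfctl -s state` output from the post, scenario 1 (block rule commented out)
STATES_WITHOUT_BLOCK = """\
all icmp 172.16.1.10:1283 <- 192.168.10.3:1283 0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283 0:0
"""
# scenario 2 (block rule active)
STATES_WITH_BLOCK = """\
all icmp 172.16.1.10:8707 <- 192.168.10.3:8707 0:0
"""
# `pfctl -s rules` output from the post, scenario 2
RULES_WITH_BLOCK = """\
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>[^:\s]+):(?P<lport>\d+)\s+(?P<arrow><-|->)\s+"
    r"(?P<right>[^:\s]+):(?P<rport>\d+)\s+"
)
# Only the rule shapes present in the post: pass/block [drop] in|out on <if> (all | inet from X to Y)
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+drop)?\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+)\s+"
    r"(?:all|inet\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))"
)


@dataclass(frozen=True)
class State:
    iface: str       # 'all' is how pfctl prints a floating state
    proto: str
    src: str         # sender of the packet that created the state
    sport: int       # for icmp, pf shows the ICMP id in the port position
    dst: str
    dport: int
    direction: str   # 'in' or 'out'


def parse_states(text):
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        # pfctl prints inbound states as "dst <- src" and outbound ones as "src -> dst"
        if m["arrow"] == "<-":
            src, sport, dst, dport, direction = m["right"], m["rport"], m["left"], m["lport"], "in"
        else:
            src, sport, dst, dport, direction = m["left"], m["lport"], m["right"], m["rport"], "out"
        states.append(State(m["iface"], m["proto"], src, int(sport), dst, int(dport), direction))
    return states


def unpaired_conversations(states):
    """Return (proto, src, sport, dst, dport) keys that have no state for the reverse direction.
    In scenario 1 every conversation is paired; in scenario 2 the echo request stands alone."""
    keys = {(s.proto, s.src, s.sport, s.dst, s.dport) for s in states}
    return sorted(k for k in keys if (k[0], k[3], k[4], k[1], k[2]) not in keys)


def parse_rules(text):
    return [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]


def _addr_matches(spec, addr):
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(rules, iface, direction, src, dst):
    """pf semantics: the last matching rule wins (none of the quoted rules use `quick`);
    a packet that matches no rule is passed by default."""
    verdict = "pass"
    for r in rules:
        if (r["iface"] == iface and r["dir"] == direction
                and _addr_matches(r["src"], src) and _addr_matches(r["dst"], dst)):
            verdict = r["action"]
    return verdict


if __name__ == "__main__":
    rules = parse_rules(RULES_WITH_BLOCK)
    print("unpaired, scenario 1:", unpaired_conversations(parse_states(STATES_WITHOUT_BLOCK)))
    print("unpaired, scenario 2:", unpaired_conversations(parse_states(STATES_WITH_BLOCK)))
    print("echo request in on vtnet2:", evaluate(rules, "vtnet2", "in", "192.168.10.3", "172.16.1.10"))
    print("echo reply in on vtnet1:  ", evaluate(rules, "vtnet1", "in", "172.16.1.10", "192.168.10.3"))
```

The unpaired-conversation check is the part worth keeping around: run against live `pfctl -s state` output it flags flows whose reply direction never created a state, which is the symptom shown in the second scenario.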