pf's states
Dave Cottlehuber
dch at skunkwerks.at
Tue Dec 3 08:51:53 UTC 2019
TLDR: add log to the rules, then start pflog, use wireshark or tcpdump on the pflog interface and you can see exactly which rule is applied to that packet.
On Tue, 3 Dec 2019, at 08:05, Victor Sudakov wrote:
> Morgan Wesström wrote:
> >
> > - Your initial telnet SYN will create state on $inside through rule 3.
> > - There should be no state created on $dmz.
> > - Your SYN+ACK reply and further replies will be passed by pf's default
> > pass behaviour on $dmz.
>
> OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.
>
> 1. Here is the picture without the "block..." rule:
>
> root at inside:~ # ping dmz.test
> PING dmz.test (172.16.1.10): 56 data bytes
> 64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
> 64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
> 64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
> 64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
> 64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms
>
> root at fw:~ # pfctl -s rules ; echo ; pfctl -s state
> pass in on vtnet1 all flags S/SA keep state
> pass in on vtnet2 all flags S/SA keep state
>
> all icmp 172.16.1.10:1283 <- 192.168.10.3:1283 0:0
> all icmp 192.168.10.3:1283 <- 172.16.1.10:1283 0:0
> root at fw:~ #
>
> 2. Here is the picture with the "block..." rule uncommented:
>
> root at inside:~ # ping dmz.test
> PING dmz.test (172.16.1.10): 56 data bytes
> (no reply)
>
> root at fw:~ # pfctl -s rules ; echo ; pfctl -s state
> pass in on vtnet1 all flags S/SA keep state
> block drop in on vtnet1 inet from any to 192.168.0.0/16
> pass in on vtnet2 all flags S/SA keep state
>
> all icmp 172.16.1.10:8707 <- 192.168.10.3:8707 0:0
> root at fw:~ #
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49 at fidonet http://vas.tomsk.ru/
>
--
Dave Cottlehuber
+43 67 67 22 44 78
Managing Director
Skunkwerks, GmbH
http://skunkwerks.at/
ATU70126204
Firmenbuch 410811i
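The procedure Dave describes ends with a pflog capture, and the useful bit of each captured packet is the pf header that tcpdump prints in front of it when run with -e (for example `tcpdump -n -e -i pflog0`): `rule N/M(match): action direction on interface:`, where N is the rule index shown by `pfctl -vvs rules` as @N. The parser below is an added example, not code from this thread or from the pf/FreeBSD projects. It assumes the rules carry the `log` keyword (a `pass ... keep state` rule logs only the packet that creates the state unless written `log (all)`), that pflog is running, and the FreeBSD tcpdump header format above. The log lines are constructed, in that shape, to show what one would expect if the `block drop in on vtnet1 ... to 192.168.0.0/16` rule from the quoted ruleset is what eats the echo replies and SYN+ACKs; they are not a capture from the original poster's firewall.

```python
import re
from collections import Counter
from typing import Optional

# pf header that tcpdump -e prepends on pflog0, e.g.
#   "rule 1/0(match): block in on vtnet1: 172.16.1.10 > 192.168.10.3: ICMP echo reply, ..."
# Rules inside an anchor appear as "rule 3.anchorname/0(match): ...".
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)(?:\.(?P<anchor>[^/]+))?/(?P<sub>\d+)"
    r"\((?P<reason>[^)]+)\): "
    r"(?P<action>\S+) (?P<direction>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<payload>.*)"
)

# Constructed sample lines (not a real capture): one ICMP echo request passed and
# state created by rule @2 on vtnet2, its replies dropped by rule @1 on vtnet1,
# then the same pattern for a telnet SYN and its SYN+ACK.
SAMPLE_PFLOG = """\
08:51:53.000001 rule 2/0(match): pass in on vtnet2: 192.168.10.3 > 172.16.1.10: ICMP echo request, id 8707, seq 0, length 64
08:51:53.000532 rule 1/0(match): block in on vtnet1: 172.16.1.10 > 192.168.10.3: ICMP echo reply, id 8707, seq 0, length 64
08:51:54.000610 rule 1/0(match): block in on vtnet1: 172.16.1.10 > 192.168.10.3: ICMP echo reply, id 8707, seq 1, length 64
08:51:55.100000 rule 2/0(match): pass in on vtnet2: 192.168.10.3.50123 > 172.16.1.10.23: Flags [S], seq 1, win 65535, length 0
08:51:55.100700 rule 1/0(match): block in on vtnet1: 172.16.1.10.23 > 192.168.10.3.50123: Flags [S.], seq 2, ack 2, win 65535, length 0
"""


def parse_pflog_line(line: str) -> Optional[dict]:
    """Return the fields of the pf header, or None if the line carries no pf header."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])   # index matching @N in `pfctl -vvs rules`
    rec["sub"] = int(rec["sub"])
    return rec


def rule_hits(lines) -> dict:
    """Count logged packets per (rule index, action, direction, interface)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None:
            counts[(rec["rule"], rec["action"], rec["direction"], rec["iface"])] += 1
    return dict(counts)


def blocked_flows(lines) -> list:
    """Distinct (src, dst, interface, rule index) for packets a block rule dropped,
    in first-seen order, so the offending rule can be looked up with pfctl."""
    seen = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None and rec["action"] == "block":
            key = (rec["src"], rec["dst"], rec["iface"], rec["rule"])
            if key not in seen:
                seen.append(key)
    return seen


def report(lines) -> list:
    """Human-readable summary lines for the capture."""
    out = []
    for (rule, action, direction, iface), n in sorted(rule_hits(lines).items()):
        out.append(f"rule @{rule}: {action} {direction} on {iface}: {n} packet(s)")
    for src, dst, iface, rule in blocked_flows(lines):
        out.append(f"dropped on {iface} by rule @{rule}: {src} -> {dst}")
    return out


if __name__ == "__main__":
    # Feed a live capture instead with:  tcpdump -n -e -l -i pflog0 | python3 pflog_rules.py
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_PFLOG.splitlines()
    for text in report(src):
        print(text)
```

Once the rule index is known, `pfctl -vvs rules` shows the matching rule as @N with its evaluation and packet counters, which removes the guesswork about whether the state on $inside or the block rule on $dmz is deciding the fate of the reply.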