pf's states
Max
maximos at als.nnov.ru
Wed Dec 4 10:29:01 UTC 2019
You should explicitly pass initial packet(s) through both interfaces.
We have following rules:
@0 pass in on $dmz
@1 block in on $dmz from any to 192.168.0.0/16
@2 pass in on $inside
1. first packet arriving on $inside from 192.168.10.3 to 172.16.1.10
2. pf searching a state using a hash based on src and dst
192.168.10.3-172.16.1.10
3. there is no such state
4. maching against ruleset
5. using rule @2
6. creating a state with key 192.168.10.3-172.16.1.10
7. making routing decision
8. sending a packet through $dmz from 192.168.10.3 to 172.16.1.10
9. pf recieving outgoing packet, in this case reversing src and dst
10. searching a state using a key 172.16.1.10-192.168.10.3
11. there is no such state
12. using default pass, no state created
13. recieving reply on $dmz from 172.16.1.10 to 192.168.10.3
14. searching a state using a (straight) key 172.16.1.10-192.168.10.3
15. there is no such state
16. matching against ruleset
17. using rule @1
Hope I am correct. :)
So, you can modify first rule:
@0 pass on $dmz (no direction keyword)
Now pf can create a state when sending initial packet from 192.168.10.3
to 172.16.1.10. Outgoing packet will generate a state with reversed key
172.16.1.10-192.168.10.3. Then reply packet(s) will match this state
(traffic from 172.16.1.10 to 192.168.10.3).
Or you can create "pass out on $dmz..." rule.
02.12.2019 16:40, Victor Sudakov пишет:
> Max wrote:
>> Is this a complete ruleset?
> For this lab, yes, almost complete. There is only one more line,
> "nat on $outside ...", but strickly speaking, "nat" is not a rule.
>
>> What about "pass out..." rules?
> Why would I need them? In pf, it's "pass" by default.
>
>> You should
>> check other rules since you have no "quick" in your listed rules.
> 1. There are no other rules.
>
> 2. Even if there were, they should be irrelevant because the
> "pass in on $inside" rule should create state, and states are processed
> before rules.
>
>> The last matching rule decides what action is taken.
> The last matching rule on the $inside interface is
> "pass in on $inside".
>
> The last matching rule on the $outside interface is
> "block in on $dmz from any to 192.168.0.0/16"
>
>
More information about the freebsd-pf
mailing list