It was not my intention to argue with anybody; I was trying to understand why the packet was blocked, and my reply to Daniel got bounced, so I posted it to the list. I get it now: a state created by an IN packet doesn't match IN packets, only OUT. Thank you.

Vadym


----- Original Message -----
From: "Kian Mohageri" <[EMAIL PROTECTED]>
To: "Vadym Chepkov" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Thursday, February 28, 2008 9:56 AM
Subject: Re: floating keep state


On Wed, Feb 27, 2008 at 8:02 PM, Vadym Chepkov <[EMAIL PROTECTED]> wrote:
  set block-policy return
  set state-policy floating
  pass in log quick proto udp from any to 10.10.10.1 port domain keep state
  block in log from any to 10.10.11.254

  22:58:14.296303 rule 0/0(match): pass in on xl1: 10.10.11.254.32772 > 10.10.10.1.53:  45616+[|domain]
  22:58:14.296965 rule 1/0(match): block in on xl0: 10.10.10.1.53 > 10.10.11.254.32772:  45616*-[|domain]


States not only have address/port pairs in them (among other things),
but they also have a direction.

The request packet (coming in on xl1) creates a state that will match
the following:

  10.10.11.254:32772 ==> 10.10.10.1:53      (IN)
  10.10.10.1:53      ==> 10.10.11.254:32772 (OUT)

The same packet is filtered again on xl0, but notice it will not match
this state because its direction is now "out".  As Daniel said, it's
passed anyway because of the implicit pass rule at the end of your
ruleset (by the way this makes it difficult to troubleshoot problems).

Server receives packet and replies:

  10.10.10.1:53 ==> 10.10.11.254:32772 (IN)

Notice this will not match the state created above (direction is IN,
not OUT), and it will also be blocked by your second rule.

-Kian

PS: You'd be smart to listen to Daniel's suggestions as he wrote pf ;)

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
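
As an added illustration for this thread (example code, not part of the original mails and not pf's source), the following Python model reproduces the directional state lookup Kian describes: a floating state ignores the interface but keeps the direction of the packet that created it, so the same flow passing OUT on xl0 and the reply arriving IN on xl0 both miss the state created by the request that came IN on xl1. The rule semantics are deliberately simplified (direction, interface, destination address and port only; last match wins unless `quick`; implicit default pass). The host roles (10.10.11.254 as the client, 10.10.10.1 as the DNS server), the reconstructed four-hop path through the firewall, and the extra `pass out on xl0 ... keep state` rule shown as a fix are my assumptions; the thread itself does not state a fix.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed names for the two hosts in the quoted trace (assumed roles).
CLIENT, SERVER = "10.10.11.254", "10.10.10.1"

# A state key in this model: (direction, src, sport, dst, dport).
# Floating state policy: no interface in the key, but direction stays.
StateKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    ifname: str
    direction: str  # "in" or "out", relative to the firewall
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    ifname: Optional[str] = None   # None: any interface
    dst: Optional[str] = None      # None: any destination address
    dport: Optional[int] = None    # None: any destination port
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.ifname in (None, p.ifname)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


def _opposite(direction: str) -> str:
    return "out" if direction == "in" else "in"


class FloatingStatePF:
    """Simplified model of 'set state-policy floating' (not pf's code)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.states: Set[StateKey] = set()

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet; create state on pass+keep state."""
        same_flow: StateKey = (p.direction, p.src, p.sport, p.dst, p.dport)
        # The reply to a stored flow travels the opposite direction with src/dst swapped.
        reply: StateKey = (_opposite(p.direction), p.dst, p.dport, p.src, p.sport)
        if same_flow in self.states or reply in self.states:
            return "pass", "state"

        # No state: evaluate rules. Last match wins unless 'quick'; with no
        # matching rule at all the implicit default is pass.
        verdict, reason, winner = "pass", "implicit default pass", None
        for idx, rule in enumerate(self.rules):
            if rule.matches(p):
                verdict, reason, winner = rule.action, f"rule {idx}", rule
                if rule.quick:
                    break
        if verdict == "pass" and winner is not None and winner.keep_state:
            self.states.add(same_flow)
        return verdict, reason


def dns_exchange() -> List[Packet]:
    """The DNS request and reply as seen on both interfaces (reconstructed)."""
    req = dict(src=CLIENT, sport=32772, dst=SERVER, dport=53)
    rep = dict(src=SERVER, sport=53, dst=CLIENT, dport=32772)
    return [Packet("xl1", "in", **req),   # request enters from the client side
            Packet("xl0", "out", **req),  # request leaves toward the server
            Packet("xl0", "in", **rep),   # reply enters from the server side
            Packet("xl1", "out", **rep)]  # reply leaves toward the client


ORIGINAL_RULES = [
    Rule("pass", "in", dst=SERVER, dport=53, quick=True, keep_state=True),
    Rule("block", "in", dst=CLIENT),
]

# Assumed fix: also create state on the outbound leg, so the reply entering
# xl0 is the reverse of an OUT state and matches before the block rule.
FIXED_RULES = ORIGINAL_RULES + [
    Rule("pass", "out", ifname="xl0", dst=SERVER, dport=53, quick=True, keep_state=True),
]


def run(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Filter the exchange hop by hop; a blocked packet ends the exchange."""
    pf = FloatingStatePF(rules)
    results: List[Tuple[str, str]] = []
    for p in dns_exchange():
        results.append(pf.filter(p))
        if results[-1][0] == "block":
            break
    return results


if __name__ == "__main__":
    for label, rules in (("original ruleset", ORIGINAL_RULES), ("with pass out rule", FIXED_RULES)):
        print(label)
        for p, (verdict, why) in zip(dns_exchange(), run(rules)):
            print(f"  {verdict:5} {p.direction:3} on {p.ifname}: "
                  f"{p.src}.{p.sport} > {p.dst}.{p.dport}  ({why})")
```

With the original ruleset the model gives exactly the trace above: the request creates an IN state, its outbound copy on xl0 matches no rule and is passed by the implicit default, and the reply coming in on xl0 matches neither the state nor rule 0 and is blocked by rule 1. With the added `pass out` rule, the outbound request creates a second, OUT-direction state whose reverse is the inbound reply.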
