On Tue, Jan 16, 2007 at 08:03:52PM +0100, Samuel Mo?ux wrote:
> With this config, I can't access "dmz hosts" from lan or internet. The
> state gets created:
> 
> all tcp $dmz_ip:25 <- 192.168.1.161:19399       CLOSED:SYN_SENT
> 
> but the response is blocked:
> 
> Jan 16 19:32:59.627083 rule 0/(match) block in on xl2: $dmz_ip.25 >
> 192.168.1.161.19399: [|tcp] (DF)
> 
> So, there's something I don't understand from pf.conf man page
> "
>     If a packet matches a pass ... keep state rule, the filter creates a
>     state for this connection and automatically lets pass all subsequent
>     packets of that connection.
> "
> 
> If just someone could show me what's wrong here, and why....

Someone please correct me if I'm wrong, but I believe that the 'keep state'
only applies to the opposite packets through the same interface. For
example:

     pkt1    +----------------+   pkt1'
    -------> | ext_if  int_if | ------>
    <------- |                | <------
     pkt2    +----------------+   pkt2'

A rule which matches pkt1 inbound on ext_if with "keep state" will also
match pkt2 outbound on ext_if.

But I believe you will need another rule to permit pkt1' outbound via
int_if. If that rule has "keep state" then it will also match pkt2' inbound
via int_if.

If you look at the example at
http://www.openbsd.org/faq/pf/example1.html
you will see that they deal with this by a global "pass out keep state"
rule. Try adding this to your ruleset after your "block in log all".

If you were to argue that pf.conf(5) is unclear on this point, especially
where it says

     By default, packets coming in and out of any interface can match a state

then I would not disagree with you :-)

HTH,

Brian.
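The ruleset arrangement Brian describes, written out as a constructed pf.conf fragment (this is an added illustration, not Samuel's actual config or anything from the OpenBSD FAQ). The interface names, macros and the 192.168.1.0/24 LAN block are assumptions; $dmz_ip stands for the DMZ mail host as in the quoted log lines.

```pf
# Constructed example: interfaces and addresses are placeholders.
ext_if = "xl0"          # Internet-facing interface (assumed name)
int_if = "xl1"          # LAN interface (assumed name)
dmz_if = "xl2"          # DMZ interface, as in the quoted block log line
dmz_ip = "10.0.0.25"    # placeholder for the DMZ mail host
lan_net = "192.168.1.0/24"

# Default deny, logged, so blocked packets show up on pflog0.
block in log all

# pkt1: SMTP from the LAN arriving inbound on int_if. "keep state" here
# covers pkt2 (the reply leaving int_if toward the LAN) as Brian describes.
pass in on $int_if proto tcp from $lan_net to $dmz_ip port 25 keep state

# pkt1': the same connection must still be allowed outbound on dmz_if.
# Without a matching "pass out" rule, Samuel's log line "block in on xl2"
# is the DMZ host's reply (pkt2') hitting the default block above.
# The global "pass out keep state" the FAQ uses covers pkt1' on every
# interface, and its state then lets pkt2' back in on dmz_if.
pass out keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, and after loading, `pfctl -s states` should show a second state entry for the DMZ-side leg of the connection (the one whose absence produced the "block in on xl2" line), while `tcpdump -n -e -ttt -i pflog0` shows whether anything is still being dropped by the logged block rule.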
