Hallo!

I am in the middle of re-reading my firewall's pf rules and trying to set
them up more the OpenBSD way, but it seems that I can't figure out on
my own the meaning of state-policy, though I have read the manual several
times and also searched the list archive.

In a test environment I have the following setup of three boxes, with
OpenBSD in the middle as the router:

10.0.99.2 <----> 10.0.99.1 (nfe0) PF 192.168.1.102 (rl0) <----> 192.168.1.254

First, let's start with the if-bound state-policy; pf.conf goes like this:

set state-policy if-bound
block all
pass in quick on rl0
pass out quick on nfe0

I verified I can connect successfully from right to left, i.e.

192.168.1.254# ssh [EMAIL PROTECTED]

and at the same time two state entries appear, whose existence I can
confirm from pfctl -ss's output:

rl0 tcp 10.0.99.2:22 <- 192.168.1.254:37848 ESTABLISHED:ESTABLISHED
nfe0 tcp 192.168.1.254:37848 -> 10.0.99.2:22 ESTABLISHED:ESTABLISHED

# pfctl -sa | grep -i "current entries" says:
current entries 2

Secondly, leaving the set state-policy line out, i.e. effectively setting
it to floating, I see these two states:

all tcp 10.0.99.2:22 <- 192.168.1.254:22290 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.254:22290 -> 10.0.99.2:22 ESTABLISHED:ESTABLISHED

pftop -a -b also shows two lines in both cases, similar to this:

tcp I 192.168.1.254:3203 10.0.99.2:22 4:4 1 86399 5 311
tcp O 192.168.1.254:3203 10.0.99.2:22 4:4 1 86399 5 311

and lastly I tried to leave the last pass out line out, using the floating
state-policy, and can't connect any more.

The manual says about these two policies:

    * if-bound - states are bound to the interface they're created on.
      If traffic matches a state table entry but is not crossing the
      interface recorded in that state entry, the match is rejected. The
      packet must then match a filter rule or will be dropped/rejected
      altogether.
    * floating - states can match packets on any interface. As long as
      the packet matches a state entry and is passing in the same
      direction as it was on the interface when the state was created,
      it does not matter what interface it's crossing, it will pass.

Obviously I must be using the floating state-policy feature incorrectly,
since in both cases I have the same number of rules and states, but from
the manual I have the impression that using the floating policy the pf
ruleset gets simplified.

I would be most thankful if somebody could give me an example, in the
light (or should I say darkness) of my tests, of how using different
state-policies makes a difference in arranging rules and also in the
number of states.

And also, is it correct to think of states as associated with a specific
interface, or with the kernel in general?


Best regards,

Imre Oolberg

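Added example, not part of the post above and not pf's own code: a small Python model of pf's state lookup that follows only the two manual paragraphs quoted in the post (a state remembers the interface it was created on; if-bound rejects a match on any other interface; floating matches on any interface as long as the packet travels in the same direction). "Same direction" is modelled here as: the initiator's packets travel in the state's direction and the peer's replies travel the opposite way, which is how a single state covers both halves of a connection. NAT, sequence tracking, timeouts and rule options are left out. The topology, addresses and ports are the ones from the post; the ssh flow is constructed traffic, and the third interface nfe1 used for the asymmetric-routing case is an assumption introduced only to show where the two policies actually diverge.

```python
"""
Toy model of pf state matching under 'set state-policy if-bound' and
'floating'.  Illustrative only, not pf's code.  It reproduces the three
observations in the post (two states in both policies; no connection when
the 'pass out' rule is dropped) and one case where the policies differ.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ifname: str      # interface the packet is crossing
    direction: str   # "in" or "out", relative to the firewall
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self):
        # Unordered 5-tuple so both halves of a conversation share one key.
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (self.proto,) + (a + b if a < b else b + a)


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" for 'pass in', "out" for 'pass out'
    ifname: str      # the 'on <ifname>' part


@dataclass
class State:
    ifname: str      # interface recorded at creation; "all" when floating
    direction: str   # direction of the packet that created the state
    flow: tuple
    initiator: tuple # (addr, port) of the side that opened the connection

    def matches(self, pkt, policy):
        if self.flow != pkt.flow():
            return False
        if policy == "if-bound" and self.ifname != pkt.ifname:
            return False                     # bound to another interface
        if pkt.direction == self.direction:  # initiator's own packets
            return (pkt.src, pkt.sport) == self.initiator
        return (pkt.dst, pkt.dport) == self.initiator  # replies to it

    def describe(self):
        # Same shape as the pfctl -ss lines in the post.
        ends = (self.flow[1:3], self.flow[3:5])
        peer = next(p for p in ends if p != self.initiator)
        init, peer = "%s:%d" % self.initiator, "%s:%d" % peer
        arrow = ("%s -> %s" % (init, peer) if self.direction == "out"
                 else "%s <- %s" % (peer, init))
        return "%s %s %s" % (self.ifname, self.flow[0], arrow)


class Pf:
    def __init__(self, policy, rules):
        assert policy in ("if-bound", "floating")
        self.policy, self.rules, self.states = policy, list(rules), []

    def test(self, pkt):
        """Filter one packet; 'block all' is the implicit default."""
        if any(st.matches(pkt, self.policy) for st in self.states):
            return "pass"
        if not any(r.direction == pkt.direction and r.ifname == pkt.ifname
                   for r in self.rules):
            return "block"
        # A matching pass rule creates state (keep state is the default).
        bound = "all" if self.policy == "floating" else pkt.ifname
        self.states.append(State(bound, pkt.direction, pkt.flow(),
                                 (pkt.src, pkt.sport)))
        return "pass"

    def forward(self, pkt, out_if):
        """Route one packet through the box: in on pkt.ifname, out on out_if."""
        if self.test(pkt) == "block":
            return "block"
        return self.test(Packet(out_if, "out", pkt.proto, pkt.src, pkt.sport,
                                pkt.dst, pkt.dport))


# Constructed traffic for the post's topology:
# 10.0.99.2 <-> (nfe0) PF (rl0) <-> 192.168.1.254, ssh from right to left.
SYN = Packet("rl0", "in", "tcp", "192.168.1.254", 37848, "10.0.99.2", 22)
BOTH_RULES = [Rule("in", "rl0"), Rule("out", "nfe0")]


def ssh_handshake(policy, rules, reply_if="nfe0"):
    """SYN right-to-left, SYN/ACK back in on reply_if (nfe1 = assumed
    asymmetric return path).  Returns (verdicts, pfctl -ss style lines)."""
    pf = Pf(policy, rules)
    v1 = pf.forward(SYN, "nfe0")
    reply = Packet(reply_if, "in", "tcp", "10.0.99.2", 22, "192.168.1.254", 37848)
    v2 = pf.forward(reply, "rl0") if v1 == "pass" else "block"
    return (v1, v2), [st.describe() for st in pf.states]


if __name__ == "__main__":
    cases = [("if-bound, both rules", "if-bound", BOTH_RULES, "nfe0"),
             ("floating, both rules", "floating", BOTH_RULES, "nfe0"),
             ("floating, no pass out", "floating", [Rule("in", "rl0")], "nfe0"),
             ("if-bound, reply in on nfe1", "if-bound", BOTH_RULES, "nfe1"),
             ("floating, reply in on nfe1", "floating", BOTH_RULES, "nfe1")]
    for label, pol, rules, rif in cases:
        verdicts, lines = ssh_handshake(pol, rules, rif)
        print(label, verdicts, "current entries", len(lines))
        for line in lines:
            print("   ", line)
```

Under this model the first two cases give the same two states (bound to rl0/nfe0 versus "all") because the SYN crosses the box outbound on nfe0, which is not the direction of the state created inbound on rl0, so a second rule and a second state are needed either way; dropping the pass out rule blocks the SYN on nfe0 under floating just as in the post. The policies only part ways when a packet of an existing state shows up on an interface other than the one it was created on (the assumed nfe1 return path): floating still matches it, if-bound falls back to the ruleset and blocks it.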