On Mon, May 02, 2022 at 03:47:02PM +0100, Ian Chilton wrote:
> Hi Claudio!
> 
> On Mon, May 2, 2022 at 9:24 AM Claudio Jeker <[email protected]> wrote:
> > You have asymmetric routing and with that stateful firewall rules will
> > cause you problems. In your case gw1 will block the ICMP reply because it
> > never encountered the ICMP request matching that reply.
> 
> I do have pfsync on the hosts, so the state table is synchronised.
> 
> Do you not use pfsync at all?

I only use pfsync if I have a pair of redundant firewalls. In that case
both firewalls connect to the same networks upstream and downstream and
they are identical.
pfsync(4) is at best eventually consistent and it is not fast enough to
handle asymmetric routing. Sure there is the option to defer packets until
after a state has been synced but that is a band-aid introducing additional
delays in all connections.

> > On most of my BGP routers I have either pf disabled or I write the ruleset
> > so that only local traffic is stateful but all forwarded traffic uses a
> > no-state rule. IIRC even sloppy-state tracking will block some traffic
> > that's why I avoid that option.
> 
> Interesting.
> 
> Would you be willing to share your rules (or at least a redacted
> version) off-list, as a real example of how you do this?

Right now I run all border routers with pf disabled.

If not I would normally use something like:
set block-policy drop

pass no state
block all to <self>
pass in proto tcp from <allowed> to <self> port { bgp ssh }
# more rules using to <self> here
# locally initiated connections should establish state
pass out ! received-on any

I normally want my routers not to block traffic; this is why I disable pf.
In some cases I use 'set skip on { interfaces }' to bypass some interfaces
and just filter on some others. 'set skip on' is faster than evaluating a
ruleset for every packet. I try to stay away from sloppy state matching
but in some cases it is required (e.g. to alter the MTU):

pass on gif0 inet proto tcp scrub (max-mss 1440) keep state (sloppy)
pass on gif0 inet6 proto tcp scrub (max-mss 1420) keep state (sloppy)

One reason I prefer to have no states on routers is the fact that
during an attack the state table can easily hit the limit.

I do have redundant firewalls with BGP and on those pfsync is used.
On those systems BGP announces the internal network with the nexthop of
the carp IP. The firewalls each have individual IPs as well and I use
those IPs for outgoing traffic (not a loopback IP).
If you use a loopback IP like in your case you need to make sure that
traffic is not flowing back via the other firewall. You're in trouble
the moment you have traffic that flows partially over both firewalls.
Because of this I ssh to the firewalls with their internal or external
IPs depending on where I am.

-- 
:wq Claudio

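A fuller version of the stateless-forwarding ruleset sketched in the reply above, added here as an example and not taken from the thread. The interface name, table members and state limit are constructed placeholders, and the ICMP rules are one assumed way of filling in the "# more rules using to <self> here" line.

```pf
# Added example, not from the thread. Interface name, table members and the
# state limit are constructed placeholders.
int_if = "em1"

# Addresses this router itself answers on, so "to <self>" is a single match.
table <self> { self }
# BGP peers and admin hosts allowed to reach the control plane.
table <allowed> { 192.0.2.1, 192.0.2.2, 203.0.113.0/24 }

# Do not run the ruleset at all on lo0 and the trusted downstream interface:
# cheaper than evaluating rules for every forwarded packet.
set skip on { lo0 $int_if }
set block-policy drop
# State is only created for the router's own sessions, so a small table
# suffices and forwarded flows cannot exhaust it during an attack.
set limit states 10000

# Forwarded traffic: stateless, so an asymmetric return path is never dropped
# for lack of a matching state entry.
pass no state

# Nothing reaches the router itself unless explicitly allowed below
# (last matching rule wins).
block all to <self>

# Control plane: BGP and SSH from known peers/admins; keep state is the default.
pass in proto tcp from <allowed> to <self> port { bgp ssh }

# ICMP the router must accept: echo, unreachable, PMTUD "packet too big",
# time exceeded, and IPv6 neighbour discovery.
pass in inet proto icmp to <self> icmp-type { echoreq unreach timex } no state
pass in inet6 proto icmp6 to <self> \
    icmp6-type { echoreq unreach toobig timex neighbrsol neighbradv } no state

# Connections the router itself initiates keep state; "! received-on any"
# matches packets originating here rather than forwarded ones.
pass out ! received-on any
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -si` afterwards to confirm the state count stays small under transit load.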