On Wed, Oct 29, 2003 at 03:19:19PM +0100, Federica Renzetti wrote:
> I have some problem with "keep state",
> I want to know if this:
>
> pass in from 2001:760:1::1/128 to any
> pass in from any to 2001:760:2:1::1/128
>
> are equivalent to that:
>
> pass in from 2001:760:1::1/128 to any keep state
No, they are not equivalent. Assuming a default block policy, the former
will not allow any outgoing packets, not even outgoing replies relating
to incoming connections. It wouldn't allow any TCP connection to get
successfully established (neither incoming nor outgoing).
If you meant the first rule to read 'pass out from ...' (and possibly
2001:760:1::1/128 instead of 2001:760:2:1::1/128 in the second rule),
please correct the example.
Your stateful rule (assuming anything else is blocked) will allow only
incoming connections (not outgoing ones), but will also allow outgoing
packets that are part of those incoming connections. It will also allow
incoming and outgoing ICMP errors relating to the allowed incoming
connections, even from sources other than 2001:760:1::1/128 (like, a
router on the path between you and 2001:760:1::1/128 that sends a source
quench or redirect).
You basically can't express the same policy (pass exactly the same
packets, blocking exactly the same packets) with stateless rules. Even
more generally, 'keep state' can't be fully replaced with stateless rules.
Example:
block all
pass in proto tcp from any to $ext_if port 80 keep state
will allow only incoming connections to port 80, but all packets
relating to those connections will pass (including outgoing replies and
ICMP errors), which ensures that these connections work. Anything else
is blocked, no outgoing connections are allowed, even if they originate
from port 80.
Now compare to:
block all
pass in proto tcp from any to $ext_if port 80
pass out proto tcp from $ext_if port 80 to any
This somewhat approximates the former ruleset, allowing incoming packets
to port 80, and allowing outgoing packets from port 80 (replies).
But it will
a) block any ICMP errors, some of which (like need-to-fragment) can
be vital to the connections, breaking connections when blocked.
b) allow outgoing connections from port 80 to any external address
and port
No matter how many stateless rules you add, you'll never get exactly the
equivalent of the simple 'keep state' rule above.
Daniel
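The two rulesets Daniel compares can be replayed against a handful of packets to see exactly where the stateless approximation diverges. The following is an added illustration, not pf code and not from the original thread: a toy last-match-wins filter with a state table, fed three constructed exchanges (an inbound HTTP connection, an ICMP error from a router about that connection, and an outbound connection that happens to use source port 80). The addresses, port numbers, and the Packet/Rule/Filter names are all invented for the example; the state-tracking logic is deliberately simplified (any TCP packet matching a 'keep state' rule creates a state, and an ICMP error is matched to a state by the 4-tuple of the packet it quotes).

```python
"""Toy model of stateful vs stateless filtering (added example, not pf's implementation)."""
from dataclasses import dataclass
from typing import Optional

EXT_IF = "2001:db8::1"  # constructed address standing in for $ext_if


@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" or "out"
    proto: str                       # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    quoted: Optional[tuple] = None   # ICMP errors: 4-tuple of the packet quoted inside the error


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions ("block all")
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[str] = None        # None means "any"
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.direction, p.direction), (self.proto, p.proto),
            (self.src, p.src), (self.sport, p.sport),
            (self.dst, p.dst), (self.dport, p.dport)))


def key(p: Packet) -> tuple:
    return (p.src, p.sport, p.dst, p.dport)


def reverse(k: tuple) -> tuple:
    s, sp, d, dp = k
    return (d, dp, s, sp)


class Filter:
    """Evaluates rules last-match-wins, consulting the state table first (simplified pf semantics)."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def decide(self, p: Packet) -> str:
        # A packet belonging to an existing state passes in either direction, rules not consulted.
        if p.proto == "tcp":
            k = key(p)
            if k in self.states or reverse(k) in self.states:
                return "pass"
        elif p.proto == "icmp" and p.quoted is not None:
            # ICMP error about a tracked connection passes regardless of who sent it (e.g. a router).
            if p.quoted in self.states or reverse(p.quoted) in self.states:
                return "pass"
        verdict, winner = "block", None
        for r in self.rules:
            if r.matches(p):
                verdict, winner = r.action, r
        if verdict == "pass" and winner.keep_state and p.proto == "tcp":
            self.states.add(key(p))   # toy: first matching TCP packet creates the state
        return verdict


# block all; pass in proto tcp from any to $ext_if port 80 keep state
STATEFUL = [Rule("block"),
            Rule("pass", "in", "tcp", dst=EXT_IF, dport=80, keep_state=True)]

# block all; pass in proto tcp from any to $ext_if port 80; pass out proto tcp from $ext_if port 80 to any
STATELESS = [Rule("block"),
             Rule("pass", "in", "tcp", dst=EXT_IF, dport=80),
             Rule("pass", "out", "tcp", src=EXT_IF, sport=80)]


def run_scenarios(rules) -> dict:
    """Replay three constructed exchanges through a fresh filter and return each verdict."""
    f = Filter(rules)
    client, router, remote = "2001:db8:1::10", "2001:db8:2::1", "2001:db8:3::99"  # constructed
    r = {}
    # 1. inbound HTTP connection: SYN in, SYN-ACK out, ACK in
    r["syn_in"] = f.decide(Packet("in", "tcp", client, EXT_IF, 5555, 80))
    r["synack_out"] = f.decide(Packet("out", "tcp", EXT_IF, client, 80, 5555))
    r["ack_in"] = f.decide(Packet("in", "tcp", client, EXT_IF, 5555, 80))
    # 2. a router on the path reports need-to-fragment, quoting our SYN-ACK
    r["icmp_err_in"] = f.decide(Packet("in", "icmp", router, EXT_IF,
                                       quoted=(EXT_IF, 80, client, 5555)))
    # 3. a local process opens an outbound connection using source port 80
    r["out_from_80"] = f.decide(Packet("out", "tcp", EXT_IF, remote, 80, 4444))
    return r


if __name__ == "__main__":
    for name, rules in (("stateful", STATEFUL), ("stateless", STATELESS)):
        print(name, run_scenarios(rules))
```

Running it shows the two divergences the post describes: the stateful ruleset passes the router's ICMP error and blocks the outbound connection from port 80, while the stateless ruleset blocks the ICMP error and lets the outbound connection through. Both pass the legitimate inbound connection, which is why the stateless version looks adequate until a path-MTU problem or a misbehaving local service exposes the gap.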