Hi,
On Mon, Jun 27, 2005 at 07:06:23AM +0200, Cedric Berger wrote:
> >rdr on vlan4 inet proto tcp from any to any port 80 -> $proxy port 3128
> >[...]
> >Should states from rdr rules honor set state-policy if-bound? I
> >realize my setup may be ugly, just asking.
>
> They should, yes, if you have a separate "pass on vlan4 XXX keep state"
> rule.
> They might not honor set state-policy if you use "rdr pass".
> Is it not working? what is the "pfctl -ss" output?
Repeated setup:
             / vlan1 \                    / vlan2 - lan1
wan - router -         - fxp0 bridge fxp1 -
             \ vlan3 /                    \ vlan4 - lan2
I have a "pass quick on { vlan1, vlan3, vlan4 } all" and a relevant
"pass out quick on vlan2 proto tcp from $lan2 to $proxy port 3128 \
flags S/SA modulate state"
With these rules I get state entries like
vlan2 tcp $lan2-client:1050 -> $proxy:3128 ESTABLISHED:SYN_SENT
self tcp $proxy:3128 <- [...]:80 <- $lan2-client:1050 SYN_SENT:ESTABLISHED
and the connection times out since packets get dropped on the router going
out on vlan3 and claiming to come from the web server.
However, I tried your idea of creating a relevant rule on vlan4:
pass in quick on vlan4 proto tcp from any to $proxy port 3128 flags S/SA \
modulate state
Surprisingly (to me), the states now look like this:
vlan2 tcp $lan2-client:1051 -> $proxy:3128 ESTABLISHED:ESTABLISHED
vlan4 tcp $proxy:3128 <- [...]:80 <- $lan2-client:1051 ESTABLISHED:ESTABLISHED
i.e. the rdr state suddenly became if-bound. Is there an explanation for this
or am I misunderstanding some fundamental stuff about states? Why is the rdr
rule suddenly becoming if-bound instead of another state appearing like
vlan4 tcp $proxy:3128 <- $lan2-client:1051 [...]?
With your hint it obviously works now. However, I'd rather like 1) to know
why it works and 2) not to have to include vlan4 in the ruleset more than necessary.
Can't the rdr rule create an if-bound state by itself? IMHO, this would be
cleaner since I could ignore any interfaces besides vlan2 in filter rules.
I'd be glad for any insight.
Thanks,
ND
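The diagnostic the thread turns on is the first column of `pfctl -ss`: which interface each state is bound to, and whether the rdr state and the pass-rule state for the same connection agree. The script below is an added example, not code from the message or from pf itself; it parses `pfctl -ss` lines in the layout quoted above (interface, protocol, endpoints joined by `->` or `<-`, then the `src:dst` TCP states) and lists connections that still have a floating half. It assumes, as the quoted output suggests, that `self` in that column marks a state not bound to an interface, and that a third endpoint appears only when nat/rdr rewrote an address. The sample lines are constructed from the two excerpts in the message with made-up addresses standing in for $lan2-client, the web server and $proxy.

```python
"""Parse `pfctl -ss` output in the 3.x-era layout used in the thread and report
which interface each state is bound to.

Assumption for this example (consistent with the output quoted in the
message): a state listed against "self" is floating rather than bound to an
interface. Under `set state-policy if-bound`, connections whose two halves
differ in that respect are the ones worth a second look.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the two excerpts in the message. The
# addresses are made up and stand in for $lan2-client, the web server
# and $proxy.
SAMPLE = """\
vlan2 tcp 192.168.2.10:1050 -> 192.168.0.5:3128       ESTABLISHED:SYN_SENT
self tcp 192.168.0.5:3128 <- 203.0.113.7:80 <- 192.168.2.10:1050       SYN_SENT:ESTABLISHED
vlan2 tcp 192.168.2.10:1051 -> 192.168.0.5:3128       ESTABLISHED:ESTABLISHED
vlan4 tcp 192.168.0.5:3128 <- 203.0.113.7:80 <- 192.168.2.10:1051       ESTABLISHED:ESTABLISHED
"""

# interface, protocol, endpoint chain, then the "src:dst" state pair.
LINE_RE = re.compile(r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<chain>.+?)\s+(?P<states>\S+:\S+)$")
ARROW_RE = re.compile(r"\s+(->|<-)\s+")


@dataclass(frozen=True)
class State:
    ifname: str                  # "self" = floating, otherwise the bound interface
    proto: str
    direction: str               # "out" for "->", "in" for "<-"
    endpoints: Tuple[str, ...]   # host:port tokens in the order pfctl printed them
    src_state: str
    dst_state: str

    @property
    def floating(self) -> bool:
        return self.ifname == "self"

    @property
    def translated(self) -> bool:
        # pfctl prints a third endpoint only when nat/rdr rewrote an address.
        return len(self.endpoints) == 3

    @property
    def peer(self) -> str:
        # The untranslated client endpoint: first token outbound, last inbound.
        return self.endpoints[0] if self.direction == "out" else self.endpoints[-1]


def parse_state_line(line: str) -> State:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised pfctl -ss line: {line!r}")
    parts = ARROW_RE.split(m.group("chain"))
    endpoints = tuple(parts[0::2])
    arrows = set(parts[1::2])
    if len(arrows) != 1 or len(endpoints) not in (2, 3):
        raise ValueError(f"unrecognised endpoint chain: {m.group('chain')!r}")
    src_state, dst_state = m.group("states").split(":", 1)
    return State(
        ifname=m.group("ifname"),
        proto=m.group("proto"),
        direction="out" if arrows == {"->"} else "in",
        endpoints=endpoints,
        src_state=src_state,
        dst_state=dst_state,
    )


def parse_states(text: str) -> List[State]:
    return [parse_state_line(l) for l in text.splitlines() if l.strip()]


def floating_states(states: List[State]) -> List[State]:
    return [s for s in states if s.floating]


def group_by_peer(states: List[State]) -> Dict[str, List[State]]:
    """Pair the pass-rule state and the rdr state that belong to one connection."""
    groups: Dict[str, List[State]] = {}
    for s in states:
        groups.setdefault(s.peer, []).append(s)
    return groups


def connections_with_floating_state(states: List[State]) -> List[str]:
    """Peers whose connection has at least one floating state."""
    return sorted(peer for peer, group in group_by_peer(states).items()
                  if any(s.floating for s in group))


if __name__ == "__main__":
    parsed = parse_states(SAMPLE)
    for s in parsed:
        kind = "rdr/nat" if s.translated else "plain"
        print(f"{s.ifname:6} {s.proto} {s.direction:3} {kind:7} "
              f"{' / '.join(s.endpoints)}  {s.src_state}:{s.dst_state}")
    print("connections with a floating state:", connections_with_floating_state(parsed))
```

Run it against real output with `pfctl -ss | python3 thisfile.py` after replacing `SAMPLE` with `sys.stdin.read()`; with the first ruleset in the message the port-1050 connection is reported, with the vlan4 pass rule added nothing is.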