(Detailed description of the problem, broached in the "faults list" topic)
Two hosts, on opposite sides of a gateway:
 _______       ______________       _______
|       |     |              |     |       |
| 114.31  <-> 114.219    0.254 <-> 0.1     |
| priv  |     |     step     |     |  pub  |
|_______|     |______________|     |_______|
where,
PRIV (192.168.114.31) is the private-network host
PUB (192.168.0.1) is the public host
STEP (192.168.114.219/192.168.0.254) is the firewall gateway
Target:
deny any access from PUB to PRIV, but allow PRIV to access PUB's
resources (at least, pings and TCP)
OS version:
step# uname -a
OpenBSD step.oganer.net 4.2 GENERIC#0 i386
Ruleset variants and PF's behavior (trying to ping PUB and connect to
its webserver):
block in inet from 192.168.0.1 to 192.168.114.31
pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work - neither pings nor TCP)
Preferred version, because it does not affect queueing
step# pfctl -ss
all icmp 192.168.0.1:512 <- 192.168.114.31 0:0
all tcp 192.168.0.1:80 <- 192.168.114.31:3538 CLOSED:SYN_SENT

block in inet from 192.168.0.1 to 192.168.114.31
pass out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)
step# pfctl -ss
all icmp 192.168.114.31:512 -> 192.168.0.1 0:0
all tcp 192.168.114.31:3547 -> 192.168.0.1:80 ESTABLISHED:ESTABLISHED

In addition:

block out inet from 192.168.0.1 to 192.168.114.31
pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)
step# pfctl -ss
all icmp 192.168.0.1:512 <- 192.168.114.31 0:0
all tcp 192.168.0.1:80 <- 192.168.114.31:3565 ESTABLISHED:ESTABLISHED

block out inet from 192.168.0.1 to 192.168.114.31
pass out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)
step# pfctl -ss
all icmp 192.168.114.31:512 -> 192.168.0.1 0:0
all tcp 192.168.114.31:3542 -> 192.168.0.1:80 ESTABLISHED:SYN_SENT

block inet from 192.168.0.1 to 192.168.114.31
pass in inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)
step# pfctl -ss
all icmp 192.168.0.1:512 <- 192.168.114.31 0:0
all tcp 192.168.0.1:80 <- 192.168.114.31:3566 CLOSED:SYN_SENT

block inet from 192.168.0.1 to 192.168.114.31
pass out inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(does not work)
step# pfctl -ss
all icmp 192.168.114.31:512 -> 192.168.0.1 0:0
all tcp 192.168.114.31:3572 -> 192.168.0.1:80 ESTABLISHED:SYN_SENT

And one more:

block inet from 192.168.0.1 to 192.168.114.31
pass inet from 192.168.114.31 to 192.168.0.1 flags S/SA keep state
(works)
step# pfctl -ss
all icmp 192.168.0.1:512 <- 192.168.114.31 0:0
all icmp 192.168.114.31:512 -> 192.168.0.1 0:0
all tcp 192.168.0.1:80 <- 192.168.114.31:3574 ESTABLISHED:ESTABLISHED
all tcp 192.168.114.31:3574 -> 192.168.0.1:80 ESTABLISHED:ESTABLISHED
Supposition:
In all non-working cases, the answer packets somehow do not match the
created state (by iface and/or direction?) and are blocked by the
block rule. In the last case, each communication stream creates 2
states.
Setting the "state-policy" option to "floating" or "if-bound" does not
change the situation.
Questions:
Is this some kind of feature? Is there any solution to make PF
behave another way (for example, to work with the first ruleset variant)?
Ilya A. Kovalenko (mailto:[EMAIL PROTECTED])
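A small model of the directional state matching the post observes, added here as an illustration and not part of the original mail or of PF itself. It assumes the pre-4.5 PF semantics of that release: a state created by a rule in one direction matches the original flow in that direction and its reply only in the opposite direction, every forwarded packet is filtered twice (in on one interface, out on the other), and with floating states the interface is ignored. Under those assumptions the model reproduces which of the seven rulesets above work and the two states of the last one.

```python
from dataclasses import dataclass, field

PRIV, PUB = "192.168.114.31", "192.168.0.1"  # hosts from the post

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str
    dst: str
    direction: str = None  # "in", "out", or None (rule matches both directions)
    keep_state: bool = False

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)  # (direction, src, dst); floating, iface ignored

    def state_match(self, direction, src, dst):
        # Assumed pre-4.5 semantics: a state is directional. The original flow matches
        # it in the direction it was created in; the reply only in the opposite one.
        opposite = "out" if direction == "in" else "in"
        return (direction, src, dst) in self.states or (opposite, dst, src) in self.states

    def filter(self, direction, src, dst):
        if self.state_match(direction, src, dst):
            return "pass"                    # a state match wins; rules are not consulted
        verdict, matched = "pass", None      # no matching rule: PF's default is pass
        for r in self.rules:                 # last matching rule wins (no "quick")
            if r.direction in (None, direction) and (r.src, r.dst) == (src, dst):
                verdict, matched = r.action, r
        if verdict == "pass" and matched is not None and matched.keep_state:
            self.states.add((direction, src, dst))
        return verdict

def forward_and_reply(rules):
    """One PRIV->PUB request and its PUB->PRIV reply through STEP; each forwarded
    packet is filtered in on one interface and out on the other. Returns (works, states)."""
    fw = Firewall(rules)
    hops = [("in", PRIV, PUB), ("out", PRIV, PUB),   # request: int in, ext out
            ("in", PUB, PRIV), ("out", PUB, PRIV)]   # reply:   ext in, int out
    works = all(fw.filter(*hop) == "pass" for hop in hops)  # stops at the first block
    return works, len(fw.states)

if __name__ == "__main__":
    block_in, block_any = Rule("block", PUB, PRIV, "in"), Rule("block", PUB, PRIV)
    for name, rules in {"block in / pass in":  [block_in,  Rule("pass", PRIV, PUB, "in", True)],
                        "block in / pass out": [block_in,  Rule("pass", PRIV, PUB, "out", True)],
                        "block / pass":        [block_any, Rule("pass", PRIV, PUB, None, True)]}.items():
        print(name, forward_and_reply(rules))
```

The first ruleset fails because the reply arrives "in" on the external interface, where an inbound state only matches the original direction, so the "block in" rule is consulted; the directionless "pass" rule works by creating one state per direction.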