pf behavior question
Hi; System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 i386 The question is about how pf acts on an specific situation. Supose I have the following rules: pass in log inet proto tcp from $int_if to any port 8021 flags S/SA keep state tag test rule 2 rule 3 . . rule n pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp) Suppose the packet matches the first rule. According to what I red about pf, it will keep parsing the rules (no quick on the first rule). When it reaches the last rule, the tag will match and the packet will pass. I don't believe I'll have 2 state table entries for the same packet after the last rule matches. or will I? What is the proper way to use the tag created on the first rule, as far as the state table is concerned? Thanks, -- Mario Lobo http://www.mallavoodoo.com.br FreeBSD since 2.2.8 [not Pro-Audio YET!!] (99% winfoes FREE) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
pf behavior question (addendum)
Sorry. Forgot to ask: Will the packet be actually tagged on the first rule, even though rule parsing continues? will it reach the last rule already tagged? Thanks again. Hi; System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 i386 The question is about how pf acts on an specific situation. Supose I have the following rules: pass in log inet proto tcp from $int_if to any port 8021 flags S/SA keep state tag test rule 2 rule 3 . . rule n pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp) Suppose the packet matches the first rule. According to what I red about pf, it will keep parsing the rules (no quick on the first rule). When it reaches the last rule, the tag will match and the packet will pass. I don't believe I'll have 2 state table entries for the same packet after the last rule matches. or will I? What is the proper way to use the tag created on the first rule, as far as the state table is concerned? Thanks, -- Mario Lobo http://www.mallavoodoo.com.br FreeBSD since 2.2.8 [not Pro-Audio YET!!] (99% winfoes FREE) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
pf behavior question (addendum)
Sorry. Forgot to ask: Will the packet be actually tagged on the first rule, even though rule parsing continues? will it reach the last rule already tagged? Thanks again. Hi; System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 i386 The question is about how pf acts on an specific situation. Supose I have the following rules: pass in log inet proto tcp from $int_if to any port 8021 flags S/SA keep state tag test rule 2 rule 3 . . rule n pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp) Suppose the packet matches the first rule. According to what I red about pf, it will keep parsing the rules (no quick on the first rule). When it reaches the last rule, the tag will match and the packet will pass. I don't believe I'll have 2 state table entries for the same packet after the last rule matches. or will I? What is the proper way to use the tag created on the first rule, as far as the state table is concerned? Thanks, -- Mario Lobo http://www.mallavoodoo.com.br FreeBSD since 2.2.8 [not Pro-Audio YET!!] (99% winfoes FREE) -- Mario Lobo http://www.mallavoodoo.com.br FreeBSD since 2.2.8 [not Pro-Audio YET!!] (99% winfoes FREE) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: pf behavior question
On 16/07/2010 18:22:04, Mario Lobo wrote: Hi; System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT 2010 i386 The question is about how pf acts on an specific situation. Supose I have the following rules: pass in log inet proto tcp from $int_if to any port 8021 flags S/SA keep state tag test rule 2 rule 3 . . rule n pass in log quick on $int_if inet proto tcp tagged test keep state queue (ftp) Suppose the packet matches the first rule. According to what I red about pf, it will keep parsing the rules (no quick on the first rule). When it reaches the last rule, the tag will match and the packet will pass. I don't believe I'll have 2 state table entries for the same packet after the last rule matches. or will I? What is the proper way to use the tag created on the first rule, as far as the state table is concerned? Correct, essentially. No, you won't end up with two entries in the state table from this -- it's only the last matching rule that causes the state table to be modified. In fact, you simply can't have two state table entries for the same (i/f, proto, srcaddr, srcport, destaddr, destport) tuple, because those six quantities are together used as the index into the state table. (Note: i/f is usually 'all' unless you've 'set state-policy if-bound' or equivalent, so generating state on one interface allows a packet to pass on any interface.) You don't get much from using tagging in the case you show -- as you've only got one rule to apply tags you might as well have let that been the place where you decided to pass or block the packet. Tagging is a lot more useful where you need several different rules to identify a particular class of traffic: you can apply the tag from several different matching rules, and then have just one rule to express your policy for that class of traffic. See the example in http://www.openbsd.org/faq/pf/tagging.html which gives a pretty good idea how it all works. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matt...@infracaninophile.co.uk Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
Re: pf behavior question
On Friday 16 July 2010 20:58:31 Matthew Seaman wrote:
On 16/07/2010 18:22:04, Mario Lobo wrote:
Hi;
System: 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Fri Jun 11 09:41:37 BRT
2010 i386
The question is about how pf acts on an specific situation.
Supose I have the following rules:
pass in log inet proto tcp from $int_if to any port 8021
flags S/SA keep state tag test
rule 2
rule 3 .
.
rule n
pass in log quick on $int_if inet proto tcp tagged test keep state queue
(ftp)
Suppose the packet matches the first rule.
According to what I red about pf, it will keep parsing the rules (no
quick on the first rule). When it reaches the last rule, the tag will
match and the packet will pass.
I don't believe I'll have 2 state table entries for the same packet after
the last rule matches. or will I?
What is the proper way to use the tag created on the first rule, as far
as the state table is concerned?
Correct, essentially.
No, you won't end up with two entries in the state table from this --
it's only the last matching rule that causes the state table to be
modified. In fact, you simply can't have two state table entries for
the same (i/f, proto, srcaddr, srcport, destaddr, destport) tuple,
because those six quantities are together used as the index into the
state table. (Note: i/f is usually 'all' unless you've 'set
state-policy if-bound' or equivalent, so generating state on one
interface allows a packet to pass on any interface.)
Ok. That confirms my suspicions.
You don't get much from using tagging in the case you show -- as you've
only got one rule to apply tags you might as well have let that been the
place where you decided to pass or block the packet. Tagging is a lot
more useful where you need several different rules to identify a
particular class of traffic: you can apply the tag from several
different matching rules, and then have just one rule to express your
policy for that class of traffic. See the example in
http://www.openbsd.org/faq/pf/tagging.html which gives a pretty good
idea how it all works.
I think that my case applies to that exactly
Take the following excerpt from my pf.conf:
I tag the packets on their way in from lan. The ports are queued on their way
out, prioritizing the ports accordingly.
The tag ftp_proxy is put there by the ftp-proxy program, which is why this
question came up. I want ftp packets to have the lowest priority, so allowing
ftp-proxy to tag them, I can direct them to any queue I want on their way in
or out.
ftp-proxy insert these rules (real example):
@0 pass in log inet proto tcp from 172.16.3.145 to 129.128.5.191 port =
61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
@1 pass out log inet proto tcp from 189.12.120.11 to 129.128.5.191 port =
61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
look at the outlined pass out rule bellow. These 2 rules will match but
parsing continues until they reach the pass out rule, where I queue them where
I want. At least that the idea.
I am using if-bound and I have altq on both lan_if and ext_if.
Allow_tcp_ports_lan = {21, 53, 67, 68, 80, 443, 143, 445, 587, 995, 1433,
1863, 110, 3000, 5061, 1723, 3389, 8933, 135}
Allow_tcp_ports_lab = {53, 80, 443, 3389}
# from LAN ---
pass in log quick on $lan_if inet proto tcp from $lan_if:network to !$lan_if
port $Allow_tcp_ports_lan keep state tag to_out
pass in log quick on $lan_if inet proto udp from $lan_if:network to !$lan_if
port $Allow_udp_ports_lan keep state tag to_out
# To INTERNET--
pass out log quick on $ext_if inet proto tcp from any to any port 8933
tagged to_out modulate state queue (ssh_bulk, ack)
pass out log quick on $ext_if inet proto tcp from any to any port pptp
tagged to_out modulate state queue (ssh_bulk, ack)
pass out log quick on $ext_if inet proto tcp from any to any port ssh
tagged to_out modulate state queue (ssh_bulk, ssh_login)
pass out log quick on $ext_if inet proto tcp from any to any port smtp
tagged to_out modulate state queue (mail, ack)
pass out log quick on $ext_if inet proto tcp from any to any port http
tagged to_out modulate state queue (web)
pass out log quick on $ext_if inet proto tcp from any to any port https
tagged to_out modulate state queue (web)
pass out log quick on $ext_if inet proto tcp from any to any port 444
tagged to_out modulate state queue (web)
pass out log quick on $ext_if inet proto tcp from any to any port 81
tagged to_out modulate state queue (web)
pass out log quick on $ext_if inet proto tcp from any to any port 82
tagged to_out modulate state queue (web)
pass out log quick on $ext_if inet proto tcp from any to any port domain
tagged to_out modulate state queue (dns, ack)
pass out log quick on $ext_if inet proto udp from any to any port domain
tagged
