Re: state-policy floating Expectations

2018-05-01 Thread Kenneth Gober
On Thu, Apr 26, 2018 at 2:40 PM, Daniel Melameth wrote:
> The man page defines this as "States can match packets on any
> interfaces."  I understood this to mean that state created on one
> interface would automatically create state, or allow a related match,
> on another interface, but this is not the case.  Simple example:
>
> Host A
> 10.0.0.2
>
> Firewall
> 10.0.0.1 (hvn0)
> 10.0.1.1
>
> Host B
> 10.0.1.2
>
> /etc/pf.conf from the firewall:
> block log
> pass in on hvn0
>
>
> With the above, traffic cannot pass from A to B.  With pf disabled on
> the firewall, traffic passes.

"floating" does not mean that "pass in" rules also count as "pass out"
rules.  Instead it means that a "pass in" rule for hvn0 will allow
subsequent packets for that connection to be "passed in" even if they
arrive on a different interface.

I think this example might make it clearer what "floating" does:

Firewall
10.0.0.1 (hvn0)
10.0.0.11 (hvn1)
10.0.1.1 (hvn2)

/etc/pf.conf
block log
pass in on hvn0
pass in on hvn1
pass out on hvn2

With the above, when the first packet of a connection comes in on
either hvn0 or hvn1, state will be created.  If future packets switch
to coming in the other interface, they will be treated as part of the
already-established connection.

The pass out rule is still needed to ensure that traffic that is
allowed in is also then allowed back out again.

-ken
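
To make the contrast between the two state policies concrete, here is a
pf.conf written for Ken's three-interface layout above.  It is an added
illustration, not a ruleset either poster published, and it assumes /24
networks on each side (10.0.0.0/24 behind hvn0 and hvn1, 10.0.1.0/24
behind hvn2), which the thread does not state:

```pf
# Added example, not from the thread.  Interfaces follow Ken's layout:
# hvn0 10.0.0.1 and hvn1 10.0.0.11 on the 10.0.0.0/24 side, hvn2 10.0.1.1
# on the 10.0.1.0/24 side (the /24 masks are an assumption).
# "set state-policy floating" is already the default; it is spelled out
# here so the contrast with the per-rule if-bound option below is explicit.

set state-policy floating

block log

# Inbound rules create floating states: a connection first seen on hvn0
# keeps matching its state if later packets arrive on hvn1 (or vice versa).
pass in on hvn0 inet from 10.0.0.0/24 to 10.0.1.0/24
pass in on hvn1 inet from 10.0.0.0/24 to 10.0.1.0/24

# Still required: "pass in" does not imply "pass out".  Without this rule
# the forwarded SYN is blocked on hvn2 and the inbound state sits at
# CLOSED:SYN_SENT, which is what the original post observed.
pass out on hvn2 inet from 10.0.0.0/24 to 10.0.1.0/24

# Variant for comparison (would replace the two "pass in" rules above).
# With the if-bound state option the state is tied to the interface it was
# created on, so a mid-connection TCP packet arriving on hvn1 instead of
# hvn0 does not match the hvn0 state; the default "flags S/SA" keeps the
# hvn1 rule from creating a fresh state for a non-SYN packet, so it ends
# up at "block log".
# pass in on hvn0 inet from 10.0.0.0/24 to 10.0.1.0/24 keep state (if-bound)
# pass in on hvn1 inet from 10.0.0.0/24 to 10.0.1.0/24 keep state (if-bound)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with
`pfctl -f /etc/pf.conf`.  Once a connection has been forwarded,
`pfctl -ss` lists the floating states with "all" in the interface column;
with the if-bound variant that column shows the interface the state was
created on, and a connection that moves to the other interface produces a
block log entry rather than a state match.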



state-policy floating Expectations

2018-04-26 Thread Daniel Melameth
The man page defines this as "States can match packets on any
interfaces."  I understood this to mean that state created on one
interface would automatically create state, or allow a related match,
on another interface, but this is not the case.  Simple example:

Host A
10.0.0.2

Firewall
10.0.0.1 (hvn0)
10.0.1.1

Host B
10.0.1.2

/etc/pf.conf from the firewall:
block log
pass in on hvn0


With the above, traffic cannot pass from A to B.  With pf disabled on
the firewall, traffic passes.

I expected state to be created from the incoming packet, and a state
entry is, but the state is never complete/established (left as
CLOSED:SYN_SENT) and this does not work, obviously.  So, what's the
expanded definition of floating?  And how does this compare to
if-bound in the example above if it were applied to the pass rule?
I've found related threads from the past, but I'm still confused and
would appreciate a clue stick.

Thanks.