Hello everyone,
I'm trying to replace a crufty pf.conf which has evolved badly, and I
think doesn't fully use the stateful capabilities of pf. The problem
is that there must be something I don't really understand about
states.
My plan was to write a pf.conf with almost no "out" clauses. A packet
comes from an interface; if it's "good", keep state and forget about
the entire conversation. So, as a start I have written a pf.conf like
this (three interfaces, lan, inet, dmz):
tcp_inet_services="{ smtp, submission, https, www, domain }"
tcp_lan_services="{ smtp, submission, https, www, 8080, ssh, \
domain }"
ssh_port="{ 22 }"
udp_inet_services="{ domain, isakmp, ipsec-nat-t }"
udp_lan_services="{ domain }"
#set skip on lo0
#set loginterface $ext_if
#scrub in all fragment reassemble
set state-policy floating
# Redirections/NAT
nat on $ext_if from $estaciones_edi to $servidores_edi -> $dmz_if:0
# Block by default. We try not to use "out", only "in" and "keep state",
# classifying on the packet's ingress interface.
block in log all
# VPNs
pass in quick on $ext_if from 192.168.200.0/24 to any keep state
pass in quick on $int_if from 192.168.0.0/16 to 192.168.200.0/24 keep state
# Inbound traffic from INET
pass in quick on $ext_if proto tcp from any to $dmz_range port \
    $tcp_inet_services flags S/SA keep state
pass in quick on $ext_if inet proto icmp all icmp-type echoreq keep state
#pass in quick on $ext_if proto esp from any to $dmz_range queue ipsec_q
pass in quick on $ext_if proto esp from any to $dmz_range
pass in quick on $ext_if proto udp from any to $dmz_range port \
    $udp_inet_services keep state
# Inbound traffic from LAN
pass in quick on $int_if proto tcp from any to $dmz_range port \
    $tcp_lan_services flags S/SA modulate state
pass in quick on $dmz_if proto tcp from any to $dmz_range port \
    $ssh_port flags S/SA modulate state
pass in quick on $int_if proto icmp from any to $dmz_range keep state
#pass in quick on $int_if from { $dmz_if:0 } to $servidores_edi flags S/SA keep state
pass in quick on $int_if from $estaciones_edi to $servidores_edi flags \
    S/SA keep state
# Inbound traffic from DMZ
pass in quick on $dmz_if proto icmp from any to any keep state
pass in quick on $dmz_if proto tcp from any to any port { www, smtp, \
    https } keep state
# Traffic to the firewall
pass in quick proto tcp from any to { $int_if:0, $ext_if:0 } port { ssh } keep state
pass in quick inet proto icmp all icmp-type echoreq keep state
# Traffic from the firewall
pass out quick proto udp from any to any port { domain, ntp } keep state
--------------------------------------------------------------------------------------
With this config, I can't access "dmz hosts" from lan or internet. The
state gets created:
all tcp $dmz_ip:25 <- 192.168.1.161:19399 CLOSED:SYN_SENT
but the response is blocked:
Jan 16 19:32:59.627083 rule 0/(match) block in on xl2: $dmz_ip.25 > 192.168.1.161.19399: [|tcp] (DF)
So, there's something I don't understand from the pf.conf man page:
"If a packet matches a pass ... keep state rule, the filter creates a
state for this connection and automatically lets pass all subsequent
packets of that connection."
If someone could just show me what's wrong here, and why...
I'm running 4.0, if that matters.
Thanks in advance, Samuel
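Added example, not part of Samuel's post and not anything shipped with pf: a small Python script that parses `pfctl -ss` state lines and `tcpdump -n -e -ttt -i pflog0` lines in the two formats quoted above and reports every logged block whose 4-tuple is already covered by a state, in either direction. The sample lines and the 10.0.2.25 address standing in for $dmz_ip are constructed for this example. A hit like the first sample log line, a SYN-ACK arriving on the DMZ interface for a state still in CLOSED:SYN_SENT, is exactly the situation the post describes, and confirming it this way separates "no state was created" from "a state exists but was not consulted for this packet" before you start reading rules. The rule number in the log is the index printed by `pfctl -vvsr` (in the config above rule 0 is the `block in log all` line), which names the rule, not the state, that made the decision.

```python
import re
from dataclasses import dataclass

# Constructed sample of `pfctl -ss` output in the format quoted in the post
# ("all tcp $dmz_ip:25 <- 192.168.1.161:19399 CLOSED:SYN_SENT"); 10.0.2.25
# stands in for $dmz_ip and is a placeholder chosen for this example.
PFCTL_SS = """\
all tcp 10.0.2.25:25 <- 192.168.1.161:19399       CLOSED:SYN_SENT
all tcp 10.0.2.25:80 <- 192.168.1.161:19400       ESTABLISHED:ESTABLISHED
all udp 10.0.2.25:53 <- 192.168.1.161:40000       SINGLE:MULTIPLE
"""

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` lines in the format
# quoted in the post; the first line is the blocked SYN-ACK from the post.
PFLOG = """\
Jan 16 19:32:59.627083 rule 0/(match) block in on xl2: 10.0.2.25.25 > 192.168.1.161.19399: [|tcp] (DF)
Jan 16 19:33:01.104455 rule 0/(match) block in on xl1: 203.0.113.9.51000 > 10.0.2.25.23: [|tcp] (DF)
Jan 16 19:33:02.220011 rule 9/(match) pass in on xl0: 192.168.1.161.19400 > 10.0.2.25.80: [|tcp] (DF)
"""


@dataclass(frozen=True)
class Endpoint:
    addr: str
    port: int


@dataclass(frozen=True)
class State:
    iface: str
    proto: str
    src: Endpoint  # host that opened the connection
    dst: Endpoint  # host it was opened to
    status: str


@dataclass(frozen=True)
class LogEntry:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    src: Endpoint
    dst: Endpoint


def _ep_colon(text):
    """pfctl prints 'addr:port' for IPv4 and '[addr]:port' for IPv6."""
    addr, _, port = text.rpartition(":")
    return Endpoint(addr.strip("[]"), int(port))


def _ep_dot(text):
    """tcpdump prints IPv4 endpoints as 'a.b.c.d.port'."""
    addr, _, port = text.rpartition(".")
    return Endpoint(addr, int(port))


# iface proto left [(translated)] <-|-> right status
STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\(\S+\))?\s+(<-|->)\s+(\S+)\s+(\S+)$")
# ts rule N/(reason) pass|block in|out on IF: src > dst: ...
LOG_RE = re.compile(r"^(\w{3} +\d+ [\d:.]+) rule (\d+)/\((\w+)\) (pass|block) (in|out) on (\w+): (\S+) > (\S+):")


def parse_states(text):
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        iface, proto, left, arrow, right, status = m.groups()
        # "<-" is an inbound state printed as "dst <- src"; "->" is "src -> dst"
        src, dst = (right, left) if arrow == "<-" else (left, right)
        states.append(State(iface, proto, _ep_colon(src), _ep_colon(dst), status))
    return states


def parse_pflog(text):
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, rule, _reason, action, direction, iface, src, dst = m.groups()
            entries.append(LogEntry(ts, int(rule), action, direction, iface, _ep_dot(src), _ep_dot(dst)))
    return entries


def matching_state(entry, states):
    """Return (state, 'forward'|'reply') if a state covers the packet's 4-tuple, else None."""
    for s in states:
        if (entry.src, entry.dst) == (s.src, s.dst):
            return s, "forward"
        if (entry.src, entry.dst) == (s.dst, s.src):
            return s, "reply"
    return None


def blocked_despite_state(ss_text, log_text):
    """Logged blocks whose 4-tuple already has a state: the situation in the post."""
    states = parse_states(ss_text)
    hits = []
    for e in parse_pflog(log_text):
        if e.action == "block":
            hit = matching_state(e, states)
            if hit:
                hits.append((e, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for e, s, direction in blocked_despite_state(PFCTL_SS, PFLOG):
        print(f"{e.ts} rule {e.rule} blocked {direction} packet on {e.iface} for state "
              f"{s.src.addr}:{s.src.port} -> {s.dst.addr}:{s.dst.port} ({s.status})")
```

Run as-is it reports only the first sample line: the blocked SYN-ACK on xl2 is the reply half of the SYN_SENT state, while the second block (a probe to port 23 with no state at all) is the normal, intended action of `block in log all` and is left alone. Feed it real `pfctl -ss` and pflog captures taken at the same moment, since states in SYN_SENT expire quickly.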