On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:

> Thanks for the information. This is the first time that I've used PF as a 
> router-based firewall and not with NAT. I didn't know that the state was on 
> a per-interface basis, and not global to the system. So this means that 
> unless I want to allow all outbound traffic from my firewall, I need to 
> have a matching pass out rule for all the pass in rules for which I want to 
> restrict the inbound interface (i.e. for which I don't want to put just pass 
> for)?

No, states are by default global and not tied to an interface. See man
pf.conf. 

        -Otto
        
>
> The reason I need quick, especially on a few of these rules, is that the 
> firewall will be establishing 3 to 6 thousand new sessions per second and 
> managing between 300 000-500 000 state entries. This means that if it's one 
> state entry per interface, this effectively doubles the state table size.
>
> Thanks for the other tips by other people for lists and the implicit keep 
> state, I hadn't even realized I had omitted important lists and didn't know 
> about the implicit keep state.
>
> Jon Radel wrote:
>> You appear to be making use of the default pass rule for all your outbound
>> traffic, as I didn't notice a single rule that applied to outbound
>> traffic (other than your block port 0, CARP, PFSync, and ping rules).  I
>> don't believe that can be counted on to establish state.
>>
>> So a packet arrives on an interface, is allowed in with a "pass in quick
>> on XX" and state is established.  The packet is then routed out YY,
>> which is allowed since there is no rule to block it.  There is, however,
>> no state established on interface YY, so the return packet is dropped
>> unless you have a rule explicitly allowing that packet in.
>>
>> Try dropping a
>>
>> pass out all
>>
>> into the rule set to see if things get better.  (As a test, think about
>> the implications before you put that into production.)
>>
>> --Jon Radel

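An added pf.conf sketch (not from anyone in this thread) showing Otto's point: with the default floating state policy, a state created by a "pass in" rule on one interface also matches the same flow when it leaves on another interface, so no mirrored "pass out" rule is needed. Interface names and the LAN prefix are assumed.

```pf
# Added example, not from the thread. Interface names and the LAN range
# are assumptions; adjust them to the actual system.
ext_if = "em0"
int_if = "em1"
lan_net = "192.0.2.0/24"   # assumed LAN range (documentation prefix)

# This is already the default: a state is not bound to the interface that
# created it. A state created by "pass in on $int_if" also matches the same
# flow when it is forwarded out $ext_if and when the reply comes back in.
set state-policy floating

# Drop everything not explicitly allowed. PF's implicit default pass creates
# no state, so relying on it for outbound traffic leaves replies unmatched.
block log all

# LAN clients may open connections outward. "keep state" is implicit in
# recent PF, so one state entry covers the inbound match on $int_if, the
# outbound traversal of $ext_if, and the replies: no "pass out" is needed.
pass in quick on $int_if inet proto tcp from $lan_net to any port { 80 443 }
pass in quick on $int_if inet proto udp from $lan_net to any port 53

# Only with "set state-policy if-bound" would every interface need its own
# state (doubling the table, as the original poster feared) and a mirrored
# rule such as:
#   pass out quick on $ext_if inet proto tcp from $lan_net to any port { 80 443 }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -ss` then lists floating states with the interface column showing `all`.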