On Tue, Nov 03, 2009 at 03:32:29PM +0200, Alexander Shikoff wrote:
| Hello!
| 
| I have strange behavior of pf on my 4.6 box.
| 
| Filtering rules are present in pf.conf in next order:
| block in all
| pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh
| pass out quick on $ext_if
| pass in quick on $ext_if no state
| pass in  quick on vlan609 from vlan609:network  to any                  no state
| pass out quick on vlan609 from any              to vlan609:network      no state
| pass in  quick on vlan621 from 10.51.109.16/29  to any                  no state
| pass out quick on vlan621 from any              to 10.51.109.16/29      no state queue to_Akim
| pass in  quick on vlan621 from 10.51.109.40/29  to any                  no state
| pass out quick on vlan621 from any              to 10.51.109.40/29      no state queue to_Gonta
| pass in  quick on vlan622 from vlan622:network  to any                  no state
| pass out quick on vlan622 from any              to vlan622:network      no state
| pass in  quick on vlan664 from vlan664:network  to any                  no state
| pass out quick on vlan664 from any              to vlan664:network      no state
| pass in  quick on vlan781 from vlan781:network  to any                  no state
| pass out quick on vlan781 from any              to vlan781:network      no state
| pass in  quick on vlan783 from vlan783:network  to any                  no state
| pass out quick on vlan783 from any              to vlan783:network      no state
| 
| 
| 
| But after they loaded pfctl -sr shows another order:
| block drop in all
| pass in quick on vlan2 proto tcp from any to (vlan2) port = ssh flags S/SA keep state (if-bound)
| pass out quick on vlan2 all flags S/SA keep state (if-bound)
| pass in quick on vlan609 inet from 10.51.9.0/24 to any no state
| pass in quick on vlan621 inet from 10.51.109.16/29 to any no state
| pass in quick on vlan2 all no state
| pass out quick on vlan609 inet from any to 10.51.9.0/24 no state
| pass out quick on vlan621 inet from any to 10.51.109.16/29 no state queue to_Akim
| pass in quick on vlan621 inet from 10.51.109.40/29 to any no state
| pass out quick on vlan621 inet from any to 10.51.109.40/29 no state queue to_Gonta
| pass in quick on vlan622 inet from 10.51.109.0/28 to any no state
| pass in quick on vlan622 inet from 10.51.109.56/29 to any no state
| pass in quick on vlan781 inet from 10.53.31.0/25 to any no state
| pass in quick on vlan781 inet from 10.53.31.128/25 to any no state
| pass in quick on vlan664 inet from 10.52.14.0/24 to any no state
| pass in quick on vlan783 inet from 10.53.33.0/24 to any no state
| pass out quick on vlan622 inet from any to 10.51.109.0/28 no state
| pass out quick on vlan622 inet from any to 10.51.109.56/29 no state
| pass out quick on vlan781 inet from any to 10.53.31.0/25 no state
| pass out quick on vlan781 inet from any to 10.53.31.128/25 no state
| pass out quick on vlan664 inet from any to 10.52.14.0/24 no state
| pass out quick on vlan783 inet from any to 10.53.33.0/24 no state
| 
| Does anyone know how to disable this? Thanks in advance!

Why do you want to disable this? And why are you using no state?
What you're seeing is the result of the ruleset optimizer. See
pf.conf(5) for more details and how to disable this. My suggestion is
to *not* disable it though. What problem does the reordering give
you? Maybe you want to look into antispoof and urpf too, while you're
at it.

And, really, why are you using 'no state' ?

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
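As an added illustration (not from either poster), the pf.conf fragment below puts Paul's three suggestions next to the ruleset Alexander posted: the `set ruleset-optimization` knob that pf.conf(5) documents (`none`, `basic` or `profile`; `basic` is the default, and it is what reorders the rules seen in `pfctl -sr`), the uRPF and antispoof checks, and stateful pass rules in place of `no state`. Interface and network names are copied from the thread; the altq queue definitions that `queue to_Akim` requires are omitted, and only two of the vlans are shown.

```pf
# Added example, not from the thread. Interface and network names come from
# Alexander's ruleset; queue definitions (altq) are left out.
ext_if = "vlan2"

# The ruleset optimizer is what reorders rules in `pfctl -sr` output.
# Modes are none | basic | profile; basic is the default. Keeping it on
# is the advice in the thread; `none` is shown in pf.conf(5) for completeness.
set ruleset-optimization basic

# antispoof also generates rules for addresses on the loopback, so skip lo0.
set skip on lo0

# uRPF: drop packets whose source address would not be routed back out the
# interface they arrived on.
block in quick from urpf-failed label uRPF

# antispoof expands to per-interface block rules that drop packets claiming
# a source inside an interface's network but arriving on a different one.
antispoof quick for { $ext_if vlan609 vlan621 }

block in all
pass in  quick on $ext_if proto tcp from any to ($ext_if) port ssh
pass out quick on $ext_if

# Stateful pass rules instead of `no state`: only the first packet of a
# flow walks the ruleset, later packets are matched from the state table,
# and `pfctl -ss` then shows per-flow state for troubleshooting.
pass in  quick on vlan609 from vlan609:network to any
pass out quick on vlan609 from any to vlan609:network
pass in  quick on vlan621 from 10.51.109.16/29 to any
pass out quick on vlan621 from any to 10.51.109.16/29 queue to_Akim
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, then compare `pfctl -sr` against the file: the printed order may still differ from the written order, but with `quick` rules whose interface, direction and addresses do not overlap, the first matching rule for any given packet is the same either way, which is why Paul suggests leaving the optimizer enabled.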
