Dear Colleagues, I'm trying to figure out the difference between floating and if-bound states. Let's consider a simple ruleset with just 2 rules:
    root@fw:~ # pfctl -vvs rules
    No ALTQ support in kernel
    ALTQ related functions disabled
    @0 block return in on dmz all
      [ Evaluations: 2282      Packets: 1022      Bytes: 85848       States: 0     ]
      [ Inserted: uid 0 pid 822 State Creations: 0     ]
    @1 pass in on inside all flags S/SA keep state
      [ Evaluations: 1771      Packets: 511       Bytes: 42924       States: 1     ]
      [ Inserted: uid 0 pid 822 State Creations: 1     ]
    root@fw:~ #

Let's ping host 172.16.1.10 (attached to the "dmz" interface) from host 192.168.10.3 (attached to the "inside" interface) via the router. Echo requests from 192.168.10.3 to 172.16.1.10 match Rule 1 and are passed, and echo replies from 172.16.1.10 to 192.168.10.3 match Rule 0 and are blocked by the rule.

However, pinging 172.16.1.10 from 192.168.10.3 creates the following "all" state:

    root@fw:~ # pfctl -vvs state
    No ALTQ support in kernel
    ALTQ related functions disabled
    all icmp 172.16.1.10:31234 <- 192.168.10.3:31234       0:0
       age 00:12:08, expires in 00:00:10, 694:0 pkts, 58296:0 bytes, rule 1
       id: 000000005df37f65 creatorid: 66d731d7
    root@fw:~ #

Why is this state not permitting the reversed packets (echo replies) from 172.16.1.10 to 192.168.10.3 incoming via the "dmz" interface?

It is my understanding that with the default "state-policy=floating", reversed packets should be passed from 172.16.1.10 to 192.168.10.3, but it is not happening. This behaviour would be expected with "state-policy=if-bound", but with "state-policy=floating" shouldn't the states be global?

What am I missing?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
