Hello,
On Fri, Dec 13, 2019 at 02:23:38PM +0700, Victor Sudakov wrote:
> Dear Colleagues,
>
> I'm trying to figure out the difference between floating and if-bound
> states. Let's consider a simple ruleset with just 2 rules:
>
> root@fw:~ # pfctl -vvs rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> @0 block return in on dmz all
> [ Evaluations: 2282 Packets: 1022 Bytes: 85848 States: 0
> ]
> [ Inserted: uid 0 pid 822 State Creations: 0 ]
> @1 pass in on inside all flags S/SA keep state
> [ Evaluations: 1771 Packets: 511 Bytes: 42924 States: 1
> ]
> [ Inserted: uid 0 pid 822 State Creations: 1 ]
> root@fw:~ #
>
> Let's ping host 172.16.1.10 (attached to the "dmz" interface) from host
> 192.168.10.3 (attached to the "inside" interface) via the router.
>
> Echo requests from 192.168.10.3 to 172.16.1.10 match Rule 1 and are
> passed, and echo replies from 172.16.1.10 to 192.168.10.3 match Rule 0
> and are blocked by the rule.
>
> However, pinging 172.16.1.10 from 192.168.10.3 creates the following "all"
> state:
>
> root@fw:~ # pfctl -vvs state
> No ALTQ support in kernel
> ALTQ related functions disabled
> all icmp 172.16.1.10:31234 <- 192.168.10.3:31234 0:0
> age 00:12:08, expires in 00:00:10, 694:0 pkts, 58296:0 bytes, rule 1
> id: 000000005df37f65 creatorid: 66d731d7
> root@fw:~ #
>
> Why is this state not permitting the reversed packets (echo
> replies) from 172.16.1.10 to 192.168.10.3 incoming via the "dmz" interface?
>
> It is my understanding that with the default "state-policy=floating",
> reversed packets should be passed from 172.16.1.10 to 192.168.10.3,
> but it is not happening.
>
> This behaviour would be expected with "state-policy=if-bound", but
> with "state-policy=floating" shouldn't the states be global?
>
> What am I missing?
according to my understanding the state got created by
inbound rule bound to 'inside' interface. Such state allows
further packets:
192.168.10.3 -> 172.16.1.10 @ inbound
172.16.1.10 -> 192.168.10.3 @ outbound
these are all packets, which are allowed by by state created
by your 'pass in' rule.
The forwarding essentially means the packets cross two interfaces.
It means the PF running on your host sees the packet two times. The first
time the packet is seen as inbound second time it is seen as outbound.
For ICMP requests story goes like this:
192.168.10.3 -> 172.16.1.10 @ inbound
192.168.10.3 -> 172.16.1.10 @ outbound
for ICMP replies:
172.16.1.10 -> 192.168.10.3 @ inbound
172.16.1.10 -> 192.168.10.3 @ outbound
Now it should become obvious your firewall is missing state, which allows
replies. There is no state, which allows inbound ICMP reply, and there is
no such rule, which allows inbound ICMP rule.
you need to adjust a policy bit:
block return in on dmz all
pass out on dmz all
pass in on inside all
the 'pass out' rule will create the state, which will allow inbound ICMP
replies sent by hosts attached to dmz.
I hope my explanation sounds clear.
regards
sashan
