Alexandr Nedvedicky wrote: [dd]
> > Why is this state not permitting the reversed packets (echo
> > replies) from 172.16.1.10 to 192.168.10.3 incoming via the "dmz" interface?
> >
> > It is my understanding that with the default "state-policy=floating",
> > reversed packets should be passed from 172.16.1.10 to 192.168.10.3,
> > but it is not happening.
> >
> > This behaviour would be expected with "state-policy=if-bound", but
> > with "state-policy=floating" shouldn't the states be global?
> >
> > What am I missing?
>
> according to my understanding the state got created by
> inbound rule bound to 'inside' interface.

Correct. That was my intention.

> Such state allows
> further packets:
>
> 192.168.10.3 -> 172.16.1.10 @ inbound
> 172.16.1.10 -> 192.168.10.3 @ outbound

Well, if the "pfctl -vvs state" showed those inbound and outbound markers,
I would have probably suspected something. Unfortunately it presents the
state as "all."

>
> these are all packets, which are allowed by state created
> by your 'pass in' rule.
>
> The forwarding essentially means the packets cross two interfaces.
> It means the PF running on your host sees the packet two times.

This is certainly true for pf rules. However, states are processed before
rules, aren't they?

> time the packet is seen as inbound second time it is seen as outbound.

Seen by the rules, yes. But isn't the state table supposed to be checked
*before* rules?

> For ICMP requests story goes like this:
>
> 192.168.10.3 -> 172.16.1.10 @ inbound
> 192.168.10.3 -> 172.16.1.10 @ outbound
>
> for ICMP replies:
> 172.16.1.10 -> 192.168.10.3 @ inbound
> 172.16.1.10 -> 192.168.10.3 @ outbound
>
> Now it should become obvious your firewall is missing state, which allows
> replies. There is no state, which allows inbound ICMP reply, and there is
> no such rule, which allows inbound ICMP rule.

I see now. The state-policy=floating misled me into believing that the
state table was global. Thank you for explaining.

But then, what is the real difference between if-bound and global?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
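To make the explanation above concrete, here is an added pf.conf fragment (example configuration written for this page, not a rule set posted by either participant) covering the forwarding case in the thread. The interface names "inside" and "dmz" and the addresses 192.168.10.3 and 172.16.1.10 are taken from the thread; the macro values, the "block all" baseline and the icmp-type qualifier are assumptions made for illustration.

```pf
# Added example, not from the thread. Interface names and addresses are the
# ones discussed above; em0/em1 and the "block all" baseline are assumed.
inside = "em0"
dmz    = "em1"

# The default policy, written out explicitly. With "floating" a state may
# match on any interface, but a state still only covers the two directions
# it was created for: the original direction and its reverse.
set state-policy floating

block all

# The rule set as the thread describes it: only the inbound leg on "inside"
# is covered. The state created here matches
#   192.168.10.3 -> 172.16.1.10 @ inbound   (request arriving on inside)
#   172.16.1.10 -> 192.168.10.3 @ outbound  (reply leaving via inside)
# Nothing covers the request leaving via dmz or the reply arriving on dmz,
# which is why the echo replies never get through.
pass in on $inside inet proto icmp from 192.168.10.3 to 172.16.1.10 \
    icmp-type echoreq keep state

# The missing piece: a rule for the outbound leg on "dmz". Its state matches
#   192.168.10.3 -> 172.16.1.10 @ outbound  (request leaving via dmz)
#   172.16.1.10 -> 192.168.10.3 @ inbound   (echo reply arriving on dmz)
# The reply is then accepted by this second state on dmz and by the first
# state (reverse direction) when it leaves via inside.
pass out on $dmz inet proto icmp from 192.168.10.3 to 172.16.1.10 \
    icmp-type echoreq keep state
```

After loading this, a ping from 192.168.10.3 should produce two entries in `pfctl -ss`, one per interface the packet crosses; if only one state appears, the outbound leg is still not being matched and the second rule is the place to look.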