Hello Ian,
On Mon, May 02, 2022 at 10:55:47PM +0100, Ian Chilton wrote:
> Hi,
> 
> On Mon, 2 May 2022 at 21:28, Alexandr Nedvedicky <
> [email protected]> wrote:
> 
> > > is there a pfsync(4) configured between gw2 and gw1?
> 
> 
> Yes!
> 
> 
> >         ICMP reply arrives to gw1. It enters pf(4) as inbound packet.
> >         inbound ICMP reply is allowed by state. pf(4) accepts packet.
> >         packet enters IP stack at gw1, which forwards the packet towards
> >         destination.
> >
> >         when packet reaches outbound NIC at gw1 it is intercepted
> >         by pf again as outbound ICMP reply. There is no state, which
> >         allows outbound ICMP reply. pf checks rules for ICMP reply:
> >                 pass quick {icmp, icmp6} all
> >         rule does not match, because implicit 'keep state', is not
> >         allowed to create state for icmp replies.
> 
> 
> but surely that should match the same state entry [that allowed it to
> ingress]??
> 

    there is a difference in how pf(4) processes local and forwarded
    traffic. In the case of locally bound traffic, pf(4) intercepts the packet
    exactly once. For a local outbound session the story goes like this:

        local process sends packet
                |
                V
        packet is intercepted by firewall
                |
                V
        if packet is allowed by firewall (either due to existing
        state or matching pass rule), packet leaves the host.


    for a forwarded packet the story is different: the packet is intercepted
    twice:

        inbound packet enters host and is intercepted by firewall
                |
                V
        firewall either finds matching state or rule
        to allow packet to enter a host IP stack
                |
                V
        accepted packet enters IP stack and is forwarded
        towards its destination via outbound NIC
                |
                V
        outbound packet is intercepted by firewall,
        if firewall finds either matching state or matching rule,
        then packet is allowed to leave host

    pf(4) for forwarded packets indeed keeps a pair of states.
    If either state is missing, then no forwarding can happen.

> 
> On a separate, but related note. I’m clearly missing some fundamental
> understanding of stateful firewalls, but when there is a rule saying “allow
> all ICMP”, then surely all ICMP should then be allowed, regardless of state?

    such a rule must either relax the stateful check (sloppy) or give up
    the stateful check completely (no state). pf is a stateful firewall by
    default. So if no option on state handling is specified, then
    pf does a full/strict state check by default.

regards
sashan
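
The behaviour sashan describes above (one interception for local traffic,
two for forwarded traffic, a pair of states per forwarded flow, and an ICMP
reply that cannot create a state under the implicit keep state) as a small
Python model. This is an added illustration written for this page, not pf(4)
code and not part of the thread. The addresses, the echo identifier, the
state key (direction plus request-oriented flow), the choice of which state
of the pair is missing on gw1, and the handling of the two remedies sashan
names (sloppy is modelled as "a reply may create the missing state", no state
as "skip the state table entirely") are modelling assumptions, not pf
internals.

```python
"""Model of pf(4) interception hooks on a forwarding gateway (added example)."""
from dataclasses import dataclass, field

IN, OUT = "in", "out"
REQUEST, REPLY = "echo-request", "echo-reply"


def flip(direction):
    return OUT if direction == IN else IN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: str   # REQUEST or REPLY
    icmp_id: int     # echo identifier that pairs a reply with its request

    @property
    def flow(self):
        # A reply is normalised to the orientation of the request it answers,
        # so both halves of an exchange share one flow key (modelling choice).
        if self.icmp_type == REPLY:
            return (self.dst, self.src, self.icmp_id)
        return (self.src, self.dst, self.icmp_id)


@dataclass
class Rule:
    # "keep" is the implicit default; "sloppy" and "no" are the two
    # alternatives sashan names in the thread.
    state: str = "keep"


@dataclass
class Gateway:
    name: str
    rule: Rule
    states: set = field(default_factory=set)   # {(direction, flow)}
    trace: list = field(default_factory=list)  # (hook, icmp_type, verdict)

    def hook(self, direction, pkt):
        """One pf interception of pkt on the given hook; returns 'pass' or 'drop'."""
        if self.rule.state == "no":
            self.trace.append((direction, pkt.icmp_type, "pass (no state)"))
            return "pass"
        # A request matches a state created in the same direction; a reply
        # matches the state created by its request, i.e. the opposite direction.
        want = direction if pkt.icmp_type == REQUEST else flip(direction)
        if (want, pkt.flow) in self.states:
            self.trace.append((direction, pkt.icmp_type, "pass (state)"))
            return "pass"
        # No state: the 'pass all' rule is consulted. Under the default keep
        # state only a request may create a state; a reply is refused.
        if pkt.icmp_type == REPLY and self.rule.state == "keep":
            self.trace.append((direction, pkt.icmp_type,
                               "drop (reply cannot create state)"))
            return "drop"
        # sloppy: create the state the reply would have needed (assumption).
        self.states.add((want, pkt.flow))
        self.trace.append((direction, pkt.icmp_type, "pass (rule, state created)"))
        return "pass"

    def forward(self, pkt):
        """A forwarded packet crosses pf twice: inbound hook, then outbound hook."""
        if self.hook(IN, pkt) == "drop":
            return "drop"
        return self.hook(OUT, pkt)

    def local_out(self, pkt):
        """A locally generated packet is intercepted exactly once."""
        return self.hook(OUT, pkt)

    def local_in(self, pkt):
        """A packet addressed to the gateway itself is intercepted once."""
        return self.hook(IN, pkt)


def forwarded_exchange(rule):
    """Healthy gateway: request and reply both forwarded; a pair of states results."""
    gw = Gateway("gw2", rule)
    req = Packet("10.0.0.5", "203.0.113.7", REQUEST, 0x1234)   # constructed addresses
    rep = Packet("203.0.113.7", "10.0.0.5", REPLY, 0x1234)
    return gw.forward(req), gw.forward(rep), sorted(gw.states)


def reply_on_gateway_missing_one_state(rule):
    """sashan's case: the reply reaches a gateway holding only one state of the
    pair (constructed: the thread does not say which one is absent). The reply
    clears the inbound hook, then the outbound hook finds no state."""
    gw = Gateway("gw1", rule)
    gw.states.add((OUT, ("10.0.0.5", "203.0.113.7", 0x1234)))
    rep = Packet("203.0.113.7", "10.0.0.5", REPLY, 0x1234)
    return gw.forward(rep), list(gw.trace)


def local_ping(rule):
    """Gateway pings out itself: one hook per packet, a single state."""
    gw = Gateway("gw1", rule)
    req = Packet("192.0.2.1", "203.0.113.7", REQUEST, 0x42)
    rep = Packet("203.0.113.7", "192.0.2.1", REPLY, 0x42)
    return gw.local_out(req), gw.local_in(rep), sorted(gw.states)


if __name__ == "__main__":
    for name in ("keep", "sloppy", "no"):
        verdict, trace = reply_on_gateway_missing_one_state(Rule(name))
        print(f"{name:>6}: {verdict}")
        for step in trace:
            print("        ", step)
```

Running the script prints the per-hook trace for the three rule variants: with
the implicit keep state the reply passes the inbound hook and is dropped on the
outbound hook, while sloppy and no state let it through.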
