Hello Ian,

it took me a while to figure out what exactly is going on here.

On Tue, May 03, 2022 at 04:13:44PM +0100, Ian Chilton wrote:
> Hi,
> 
> I just tried TCP this afternoon.
> 
> keep state (sloppy) does only fix ICMP.... TCP connections are still blocked 
> :(

    this is your rule for tcp/udp:

        pass out quick on { admin, external, linknet } proto { tcp, udp }

    it's worth checking how the single line above expands when
    it is loaded into the kernel:

        lumpy$ echo 'pass out quick on { admin, external, linknet } proto { tcp, udp }' | pfctl -nvf -
        pass out quick on admin proto tcp all flags S/SA
        pass out quick on admin proto udp all
        pass out quick on external proto tcp all flags S/SA
        pass out quick on external proto udp all
        pass out quick on linknet proto tcp all flags S/SA
        pass out quick on linknet proto udp all

    note there is a 'flags S/SA' option, which matches TCP SYN packets only.
    so the story here is very similar to what we've seen for ICMP:

        gw1 receives state from gw2 via pfsync.

        the received state allows inbound SYN|ACK packet

        gw1 forwards SYN|ACK packet to its destination.

        the forwarded packet is intercepted at gw1 as outbound this time.
        the outbound SYN|ACK does not match a state. It also does not match
        the pass rule, so it gets blocked by the matching block rule.


    also note that 'keep state (sloppy)' tuning knob does not help here:

        lumpy$ echo 'pass out quick on { admin, external, linknet } proto { tcp, udp } keep state (sloppy)' | pfctl -nvf -
        pass out quick on admin proto tcp all flags S/SA keep state (sloppy)
        pass out quick on admin proto udp all keep state (sloppy)
        pass out quick on external proto tcp all flags S/SA keep state (sloppy)
        pass out quick on external proto udp all keep state (sloppy)
        pass out quick on linknet proto tcp all flags S/SA keep state (sloppy)
        pass out quick on linknet proto udp all keep state (sloppy)

    the match option 'flags S/SA' is still present and matches SYN packets
    only.

    so to solve it one has to specify 'flags ...' option:

        pass out quick on { admin, external, linknet } proto { tcp, udp } flags SA/SA

    I would give the rule above a try. If it doesn't work then I would try to
    relax it with keep state (sloppy).

regards
sashan
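The following is an added illustration, not part of the message above and not pf's own code: a small Python model of pf's 'flags set/mask' matching and of the outbound evaluation on gw1 that the message describes (state lookup first, then the expanded 'pass out quick ... proto tcp' rule, otherwise the block rule). The gateway names and the rule follow the message; the packet flag values and the function names are constructed for the example.

```python
# Model of pf's 'flags set/mask' semantics, added here as an illustration of
# why the rule expanded to 'flags S/SA' passes a SYN but not the SYN|ACK that
# gw1 forwards after importing the state from gw2 via pfsync.
# Not pf's code; packet flag values below are constructed for the example.

# TCP flag bits as they appear in the TCP header flags byte.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

SYN = TCP_FLAGS["S"]                   # first packet of a handshake
SYN_ACK = TCP_FLAGS["S"] | TCP_FLAGS["A"]  # the reply gw1 ends up forwarding


def parse_flags_option(option):
    """Turn pf's 'flags set/mask' text (e.g. 'S/SA') into two bit masks."""
    set_part, mask_part = option.split("/")
    to_bits = lambda letters: sum(TCP_FLAGS[c] for c in letters)
    return to_bits(set_part), to_bits(mask_part)


def flags_match(packet_flags, option):
    """pf matches when, looking only at the bits in 'mask', exactly the
    bits listed in 'set' are on.  'S/SA' therefore means: SYN set, ACK clear."""
    want, mask = parse_flags_option(option)
    return (packet_flags & mask) == want


def outbound_decision(packet_flags, has_state, rule_flags_option):
    """gw1's outbound path as described in the thread: an existing state
    passes the packet; otherwise the single 'pass out quick' rule is tried;
    otherwise the default block rule catches it."""
    if has_state:
        return "pass (state)"
    if flags_match(packet_flags, rule_flags_option):
        return "pass (rule)"
    return "block"


def handshake_matrix(options=("S/SA", "SA/SA")):
    """Which handshake packets each 'flags' option matches; useful to review
    before changing the option on a production rule set."""
    packets = {"SYN": SYN, "SYN|ACK": SYN_ACK}
    return {opt: {name: flags_match(bits, opt) for name, bits in packets.items()}
            for opt in options}


def failover_walk(rule_flags_option):
    """The sequence from the message: inbound SYN|ACK matches the pfsync'ed
    state, the forwarded copy is seen outbound with no state of its own."""
    inbound = "pass (state)"          # received state allows the inbound SYN|ACK
    outbound = outbound_decision(SYN_ACK, has_state=False,
                                 rule_flags_option=rule_flags_option)
    return inbound, outbound


if __name__ == "__main__":
    for opt in ("S/SA", "SA/SA"):
        print(f"flags {opt}: inbound/outbound SYN|ACK on gw1 ->", failover_walk(opt))
    print(handshake_matrix())
```

Running the block prints the outbound verdict for the forwarded SYN|ACK under each option, and the matrix shows, for each option, which of the two handshake packets would match, so the effect of an explicit 'flags' setting can be checked before the rule is loaded with pfctl.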
