On 13/12/2006 at 18:31:10+0100, Daniel Hartmeier wrote
> On Wed, Dec 13, 2006 at 05:52:03PM +0100, Albert Shih wrote:

Thanks for your answer
> 
> > It's a problem with FreeBSD or it's with pf ?
> 
> With neither, you're assuming a state entry has the same effect in pf as
> in ipfw, which is not the case.

OK.

> 
> > For example I've put this kind of rule
> > 
> >     pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state
> > 
> > When I try to connect from IP-A to IP-B using ssh the connection don't
> > work. And I've got 
> > 
> > self tcp IP-B:22 <- IP-A:56906       CLOSED:SYN_SENT
> > self tcp IP-B:22 <- IP-A:59496       CLOSED:SYN_SENT
> > 
> > in my pfctl -s state
> > 
> > and got deny for outgoing packet from IP-B to IP-A
> 
> That is expected with pf. A state entry created for an incoming packet
> on one interface does not allow the same packet to go out through
> another interface, it merely allows further packets through the same
> interface and _replies_ back out through the same interface.
> 
> If you do want to allow the packets to pass through another interface
> (as is usually the case with legitimate forwarded connections), you have
> to add
> 
>   pass out on $second-nic proto tcp from IP-A to IP-B port 22 keep state
> 
> which will then create a _second_ state entry for the same connection.

Waouu....OK...that increases the number of rules a lot...but well, I've a
powerful server..that won't be a problem

What's the purpose of 

        set state-policy floating 

? I think I haven't really understood the doc...


> 
> The point of this is that you can control _which_ interface(s) a
> connection must flow through, instead of granting a permission to pass
> any and all interfaces.
> 
> This may seem pointless to want to control in a simple setup which only
> forwards between two NICs, but it isn't in a more complex case with
> multiple NICs and routing tables dynamically updated and/or not trusted.
> 
> > On my old FreeBSD I'm using something like
> > 
> >     ipfw add permit any to any established.
> 
> The pf counterpart would be
> 
>   pass from any to any keep state
> 
> i.e. leaving out the 'on $if' part makes the rule apply to all
> interfaces, and leaving out the 'out' or 'in' direction makes it apply
> to both directions.

Hummm I'm not sure....the term «established» is (IMHO) used by CISCO ACLs,
and it means every IP packet that is a response from inside.

For example if I want to allow ssh connections from all-internet to my network I
can put

        in on nic1 permit tcp from all-internet to ssh-host port ssh

and I just need 

        out on nic1 permit any to any established

to allow all returning tcp packets to match this rule. Of course on CISCO it's
first match policy.

And this works for all services: ssh, web etc.... (not ftp of course), but
only for TCP, not UDP.

Lots of thanks

Best regards.

--
Albert SHIH
Universite de Paris 7 (Denis DIDEROT)
U.F.R. de Mathematiques.
7th floor, plateau D, office 10
Heure local/Local time:
Wed Dec 13 21:57:10 CET 2006
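As an added illustration (not part of the thread), here is a minimal pf.conf putting Daniel's two-state model for the forwarded ssh connection into one ruleset; the interface names and addresses are constructed placeholders for the poster's $first-nic, $second-nic, IP-A and IP-B.

```pf
# Added example, not the poster's or Daniel's configuration.
ext_if = "em0"            # assumed name for $first-nic (where IP-A's SYN arrives)
int_if = "em1"            # assumed name for $second-nic (toward IP-B)
ip_a   = "192.0.2.10"     # constructed client address (IP-A)
ip_b   = "198.51.100.22"  # constructed ssh server address (IP-B)

# Default deny: anything without an explicit pass is dropped and logged,
# so a missing rule shows up in pflog instead of silently passing.
block log all

# State 1: the SYN entering on the first NIC. This state only covers
# further packets of the connection on $ext_if and the replies going
# back out $ext_if; it does not let the forwarded packet leave on $int_if.
pass in  on $ext_if proto tcp from $ip_a to $ip_b port 22 keep state

# State 2: the same connection leaving on the second NIC. Without this
# rule the outgoing packet is denied and pfctl -s state shows the first
# entry stuck in CLOSED:SYN_SENT, as in the poster's output.
pass out on $int_if proto tcp from $ip_a to $ip_b port 22 keep state

# The option the poster asks about (an assumption about its meaning from
# pf.conf(5), not from the thread): it selects whether a state entry is
# tied to the interface it was created on (if-bound) or may match packets
# on any interface (floating). It does not remove the need for the second
# rule above, because a forwarded connection still gets one state per
# direction it is passed in. Options must come before the rules.
# set state-policy floating
```

With both rules loaded, a successful connection shows two entries for the same source port in `pfctl -s state`, one per interface.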
