Re: pf on FreeBSD
On Wed, Dec 13, 2006 at 06:31:10PM +0100, Daniel Hartmeier wrote: pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state The point of this is that you can control _which_ interface(s) a connection must flow through, instead of granting a permission to pass any and all interfaces. Or, you can specify no interfaces, which is okay to do _if_: 1) Both interfaces have only directly attached networks (that are static) 2) antispoof is on for both interfaces Some guy's guide out there for pf fails to take this into account. If there's a static default route on an interface, you really can't omit that interface from any rules, because both conditions are false. -- A: No. Q: Should I include quotations after my reply? URL:http://www.subspacefield.org/~travis/ -- pgpoWglC5yYBe.pgp Description: PGP signature
Re: pf on FreeBSD
Le 13/12/2006 18:31:10+0100, Daniel Hartmeier a ?crit On Wed, Dec 13, 2006 at 05:52:03PM +0100, Albert Shih wrote: It's a problem with FreeBSD or it's with pf ? With neither, you're assuming a state entry has the same effect in pf as in ipfw, which is not the case. For example I've put this kind of rule pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state When I try to connect from IP-A to IP-B using ssh the connection don't work. And I've got self tcp IP-B:22 - IP-A:56906 CLOSED:SYN_SENT self tcp IP-B:22 - IP-A:59496 CLOSED:SYN_SENT in my pfctl -s state and got deny for outgoing packet from IP-B to IP-A That is expected with pf. A state entry created for an incoming packet on one interface does not allow the same packet to go out through another interface, it merely allows further packets through the same interface and _replies_ back out through the same interface. Thanks for all. Everything work fine now. Regards. -- Albert SHIH Universite de Paris 7 (Denis DIDEROT) U.F.R. de Mathematiques. 7 i?me ?tage, plateau D, bureau 10 Heure local/Local time: Fri Dec 15 22:00:53 CET 2006
Re: pf on FreeBSD
On Wed, Dec 13, 2006 at 05:52:03PM +0100, Albert Shih wrote: It's a problem with FreeBSD or it's with pf ? With neither, you're assuming a state entry has the same effect in pf as in ipfw, which is not the case. For example I've put this kind of rule pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state When I try to connect from IP-A to IP-B using ssh the connection don't work. And I've got self tcp IP-B:22 - IP-A:56906 CLOSED:SYN_SENT self tcp IP-B:22 - IP-A:59496 CLOSED:SYN_SENT in my pfctl -s state and got deny for outgoing packet from IP-B to IP-A That is expected with pf. A state entry created for an incoming packet on one interface does not allow the same packet to go out through another interface, it merely allows further packets through the same interface and _replies_ back out through the same interface. If you do want to allow the packets to pass through another interface (as is usually the case with legitimate forwarded connections), you have to add pass out on $second-nic proto tcp from IP-A to IP-B port 22 keep state which will then create a _second_ state entry for the same connection. The point of this is that you can control _which_ interface(s) a connection must flow through, instead of granting a permission to pass any and all interfaces. This may seem pointless to want to control in a simple setup which only forwards between two NICs, but it isn't in a more complex case with multiple NICs and routing tables dynamically updated and/or not trusted. On my old FreeBSD I'm using something like ipfw add permit any to any established. The pf counterpart would be pass from any to any keep state i.e. leaving out the 'on $if' part makes the rule apply to all interfaces, and leaving out the 'out' or 'in' direction makes it apply to both directions. Daniel
Re: pf on FreeBSD + WCCP + Squid
On Fri, Apr 01, 2005 at 02:37:00AM +0800, Francis Vidal wrote: rdr on em0 inet proto tcp from any to any port www - 127.0.0.1 port 3128 You probably need to use 'on gre0' here. On em0, the packets are still encapsulated, and don't match the 'proto tcp' criterion. pf does never looks inside encapsulated packets, it uses the outer-most interpretation of what it sees ('proto gre' in this case). But it will be called for each packet once on em0 and then (after the stack decapsulates the packet) on gre0. So to hit the right level of decapsulation, put the rule on the right interface, which should be gre0 here. Daniel