David DeSimone wrote:
> Tom Judge <[EMAIL PROTECTED]> wrote:
>> I have a question about the number of times a packet passes through pf
>> on a router.
>
> The PF subsystem always examines every packet that passes in or out an
> interface. For a forwarded packet that means it will be examined twice.
> However, your question seems to be more in regards to whether the packet
> gets matched against the rulebase. That is sort of a subtly different
> question.
>
>> 172.31.0.1/24:em0-[FreeBSD Router]-em1:172.31.1.1/24
>>
>> Does a packet being routed from em0 to em1 pass through PF twice?
>>
>> Would the following example work to only pass ssh connections from
>> 172.31.0.0/24 into 172.31.1.0/24?
>>
>> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>> block in log inet from any to any
>> block out log inet from any to any
>
> Because of the "keep state" qualifier, PF will build a state entry,
> which allows matching packets to be passed, without examining the
> rulebase. So, PF does indeed examine every packet, once when it comes
> in an interface, again when the packet goes out the opposite interface,
> but because a state table entry matches the packet, it is allowed to
> pass without examining the rulebase beyond the first packet.
>
> So, packets are "passed through" PF, but the rulebase is "passed
> through" only once for packets matching the rule.
>
>> Or do I have to have the following rules for it to work?
>>
>> pass in quick on em0 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>> pass out quick on em1 proto tcp from 172.31.0.0/24 to 172.31.1.0/24 port 22 keep state
>
> If you were to leave out the "keep state" qualifier, you would need
> rules matching the inbound and outbound packets. I think you would
> find, if you go ahead and tried the above, that the second rule never
> sees any matches, because the first rule handles them and builds state
> which causes the second rule to never be used.

According to the diagram that Greg sent a link to
(http://homepage.mac.com/quension/pf/flow.png) state is checked for
every interface. However, is the state information tied to an interface?

172.31.0.0/24>em0-[Router 1]-|-em1<->em1-|-[Router 2]-em0<172.31.1.0/24
                             |-em2<->em2-|

Assuming that the routes are managed by a routing protocol such as OSPF and
em1 is the normal primary link, but when em1 is down em2 should restrict
certain traffic.

If the state is not tied to an interface then:

pass in quick on em0 proto tcp from 172.31.0.0/21 to 172.31.1.0/24 port 22 keep state

This rule would allow ssh traffic across both em1 and em2. I can't see
from the diagram, if state data is shared, how one would block egress ssh
traffic on em2, as it would never hit another rule since the state would
cause it to get passed straight away.

Whereas if there are separate state 'tables' then a second rule for
egress traffic on em1 would be required and egress traffic on em2 would
get caught by the default block rule.

All these rules are assumed to be on Router 1.

I would have thought that the state tables would be independent for the
ingress and egress interfaces; could someone clarify this please?

Thanks
Tom
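An added example (not from anyone in this thread) of a Router 1 pf.conf for the
two-link topology Tom describes. It uses pf's `set state-policy if-bound` option
to bind each state entry to the interface it was created on, so the forwarded
packet is matched against the rulebase again when it leaves em1 or em2; the
interface names and networks are the ones from the thread, the macro names are
assumptions.

```pf
# Added example for "Router 1" in the diagram above; not the poster's config.
lan_net    = "172.31.0.0/24"
remote_net = "172.31.1.0/24"

# The default policy is "floating": a state created on em0 also matches the
# same packet on its way out of em1 or em2, so no egress rule is consulted.
# "if-bound" ties the state to the interface it was created on, so the
# outbound leg of a forwarded flow must match its own rule on the egress side.
set state-policy if-bound

# Default deny, logged, on every interface.
block in  log inet all
block out log inet all

# Ingress on em0: accept SSH from the LAN toward the remote network.
# This creates a state bound to em0 only.
pass in quick on em0 proto tcp from $lan_net to $remote_net port 22 keep state

# Egress: only em1 gets a matching out-rule (creating an em1-bound state).
# When OSPF reroutes the flow over em2, the packet hits "block out" there.
pass out quick on em1 proto tcp from $lan_net to $remote_net port 22 keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to check the syntax before committing it to a live router.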
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"