> > Today its a null op. So it voids the keyword which should be deprecated in
> > FreeBSD or should be reintroduced!
> > Also it may break people assumptions on it.
>
> So I take it that "set state-policy if-bound" will no longer have any
> effect either? Is this expected to hit 10.0-RELEASE?
>
> It's definitely not ok to break this functionality. SMP changes are
> far less valuable than being able to filter each packet on ingress and
> egress.
Except that it does work (Relevant config snippet):
FreeBSD firewall1.jnb1.gp-online.net 10.0-CURRENT FreeBSD 10.0-CURRENT #10
r242311: Mon Oct 29 16:31:29 SAST 2012
i...@firewall1.jnb1.gp-online.net:/usr/obj/usr/src/sys/FIREWALL amd64
--- /etc/pf.conf ---
...
# Options
# ~~~~~~~
set timeout { \
adaptive.start 900000, \
adaptive.end 1800000 \
}
set block-policy return
set state-policy if-bound
set optimization normal
set ruleset-optimization basic
set limit states 1500000
set limit frags 40000
set limit src-nodes 150000
...
# Servers
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"
...
# L2TP tunnel termination
anchor vlan24 quick on vlan24
load anchor vlan24 from "/var/db/firewall/vlan24"
...
#EOF
--- /var/db/firewall/vlan4 ---
...
# Test
block out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh }
pass in all
#EOF
--- /var/db/firewall/vlan24 ---
pass in all
pass out all
#EOF
[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
telnet: connect to address 41.154.0.151: Operation timed out
telnet: Unable to connect to remote host
[firewall1.jnb1] ~ # tcpdump -envi pflog0 host 41.154.88.19 and host
41.154.0.151
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture
size 65535 bytes
09:31:41.323353 rule 3.vlan4.126/0(match): block out on vlan4: (tos 0x10, ttl
62, id 25475, offset 0, flags [DF], proto TCP (6), length 60)
41.154.88.19.26211 > 41.154.0.151.22: Flags [S], cksum 0x1264 (correct),
seq 3408095044, win 65535, options [mss 1410,nop,wscale 3,sackOK,TS val
3679262149 ecr 0], length 0
[firewall1.jnb1] ~ # pfctl -s sta |grep 41.154.88.19 |grep 41.154.0.151
vlan24 tcp 41.154.0.151:22 <- 41.154.88.19:26211 CLOSED:SYN_SENT
However, with the #Test rule commented out:
[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
Connected to inbound01.jnb1.gp-online.net.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-9etch2
[firewall1.jnb1] ~ # pfctl -s sta |grep 41.154.0.211 |grep 41.154.2.69
vlan24 tcp 41.154.0.151:22 <- 41.154.88.19:24898 ESTABLISHED:ESTABLISHED
vlan4 tcp 41.154.88.19:24898 -> 41.154.0.151:22 ESTABLISHED:ESTABLISHED
I think the only thing that's not working properly is
set block-policy return
but I'm not sure if that was working properly before. I had to
modify the rule as follows to get a connection refused:
block return out log proto tcp from 41.154.88.19 to 41.154.0.151 port { ssh }
to get:
[41.154.88.19] ~/graphing $ telnet 41.154.0.151 22
Trying 41.154.0.151...
telnet: connect to address 41.154.0.151: Connection refused
telnet: Unable to connect to remote host
Ermal, do you have a test case that exposes the issue?
Ian
--
Ian Freislich
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
