Morgan Wesström wrote:

> >>> ===================================
> >>> # DMZ 172.16.1.0/24
> >>> pass in on $dmz
> >>> #block in on $dmz from any to 192.168.0.0/16
> >>>
> >>> # Inside 192.168.10.0/24
> >>> pass in on $inside
> >>> ===================================
> >>>
> >>> While the "block ..." line is commented out, I can "telnet 172.16.1.10
> >>> 80" from 192.168.10.3.
> >>
> >> Rule 1 does not match this packet
> >> Rule 3 matches said packet, action is PASS
>
> The pass directive creates a state when only SYN is set out of SYN and
> ACK as per the manual page. It does NOT create a state when both SYN and
> ACK are set simultaneously as in your initial reply from the telnet
> server.
Do you mean to say that a state checks not only address:port pairs, but
also TCP flags? This is a new notion for me. What would be a "pass" rule
to create a "catch all" state with no regard for TCP flags?

> Afaik a pass rule only creates state on the interface it
> monitors.

I'm afraid this is an incorrect assumption.

> I did not recreate your setup to check this though. But this
> is what should happen:
>
> With rule 2 remarked:
>
> - Your initial telnet SYN will create state on $inside through rule 3.
> - There should be no state created on $dmz.

I'm afraid this is an incorrect assumption. According to man pf.conf, by
default "state-policy=floating" and state is not bound to interfaces.
The output of "pfctl -s state" does not indicate any interfaces either,
just protocols, addresses and ports.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
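The two pf.conf knobs argued about in this exchange, the TCP-flag condition under which a pass rule creates state and the interface binding of that state, as an added example that is not part of the thread. The interface names behind $dmz and $inside are assumed; the address ranges are the ones from the quoted ruleset.

```pf
# Added example (not from the thread). Interface names are assumed.
dmz    = "em1"
inside = "em2"

# Global state binding. "floating" is the documented default: a state
# created by a pass rule on one interface also matches the same
# connection's packets seen on any other interface.
set state-policy floating
# Alternative: every state is bound to the interface it was created on,
# so the reply arriving on $dmz would need its own state or rule there.
# set state-policy if-bound

# Default TCP state creation, written out explicitly: "flags S/SA" means
# "of the SYN and ACK bits, only SYN may be set". A bare SYN creates the
# state; the server's SYN/ACK is then matched by that state, not by a
# fresh rule evaluation.
pass in on $inside proto tcp from 192.168.10.0/24 to 172.16.1.0/24 port 80 \
    flags S/SA keep state

# "Catch all" variant: create state from any TCP packet regardless of
# which flags are set (for example to pick up an already established
# connection after a ruleset reload). Weaker than S/SA because pf cannot
# see the full handshake, so only use it where that is acceptable.
pass in on $inside proto tcp from 192.168.10.0/24 to 172.16.1.0/24 port 80 \
    flags any keep state

# Per-rule override of the global policy: this state is interface-bound
# even though state-policy is floating above.
pass in on $dmz proto tcp from 172.16.1.0/24 to 192.168.10.0/24 \
    flags S/SA keep state (if-bound)
```

With state-policy floating, a check such as pfctl -s state shows one entry for the telnet connection and that entry is consulted for the SYN/ACK regardless of which interface it arrives on; with if-bound, the same entry is only used for packets on the interface where the initial SYN was seen.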