Morgan Wesström wrote:
> 
> - Your initial telnet SYN will create state on $inside through rule 3.
> - There should be no state created on $dmz.
> - Your SYN+ACK reply and further replies will be passed by pf's default pass behaviour on $dmz.

OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.

1. Here is the picture without the "block..." rule:

root@inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms

root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state

all icmp 172.16.1.10:1283 <- 192.168.10.3:1283       0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283       0:0
root@fw:~ #

2. Here is the picture with the "block..." rule uncommented:

root@inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
(no reply)

root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state

all icmp 172.16.1.10:8707 <- 192.168.10.3:8707       0:0
root@fw:~ #

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
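
The two `pfctl -s state` dumps above differ in exactly one entry: without the block rule the echo reply gets its own inbound state on the firewall, with the block rule it does not. The following parser, an added example that is not part of this thread or of pf itself, turns `pfctl -s state` lines into structured records so that difference can be checked mechanically instead of by eye. It assumes the IPv4 `addr:port` print format shown in the thread (pf prints an inbound state as `dst <- src` and an outbound one as `src -> dst`; for ICMP the "port" field is the ICMP id). Function names and the `PfState` record are mine; the two sample dumps are the ones posted above.

```python
"""Parse `pfctl -s state` output and summarise the states between two hosts."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of `pfctl -s state` in the IPv4 form seen in the thread:
#   <iface> <proto> <hostA>:<port> <- <hostB>:<port>   <status>
# "<-" marks an inbound state (initiating source on the right),
# "->" an outbound state (initiating source on the left).
# IPv6 states are printed as addr[port] by pfctl and are not handled here.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>[^\s:]+):(?P<lport>\d+)\s+(?P<arrow><->|<-|->)\s+"
    r"(?P<right>[^\s:]+):(?P<rport>\d+)\s+(?P<status>\S+)\s*$"
)


@dataclass(frozen=True)
class PfState:
    iface: str
    proto: str
    direction: str  # "in", "out" or "both"
    src: str        # host that initiated the state
    sport: int
    dst: str
    dport: int
    status: str


def parse_state_line(line: str) -> Optional[PfState]:
    """Return a PfState for one dump line, or None for rules, prompts and blank lines."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    if m.group("arrow") == "<-":
        # inbound state: pf prints "dst <- src", so swap to src/dst order
        return PfState(m.group("iface"), m.group("proto"), "in",
                       m.group("right"), int(m.group("rport")),
                       m.group("left"), int(m.group("lport")), m.group("status"))
    direction = "out" if m.group("arrow") == "->" else "both"
    return PfState(m.group("iface"), m.group("proto"), direction,
                   m.group("left"), int(m.group("lport")),
                   m.group("right"), int(m.group("rport")), m.group("status"))


def parse_state_dump(text: str) -> List[PfState]:
    """Parse a whole `pfctl -s state` dump; non-state lines are skipped."""
    return [s for s in (parse_state_line(l) for l in text.splitlines()) if s]


def states_between(states: List[PfState], host_a: str, host_b: str,
                   proto: str = "icmp") -> List[PfState]:
    """States of `proto` whose two endpoints are exactly host_a and host_b, in either order."""
    pair = {host_a, host_b}
    return [s for s in states if s.proto == proto and {s.src, s.dst} == pair]


def reply_has_own_state(states: List[PfState], initiator: str, responder: str,
                        proto: str = "icmp") -> bool:
    """True if pf holds a separate state initiated by `responder` towards `initiator`,
    i.e. the reply traffic was matched by a rule of its own rather than by the
    state the original request created."""
    return any(s.src == responder and s.dst == initiator
               for s in states_between(states, initiator, responder, proto))


# The two state tables posted in the thread, copied verbatim.
DUMP_WITHOUT_BLOCK = """\
all icmp 172.16.1.10:1283 <- 192.168.10.3:1283       0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283       0:0
"""
DUMP_WITH_BLOCK = """\
all icmp 172.16.1.10:8707 <- 192.168.10.3:8707       0:0
"""

if __name__ == "__main__":
    inside, dmz = "192.168.10.3", "172.16.1.10"
    for label, dump in (("without block rule", DUMP_WITHOUT_BLOCK),
                        ("with block rule", DUMP_WITH_BLOCK)):
        st = parse_state_dump(dump)
        print(f"{label}: {len(states_between(st, inside, dmz))} icmp state(s), "
              f"reply has own state: {reply_has_own_state(st, inside, dmz)}")
```

Feed it the output of `pfctl -s state` taken while a ping is running and it reports whether the reply direction is being carried by the request's state or by a second state of its own; in the second dump above it finds no reply state at all, which is the case where the block rule gets to see the echo reply.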