Morgan Wesström wrote:
>
> - Your initial telnet SYN will create state on $inside through rule 3.
> - There should be no state created on $dmz.
> - Your SYN+ACK reply and further replies will be passed by pf's default
> pass behaviour on $dmz.
OK, let's forget about TCP flags entirely. Let's consider a simple ICMP ping.

1. Here is the picture without the "block..." rule:

root@inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=63 time=0.532 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=1.655 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=1.682 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=1.477 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=63 time=1.626 ms

root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
pass in on vtnet2 all flags S/SA keep state

all icmp 172.16.1.10:1283 <- 192.168.10.3:1283       0:0
all icmp 192.168.10.3:1283 <- 172.16.1.10:1283       0:0
root@fw:~ #

2. Here is the picture with the "block..." rule uncommented:

root@inside:~ # ping dmz.test
PING dmz.test (172.16.1.10): 56 data bytes
(no reply)

root@fw:~ # pfctl -s rules ; echo ; pfctl -s state
pass in on vtnet1 all flags S/SA keep state
block drop in on vtnet1 inet from any to 192.168.0.0/16
pass in on vtnet2 all flags S/SA keep state

all icmp 172.16.1.10:8707 <- 192.168.10.3:8707       0:0
root@fw:~ #

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
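An added example, not part of the thread above: a small model of how pf evaluates the two rulesets Victor posted, written to show why the "block drop in on vtnet1 ... to 192.168.0.0/16" rule decides the fate of the echo reply. It parses the `pfctl -s rules` lines from the thread, applies pf's rule-evaluation semantics (last matching rule wins, `quick` stops evaluation, no match means pass), and has no state table, so it models only the path a packet takes when it does not match an existing state. The interface layout (vtnet2 facing 192.168.10.3, vtnet1 facing 172.16.1.10) is inferred from the rules and the ping output, not stated in the excerpt, and the packets are constructed for the example.

```python
"""Toy model of pf rule evaluation over the rulesets posted in the thread.

pf walks the ruleset top to bottom; the LAST matching rule wins, unless a
matching rule carries 'quick', which ends evaluation at once.  If nothing
matches, the packet passes (pf's default).  No state table is modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str
    direction: str   # "in" or "out"
    proto: str       # "icmp", "tcp", "udp", ...
    src: str
    dst: str


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: Optional[str]    # "in", "out" or None (either)
    iface: Optional[str]        # interface name or None (any)
    proto: Optional[str]        # protocol or None (any)
    src: str                    # "any", a host address or a CIDR
    dst: str
    quick: bool = False
    text: str = ""              # original rule line, kept for reporting


def parse_rule(line: str) -> Rule:
    """Parse the subset of `pfctl -s rules` syntax that appears in the thread.

    Understands: pass/block [drop|return], in/out, on <if>, quick, inet/inet6,
    proto <p>, all, from <a> to <b>.  Trailing options such as 'flags S/SA'
    and 'keep state' do not affect rule matching and are skipped.
    """
    tok = line.split()
    rule = Rule(action=tok[0], direction=None, iface=None, proto=None,
                src="any", dst="any", text=line)
    if rule.action not in ("pass", "block"):
        raise ValueError(f"unsupported action in rule: {line}")
    i = 1
    while i < len(tok):
        t = tok[i]
        if t in ("drop", "return", "inet", "inet6", "all"):
            i += 1
        elif t in ("in", "out"):
            rule.direction = t; i += 1
        elif t == "on":
            rule.iface = tok[i + 1]; i += 2
        elif t == "quick":
            rule.quick = True; i += 1
        elif t == "proto":
            rule.proto = tok[i + 1]; i += 2
        elif t == "from":
            rule.src = tok[i + 1]; i += 2
        elif t == "to":
            rule.dst = tok[i + 1]; i += 2
        else:
            break   # flags / keep state / ...: not part of the match
    return rule


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule; None means pf's default pass)."""
    verdict, winner = "pass", None
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            verdict, winner = r.action, i      # later matches override earlier ones
            if r.quick:
                break                          # 'quick' ends the walk here
    return verdict, winner


# Rulesets copied from the two `pfctl -s rules` listings in the thread.
RULESET_WITHOUT_BLOCK = [parse_rule(l) for l in (
    "pass in on vtnet1 all flags S/SA keep state",
    "pass in on vtnet2 all flags S/SA keep state",
)]
RULESET_WITH_BLOCK = [parse_rule(l) for l in (
    "pass in on vtnet1 all flags S/SA keep state",
    "block drop in on vtnet1 inet from any to 192.168.0.0/16",
    "pass in on vtnet2 all flags S/SA keep state",
)]

# Constructed packets.  Interface layout is an inference from the thread's
# output (vtnet2 faces the inside host, vtnet1 faces the DMZ host).
ECHO_REQUEST = Packet("vtnet2", "in", "icmp", "192.168.10.3", "172.16.1.10")
ECHO_REPLY = Packet("vtnet1", "in", "icmp", "172.16.1.10", "192.168.10.3")

if __name__ == "__main__":
    for name, rs in (("without block", RULESET_WITHOUT_BLOCK),
                     ("with block", RULESET_WITH_BLOCK)):
        for label, pkt in (("request", ECHO_REQUEST), ("reply", ECHO_REPLY)):
            verdict, idx = evaluate(rs, pkt)
            by = rs[idx].text if idx is not None else "(default pass)"
            print(f"{name:14} {label:8} -> {verdict:5} by: {by}")
```

Running it reproduces the thread: with the block rule in place the echo reply arriving in on vtnet1 matches both "pass in on vtnet1 all" and the later "block drop ... to 192.168.0.0/16", and the later rule wins. Swapping the two rules, or marking the pass rule `quick`, lets the reply through again, which is the ordering point to check whenever a block rule appears to do nothing.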