This is a bit strange. pf works normally, but rules after an anchor are being attached to the anchor (somehow).

All states that are created from rules after the anchor show the anchor (pf rule) number instead of (only) the rule number in pfctl -vv and in pflog.

Here is a quite simple example.

# pfctl -sr -a'*' -vv | egrep -v "Evaluations|Inserted" | head -6
@0 match in all scrub (no-df random-id)
@1 pass in quick on vio0 from <admin:1> to any flags S/SA set (prio 6) keep state (if-bound, pflow) tag from_external
@2 anchor "test" quick all {
@0 pass out log quick on egress inet proto tcp from any to any port = 2000 flags S/SA keep state (if-bound) rdr-to 127.0.0.1
}
@3 pass out log quick inet proto tcp from any to yy.yy.yy.yy port = 22 flags S/SA keep state (if-bound, pflow)

Test traffic for the anchor rule works fine (xx.xx.xx.xx is my external IP).

# telnet 8.8.8.8 2000

pflog: May 19 13:54:03.427024 rule 2.test.0/(match) pass out on vio0: xx.xx.xx.36179 > 8.8.8.8.2000: S 4080176752:4080176752(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3209664444[|tcp]> (DF) [tos 0x10]

# pfctl -ss -vv | grep -A3 8.8.8.8
vio0 tcp xx.xx.xx.xx:36179 -> 127.0.0.1:2000 (8.8.8.8:2000)       SYN_SENT:CLOSED
   [4080176752 + 2]  [0 + 1]
   age 00:00:01, expires in 00:01:59, 1:0 pkts, 64:0 bytes, anchor 2, rule 0   <<<--- this is rule 0 of the anchor, which is correct
   id: 661391580039aaa3 creatorid: bfd893f9

See what happens if I try to trigger rule @3 and ssh to yy.yy.yy.yy:

pflog: May 19 13:55:42.386186 rule 2/(match) pass out on vio0: xx.xx.xx.xx.23564 > yy.yy.yy.yy.22: S 3631867116:3631867116(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 2800908401[|tcp]> (DF) [tos 0x48]

# pfctl -ss -vv | grep -A3 yy.yy.yy.yy
vio0 tcp xx.xx.xx.xx:23564 -> yy.yy.yy.yy:22       ESTABLISHED:ESTABLISHED
   [3631869502 + 37760] wscale 6  [3744464382 + 16384] wscale 7
   age 00:01:10, expires in 23:58:54, 16:19 pkts, 3229:3857 bytes, anchor 2, rule 3, pflow
   id: 661391580039ab07 creatorid: bfd893f9

pflog logs "rule 2", which is the anchor, instead of "rule 3".

pfctl shows "anchor 2, rule 3" instead of just "rule 3".

Traffic works normally but there is something fishy here.

quick on the anchor does not make any difference, although to my understanding it shouldn't matter whether it is set or not in this case.

G
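Added example (not part of the post above): a small Python check that reads the rule references out of pflog lines and pfctl -ss -vv state lines, resolves them against the ruleset shown in the listing, and flags the two symptoms described: a log line that points at the anchor rule itself rather than a leaf rule, and a state whose rule number does not exist inside the anchor it names. The rule counts and the anchor name are taken from the listing; the one-level "N.name.M" nesting format and the sample lines are assumptions re-joined from the wrapped output.

```python
import re

# Ruleset from the pfctl -sr -a'*' listing in the post: top-level rules @0..@3,
# where @2 is anchor "test" and that anchor holds a single rule @0.
TOP_LEVEL_RULES = 4
ANCHOR_NAME = {2: "test"}     # top-level rule number -> anchor it opens
ANCHOR_RULES = {"test": 1}    # anchor name -> number of rules inside it
PFLOG_RE = re.compile(r"rule (?P<ref>[\w.]+)/\(")                          # rule 2.test.0/(match)
STATE_RE = re.compile(r"(?:anchor (?P<anchor>\d+), )?rule (?P<rule>\d+)")  # anchor 2, rule 3

def parse_pflog_ref(ref):
    """'2' -> (None, 2); '2.test.0' -> (2, 0): first token is the top-level anchor
    rule number, last token the rule inside it (one level, as in the post; assumption)."""
    parts = ref.split(".")
    return (int(parts[0]) if len(parts) > 1 else None), int(parts[-1])

def describe(anchor, rule):
    """Resolve an (anchor number, rule number) pair against the ruleset and flag
    pairs that cannot name a leaf filter rule."""
    if anchor is None:
        if rule in ANCHOR_NAME:
            return f"suspicious: top-level rule {rule} is anchor '{ANCHOR_NAME[rule]}', not a leaf rule"
        return f"top-level rule {rule}" if rule < TOP_LEVEL_RULES else f"inconsistent: no top-level rule {rule}"
    name = ANCHOR_NAME.get(anchor)
    if name is None:
        return f"inconsistent: top-level rule {anchor} is not an anchor"
    if rule < ANCHOR_RULES[name]:
        return f"anchor '{name}' rule {rule}"
    return (f"inconsistent: anchor '{name}' has {ANCHOR_RULES[name]} rule(s); "
            f"rule {rule} looks like top-level rule {rule}")

def audit_pflog(line):
    """Classify the rule reference in one pflog line; None if the line has none."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    return describe(*parse_pflog_ref(m.group("ref")))

def audit_state(line):
    """Classify the 'anchor N, rule M' or 'rule M' field of one pfctl -ss -vv line."""
    m = STATE_RE.search(line)
    if not m:
        return None
    anchor = int(m.group("anchor")) if m.group("anchor") else None
    return describe(anchor, int(m.group("rule")))
```

Run over the two pflog lines and two state lines from the post, the anchor-rule pair resolves cleanly while the ssh connection is flagged in both places.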
