On 10/13/06, Joe Gibbens <[EMAIL PROTECTED]> wrote:
> I'm guessing it's because the default state policy is floating. Just looking at the rules provided, the traffic should be able to pass through.
Funny you should mention that because this is what I initially thought (that at #2 traffic should pass). After reading up on state-policy and the 'if-bound' option I thought I understood its purpose. But then I realized that traffic would only flow out to the Host (and back) if I added this rule:

    pass out on vlan0 inet all flags S/SA keep state

I took a closer look at the states with 'pfctl -ss' and noticed that not only was there a state for the incoming direction on vlan1 but there was also a separate state for the outgoing direction on vlan0. I went back to Google to try to find more info on the 'state-policy' option. I found this (http://marc.theaimsgroup.com/?l=openbsd-pf&m=107329527517168&w=2) which kinda (I think) helped wrap my head around the whole concept.
> Try either pulling the "keep state" option, or setting the state policy to if-bound, and see what happens. So if it should be working now, why isn't it? For a sanity check, try opening the rules and pinging the host from the firewall.
The machine's at work, so I can't try right now, but I *believe* I tried using if-bound at some point during the test earlier and I don't remember that it changed anything (except when doing a 'pfctl -ss' where you could see that the state was now bound not to 'all', but to 'vlan1'). Come to think of it, I remember adding that rule I mention above in this e-mail with the state-policy set to 'if-bound' and I could see the same two states that I saw when the state-policy was set to 'floating'. In both cases two states were required to override the master 'block all' directive to traverse from vlan1 to vlan0. The only difference in the output of 'pfctl -ss' when looking at the states was whether they were bound to "all" or "vlan0" or "vlan1".

Man, I need "The Utterly Dumbass' Guide to pf" (with pretty pictures) 'cause my brain doesn't seem to be equipped to understand this concept clearly. :-)

-Martin

-- 
"Suburbia is where the developer bulldozes out the trees, then names the streets after them." --Bill Vaughan
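For readers following the thread, here is a pf.conf fragment that lays out the rule set the two posts are discussing: the 'block all' default, a keep-state rule in each direction, and the state-policy knob Joe suggested toggling. This is an added illustration, not configuration from the thread; the 'pass in on vlan1' rule, the interface names and the restriction to 'proto tcp' (flags only make sense for TCP) are assumptions about Martin's setup, and only the 'pass out on vlan0' rule comes from the post itself.

```pf
# Added illustration of the rule set described in the thread (assumed layout,
# not a copy of Martin's pf.conf). Interface names vlan0/vlan1 and the
# 'pass in' rule are assumptions.

# Global state policy for every 'keep state' rule below.
#   floating  (default): a state entry matches packets on any interface,
#                        shown as "all" in 'pfctl -ss' output
#   if-bound:            a state entry only matches on the interface it was
#                        created on, shown as "vlan0" / "vlan1" in 'pfctl -ss'
set state-policy floating
#set state-policy if-bound

# Default deny: anything that does not match a later pass rule is dropped.
block all

# Inbound from the vlan1 side (assumed): only the initial SYN creates a state,
# so replies are matched by the state rather than by a separate rule.
pass in on vlan1 inet proto tcp all flags S/SA keep state

# The rule Martin reported having to add before traffic reached the host on
# the vlan0 side; with it, 'pfctl -ss' shows a second state for the outbound
# direction on vlan0 in addition to the inbound state on vlan1.
pass out on vlan0 inet proto tcp all flags S/SA keep state
```

To compare the two policies, load the file with 'pfctl -f', generate one connection, and look at the interface column of 'pfctl -ss' before and after switching the commented 'set state-policy' line; the state entries themselves, not the pass rules, are what decide whether a packet on the other interface is allowed through.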