On 2/15/07, Tim Kuhlman <[EMAIL PROTECTED]> wrote:
So my ruleset has some problems. I took some time to work through my rules and
re-read the state tracking section of the pf faq (which by the way is well
done, thanks). I found what I think are a couple of problems, I needed to
have the flags S/SA so that it paid attention to the syn packet and for some
reason I had the state policy globally set to if-bound rather than floating.
When I change both of those a new problem appears: routing between my
internal network and DMZs doesn't work.
The syn packet goes through and appears to create state but the Syn/Ack packet
isn't let back through. I thought that if it created state one way it was
supposed to allow it back the other. Surely I am missing something simple.

Here is the state as it appears with the new rules from a "pfctl -vvss", I
also attached a tcpdump capture from both interfaces on the router.
Attachments are stripped by the listserv. Better to paste results in.

all tcp 10.10.10.150:49516 -> 10.11.0.5:80       ESTABLISHED:SYN_SENT
   [573330559 + 16385](+3517130307) wscale 2  [3039928992 + 5840](+146001125)
   wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts, 116:64 bytes, rule
   135 id: 45c74dc600234f51 creatorid: b3647a00

The router has 5 interfaces and 10 ip addresses associated with it so I will
spare you the full ruleset but here are the ones that are relevant. I copied
the rules as they are including the extra interfaces and such.
$DMZ_production_if is the 10.11.0.0/24 network
$int_if is the 10.10.8.0/21 network

table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }

pass in on { $int_if $vpn_if } proto {tcp udp icmp} from <int_net> to \
   { $DMZ_production_if:network, $DMZ_proto_if:network }

pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if \
   $DMZ_proto_if } proto {tcp udp icmp} flags S/SA modulate state

IMHO, it's confusing to cram as much logic as you are into this rule;
your traffic flows from one network to another follow distinct
directions and crossing of interfaces, yet you've got a bit of a
convoluted rule handling the 'pass out' for all of those flows on
different interfaces. For all I know, it might work fine, but just for
me it's confusing to piece it together and may be the cause of your
futz.

If you don't have traffic coming into your LAN from the DMZ, you could
simplify this by having simply a:

- pass in rule on your LAN interface allowing flows from the LAN into
the remote networks, with keep state and appropriate flags;
- pass out rule on your DMZ interface or whatever interfaces are
destinations from the LAN, with keep state and appropriate flags.

You need both; you need to have state built INBOUND on the INSIDE
interface so that return traffic out that interface passes statefully.
At the same time, you need state built OUTBOUND on the OUTSIDE
interface so that return traffic in that interface passes statefully.

Flavor as needed with similar, additional rules for connection flows
from the DMZ into the LAN or other networks, if any.

DS
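As an added illustration of the two-rule layout DS describes (not Tim's ruleset and not text from DS), here is a minimal pf.conf fragment for the LAN to DMZ flow only. The networks and the <int_net> table are taken from the post; the interface names em0/em1 are assumptions, and the udp/icmp rules are split from the tcp rules so that flags S/SA applies to TCP alone.

```pf
# Added example, not from the original thread. Interface names are assumed.
int_if = "em0"              # inside, carries 10.10.8.0/21
DMZ_production_if = "em1"   # DMZ, carries 10.11.0.0/24

table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }

# Tim reported switching the global policy from if-bound back to floating;
# floating is the default, stated here explicitly so the intent is visible.
set state-policy floating

block log all

# 1. State built INBOUND on the inside interface: the SYN arriving from the
#    LAN creates the entry, and the SYN/ACK heading back out $int_if to the
#    client matches that same entry.
pass in on $int_if proto tcp from <int_net> to $DMZ_production_if:network \
    flags S/SA keep state
pass in on $int_if proto { udp icmp } from <int_net> \
    to $DMZ_production_if:network keep state

# 2. State built OUTBOUND on the DMZ interface: the same SYN leaving toward
#    the server creates an entry there, and the SYN/ACK arriving in on
#    $DMZ_production_if matches it.
pass out on $DMZ_production_if proto tcp from <int_net> \
    to $DMZ_production_if:network flags S/SA keep state
pass out on $DMZ_production_if proto { udp icmp } from <int_net> \
    to $DMZ_production_if:network keep state
```

Syntax-check it with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -vvss` while opening a connection from the LAN: with both rules in place you should see the state move past SYN_SENT to ESTABLISHED:ESTABLISHED rather than stalling the way the entry quoted above does. Extra flows (DMZ into the LAN, the other DMZ, the VPN) get their own pass in / pass out pair in the same pattern, which keeps each direction readable on its own.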
