On Tue, Nov 03, 2009 at 02:49:36PM +0100, Paul de Weerd wrote:
> On Tue, Nov 03, 2009 at 03:32:29PM +0200, Alexander Shikoff wrote:
> | Hello!
> | 
> | I am seeing strange behavior from pf on my 4.6 box.
> | 
> | The filtering rules are present in pf.conf in the following order:
> | block in all
> | pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh
> | pass out quick on $ext_if
> | pass in quick on $ext_if no state
> | pass in  quick on vlan609 from vlan609:network  to any                  no state
> | pass out quick on vlan609 from any              to vlan609:network      no state
> | pass in  quick on vlan621 from 10.51.109.16/29  to any                  no state
> | pass out quick on vlan621 from any              to 10.51.109.16/29      no state queue to_Akim
> | pass in  quick on vlan621 from 10.51.109.40/29  to any                  no state
> | pass out quick on vlan621 from any              to 10.51.109.40/29      no state queue to_Gonta
> | pass in  quick on vlan622 from vlan622:network  to any                  no state
> | pass out quick on vlan622 from any              to vlan622:network      no state
> | pass in  quick on vlan664 from vlan664:network  to any                  no state
> | pass out quick on vlan664 from any              to vlan664:network      no state
> | pass in  quick on vlan781 from vlan781:network  to any                  no state
> | pass out quick on vlan781 from any              to vlan781:network      no state
> | pass in  quick on vlan783 from vlan783:network  to any                  no state
> | pass out quick on vlan783 from any              to vlan783:network      no state
> | 
> | 
> | 
> | But after they are loaded, pfctl -sr shows a different order:
> | block drop in all
> | pass in quick on vlan2 proto tcp from any to (vlan2) port = ssh flags S/SA keep state (if-bound)
> | pass out quick on vlan2 all flags S/SA keep state (if-bound)
> | pass in quick on vlan609 inet from 10.51.9.0/24 to any no state
> | pass in quick on vlan621 inet from 10.51.109.16/29 to any no state
> | pass in quick on vlan2 all no state
> | pass out quick on vlan609 inet from any to 10.51.9.0/24 no state
> | pass out quick on vlan621 inet from any to 10.51.109.16/29 no state queue to_Akim
> | pass in quick on vlan621 inet from 10.51.109.40/29 to any no state
> | pass out quick on vlan621 inet from any to 10.51.109.40/29 no state queue to_Gonta
> | pass in quick on vlan622 inet from 10.51.109.0/28 to any no state
> | pass in quick on vlan622 inet from 10.51.109.56/29 to any no state
> | pass in quick on vlan781 inet from 10.53.31.0/25 to any no state
> | pass in quick on vlan781 inet from 10.53.31.128/25 to any no state
> | pass in quick on vlan664 inet from 10.52.14.0/24 to any no state
> | pass in quick on vlan783 inet from 10.53.33.0/24 to any no state
> | pass out quick on vlan622 inet from any to 10.51.109.0/28 no state
> | pass out quick on vlan622 inet from any to 10.51.109.56/29 no state
> | pass out quick on vlan781 inet from any to 10.53.31.0/25 no state
> | pass out quick on vlan781 inet from any to 10.53.31.128/25 no state
> | pass out quick on vlan664 inet from any to 10.52.14.0/24 no state
> | pass out quick on vlan783 inet from any to 10.53.33.0/24 no state
> | 
> | Does anyone know how to disable this? Thanks in advance!
> 
> Why do you want to disable this ? And why are you using no state ?
> What you're seeing is the result of the ruleset optimizer. See 
> pf.conf(5) for more details and how to disable this. My suggestion is
> to *not* disable it though. What problem does the reordering give 
> you ? Maybe you want to look into antispoof and urpf too, while you're
> at it.
Oh, my fault. Thanks for the tip.
 
> And, really, why are you using 'no state' ?
Because I need queuing for outgoing traffic on vlan* interfaces.
When keep state is used then queues for outgoing traffic do not work.
 
> Paul 'WEiRD' de Weerd
> 
> -- 
> >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
>                  http://www.weirdnet.nl/                 

-- 
MINO-RIPE
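Paul's point is that the ruleset optimizer's reordering does not change what the ruleset does, and the thread's own two listings show why: every reordered rule is `quick` and selects on a different interface or network, so a given packet can match at most one of them, while the two overlapping vlan2 rules (ssh, then `all no state`) kept their relative order. The toy model below, added here and not code from the thread or from pf itself, replays pf's first-match-with-`quick` evaluation over a subset of the written and the `pfctl -sr` orders and checks that every constructed packet hits the same rule in both. It assumes `$ext_if` is vlan2 and expands `vlan609:network` to 10.51.9.0/24 as pfctl printed it; it models only direction, interface, protocol, addresses, destination port and `quick`, and ignores state, flags and queues. The packets are constructed, not captured traffic.

```python
"""Toy first-match-with-quick model of pf rule evaluation (added example, not pf code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    iface: str
    proto: str                  # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str
    iface: Optional[str] = None  # None: any interface
    quick: bool = False
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))


def evaluate(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """pf semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation at once. None means no rule matched."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return winner


def action(winner: Optional[Rule]) -> str:
    # pf's implicit default when nothing matches is pass.
    return "pass" if winner is None else winner.action


def decisions_agree(a: List[Rule], b: List[Rule], packets: List[Packet]) -> bool:
    """True if both orderings pick the same rule for every packet."""
    return all(evaluate(a, p) == evaluate(b, p) for p in packets)


# Subset of the thread's ruleset; $ext_if assumed to be vlan2, :network macros
# expanded as in the pfctl -sr output.
BLOCK_ALL = Rule("block", "in")
SSH_IN = Rule("pass", "in", "vlan2", quick=True, proto="tcp", dport=22)
EXT_OUT = Rule("pass", "out", "vlan2", quick=True)
EXT_IN = Rule("pass", "in", "vlan2", quick=True)
V609_IN = Rule("pass", "in", "vlan609", quick=True, src="10.51.9.0/24")
V609_OUT = Rule("pass", "out", "vlan609", quick=True, dst="10.51.9.0/24")
V621_IN = Rule("pass", "in", "vlan621", quick=True, src="10.51.109.16/29")
V621_OUT = Rule("pass", "out", "vlan621", quick=True, dst="10.51.109.16/29")

WRITTEN = [BLOCK_ALL, SSH_IN, EXT_OUT, EXT_IN, V609_IN, V609_OUT, V621_IN, V621_OUT]
OPTIMIZED = [BLOCK_ALL, SSH_IN, EXT_OUT, V609_IN, V621_IN, EXT_IN, V609_OUT, V621_OUT]

# Counterexample: two overlapping quick rules on the same interface. Swapping
# them changes the verdict for ssh, which is why an optimizer must keep such
# rules in their written order (as pf did for SSH_IN and EXT_IN above).
BLOCK_SSH = Rule("block", "in", "vlan2", quick=True, proto="tcp", dport=22)
SAFE = [BLOCK_SSH, EXT_IN]
SWAPPED = [EXT_IN, BLOCK_SSH]

# Constructed sample packets (documentation prefixes, not real traffic).
PACKETS = [
    Packet("in", "vlan2", "tcp", "198.51.100.7", "203.0.113.1", 22),   # ssh to the box
    Packet("in", "vlan2", "udp", "198.51.100.7", "203.0.113.1", 53),
    Packet("in", "vlan609", "tcp", "10.51.9.10", "10.51.109.17", 80),
    Packet("in", "vlan609", "tcp", "10.51.109.17", "10.51.9.10", 80),  # wrong source for vlan609
    Packet("out", "vlan621", "tcp", "10.51.9.10", "10.51.109.17", 80),
    Packet("in", "vlan621", "tcp", "10.51.109.17", "10.51.9.10", 80),
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p.direction, p.iface, p.src, "->", p.dst,
              "written:", action(evaluate(WRITTEN, p)),
              "optimized:", action(evaluate(OPTIMIZED, p)))
    print("orders agree:", decisions_agree(WRITTEN, OPTIMIZED, PACKETS))
    print("overlapping swap agrees:", decisions_agree(SAFE, SWAPPED, PACKETS))
```

The fourth packet shows the stateless `vlan609` rule doing its job in either order: a source outside 10.51.9.0/24 arriving on vlan609 matches nothing but `block in all`. If the reordering ever has to be switched off for debugging, pf.conf(5) documents `set ruleset-optimization none` and pfctl(8) the matching `-o none` override; `pfctl -nvf /etc/pf.conf` prints the rules as they will be loaded, which is the quickest way to confirm what the optimizer did.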