Hi,
I have a question in regard to binat behaviour on 4.7. I've tried with
either a match binat-to or a pass binat-to on the outside interface, and
it seems that whichever I use, with the proper pass rules for traffic,
the return packet from the server will be dropped unless I add another
explicit pass out rule on the inside interface. Here are the details of
the small lab (mail text continues after):
----------------------
- Outside network: 1.1.1.0/29
- Outside fw interface: em3
- Outside fw interface em3 IP: 1.1.1.2/29
- Outside fw interface carp5 IP: 1.1.1.4/29
- Inside interface: bnx0
- Inside net: 10.10.10.0/24
- Inside host: 10.10.10.21
# cat /etc/pf.conf
block in log all
match log on em3 from 10.10.10.21/32 binat-to 1.1.1.4/32
pass in log on em3 inet proto tcp from any to 10.10.10.21/32 port 22
pass in log on bnx0 all
# pfctl -s rules
block drop in log all
match out log on em3 inet from 10.10.10.21 to any nat-to 1.1.1.4 static-port
match in log on em3 inet from any to 1.1.1.4 rdr-to 10.10.10.21
pass in log on em3 inet proto tcp from any to 10.10.10.21 port = ssh flags S/SA keep state
pass in log on bnx0 all flags S/SA keep state
pflog:
19:43:11.223501 rule 3/(match) [uid 0, pid 27605] pass in on em3: 1.1.1.6.53461 > 1.1.1.4.22: S 1534876808:1534876808(0) win 5840 <mss 1460,sackOK,timestamp 3662674776[|tcp]> (DF) [tos 0x10] (ttl 64, id 42960, len 60)
19:43:11.223504 rule 2/(match) [uid 0, pid 27605] match in on em3: 1.1.1.6.53461 > 1.1.1.4.22: S 1534876808:1534876808(0) win 5840 <mss 1460,sackOK,timestamp 3662674776[|tcp]> (DF) [tos 0x10] (ttl 64, id 42960, len 60)
19:43:11.224893 rule 0/(match) [uid 0, pid 27605] block in on bnx0: 10.10.10.21.22 > 1.1.1.6.53461: S [tcp sum ok] 1703145349:1703145349(0) ack 1534876809 win 4128 <mss 1460> (DF) [tos 0x10] (ttl 255, id 47483, len 44)
19:43:13.228394 rule 0/(match) [uid 0, pid 27605] block in on bnx0: 10.10.10.21.22 > 1.1.1.6.53461: S [tcp sum ok] 1703145349:1703145349(0) ack 1534876809 win 4128 <mss 1460> (DF) (ttl 255, id 47483, len 44)
19:43:14.223262 rule 0/(match) [uid 0, pid 27605] block in on bnx0: 10.10.10.21.22 > 1.1.1.6.53461: . [tcp sum ok] 0:0(0) ack 1 win 4128 (DF) (ttl 255, id 47484, len 40)
# pfctl -s state
all pfsync 224.0.0.240 <- 10.10.250.3 NO_TRAFFIC:SINGLE
all pfsync 10.10.250.2 -> 224.0.0.240 SINGLE:NO_TRAFFIC
all tcp 10.10.10.21:22 (1.1.1.4:22) <- 1.1.1.6:53461 CLOSED:SYN_SENT
----------------------
If I change the pf.conf to the following, everything works:
block in log all
match log on em3 from 10.10.10.21/32 binat-to 1.1.1.4/32
pass in log on em3 inet proto tcp from any to 10.10.10.21/32 port 22
pass out log on bnx0 inet proto tcp from any to 10.10.10.21/32 port 22
pass in log on bnx0 all
Is it normal that I need the pass out on bnx0 to create all proper state
entries, or should the first pass in rule have created them all? Is
there a keyword to add to make it work properly on the first pass rule,
or am I missing something?
Thanks a lot!
Steve Johnson
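The pflog lines above carry "rule N/(match)" numbers that refer to the 0-based rule order printed by `pfctl -s rules` (rule 0 is the block, rule 2 the rdr-to match, rule 3 the pass in on em3). The script below is an added example, not part of the original message: it maps those numbers back to the rule text so a trace like the one in the post can be read without counting lines by hand, and counts how many logged packets hit a block rule. The RULES and PFLOG samples are constructed here, modelled on the post's output; the helper names rule_text, annotate and blocked_count are hypothetical.

```shell
#!/bin/sh
# Correlate pflog "rule N/(match)" numbers with the Nth (0-based) line of
# `pfctl -s rules`. Sample data is constructed for this example, modelled on
# the ruleset and trace in the post (one rule per line, no mail wrapping).
RULES='block drop in log all
match out log on em3 inet from 10.10.10.21 to any nat-to 1.1.1.4 static-port
match in log on em3 inet from any to 1.1.1.4 rdr-to 10.10.10.21
pass in log on em3 inet proto tcp from any to 10.10.10.21 port = ssh flags S/SA keep state
pass in log on bnx0 all flags S/SA keep state'

# Constructed pflog excerpt (tcpdump -n -e -ttt -i pflog0 style, trailing TCP
# options shortened): the inbound SYN passed on em3, the SYN-ACK blocked on bnx0.
PFLOG='19:43:11.223501 rule 3/(match) [uid 0, pid 27605] pass in on em3: 1.1.1.6.53461 > 1.1.1.4.22: S 1534876808:1534876808(0) win 5840
19:43:11.223504 rule 2/(match) [uid 0, pid 27605] match in on em3: 1.1.1.6.53461 > 1.1.1.4.22: S 1534876808:1534876808(0) win 5840
19:43:11.224893 rule 0/(match) [uid 0, pid 27605] block in on bnx0: 10.10.10.21.22 > 1.1.1.6.53461: S [tcp sum ok] 1703145349:1703145349(0) ack 1534876809 win 4128'

# rule_text N: print rule number N. pflog and `pfctl -s rules` both count
# from 0, so rule N is line N+1 of the ruleset listing.
rule_text() {
    printf '%s\n' "$RULES" | sed -n "$(( $1 + 1 ))p"
}

# annotate: for every pflog line that names a rule, print
# "rule N -> <rule text>" so the action and interface can be checked
# against the rule that actually fired.
annotate() {
    printf '%s\n' "$PFLOG" | while IFS= read -r line; do
        n=$(printf '%s\n' "$line" | sed -n 's/.*rule \([0-9][0-9]*\)\/.*/\1/p')
        [ -n "$n" ] || continue
        printf 'rule %s -> %s\n' "$n" "$(rule_text "$n")"
    done
}

# blocked_count: number of logged packets that matched a block rule,
# i.e. the packets a missing pass rule (or missing state) dropped.
blocked_count() {
    annotate | grep -c -e '-> block'
}

# Usage: prints one annotated line per logged packet.
annotate
```

Feed it real data by replacing the two constructed variables with `pfctl -s rules` and `tcpdump -n -e -ttt -r /var/log/pflog` output; the rule numbering convention is the same.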