Thread: pf misfeature

pf misfeature
2007-11-08 13:08:52
Given appropriate definitions for $eth and $lan, you'd expect the
following rule to simply pass all traffic originating from and destined
for the LAN:

  pass on $eth from $lan to $lan

However, in pf, "keep state" is *implicit* (why?), so you'd expect it to
turn into something like this:

  pass on $eth from $lan to $lan keep state

But what you actually get is this:

  pass on $eth from $lan to $lan flags S/SA keep state

which only matches TCP handshakes, so your UDP streams are screwed.

Workaround: explicitly specify TCP and UDP, causing pf to split the rule
into two:

  pass on $eth inet proto { tcp, udp } from $lan to $lan

becomes

  pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
  pass on $eth inet proto udp from $lan to $lan keep state

There does not seem to be any way to turn off this misguided rewriting
of firewall rules.

DES
-- 
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Re: pf misfeature
Germany
2007-11-08 13:43:22
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Given appropriate definitions for $eth and $lan, you'd expect the
> following rule to simply pass all traffic originating from and destined
> for the LAN:
>
>   pass on $eth from $lan to $lan
>
> However, in pf, "keep state" is *implicit* (why?), so you'd expect it
> to turn into something like this:
>
>   pass on $eth from $lan to $lan keep state
>
> But what you actually get is this:
>
>   pass on $eth from $lan to $lan flags S/SA keep state
>
> which only matches TCP handshakes, so your UDP streams are screwed.

I don't think this is true.  It will match any protocol, but if it is TCP
it will make sure it's the initial SYN.  This is necessary in order to
have the state tracking work with window scaling etc.

In my quick testing, ICMP and UDP both match the expanded rule.

> Workaround: explicitly specify TCP and UDP, causing pf to split the
> rule into two:
>
>   pass on $eth inet proto { tcp, udp } from $lan to $lan
>
> becomes
>
>   pass on $eth inet proto tcp from $lan to $lan flags S/SA keep state
>   pass on $eth inet proto udp from $lan to $lan keep state
>
> There does not seem to be any way to turn off this misguided rewriting
> of firewall rules.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Re: pf misfeature
Netherlands
2007-11-08 13:50:13
On Thu, Nov 08, 2007 at 08:08:52PM +0100, Dag-Erling Smørgrav wrote:
> Given appropriate definitions for $eth and $lan, you'd expect the
> following rule to simply pass all traffic originating from and destined
> for the LAN:
> 
>   pass on $eth from $lan to $lan
> 
> However, in pf, "keep state" is *implicit* (why?), so you'd expect it to
> turn into something like this:

I think this was turned on in OpenBSD as of 4.0.  Default keep state.

To negate this behaviour in OpenBSD pf you can add "no state":

pass on $eth from $lan to $lan no state

I'm not sure if this also works on FreeBSD.

Regards

-- 
Microsoft: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
OpenBSD: Hey guys you left some holes out there!

Re: pf misfeature
2007-11-08 14:18:33
Max Laier <max@love2party.net> writes:
> On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
>> But what you actually get is this:
>>
>>   pass on $eth from $lan to $lan flags S/SA keep state
>>
>> which only matches TCP handshakes, so your UDP streams are screwed.
> I don't think this is true.

With "pass on $eth from $lan to $lan", NFS doesn't work.  With "pass on
$eth inet proto { tcp, udp } from $lan to $lan", it does.

DES

Re: pf misfeature
Germany
2007-11-08 14:39:44
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <max@love2party.net> writes:
> > On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> >> But what you actually get is this:
> >>
> >>   pass on $eth from $lan to $lan flags S/SA keep state
> >>
> >> which only matches TCP handshakes, so your UDP streams are screwed.
> >
> > I don't think this is true.
>
> With "pass on $eth from $lan to $lan", NFS doesn't work.  With "pass on
> $eth inet proto { tcp, udp } from $lan to $lan", it does.

Works for me.  I can NFS over UDP in both directions with the following
rules (expanded):

block drop log all
pass log on bge0 from (bge0:network) to (bge0:network) flags S/SA keep state

Re: pf misfeature
Germany
2007-11-08 15:59:35
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <max@love2party.net> writes:
> > On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> >> But what you actually get is this:
> >>
> >>   pass on $eth from $lan to $lan flags S/SA keep state
> >>
> >> which only matches TCP handshakes, so your UDP streams are screwed.
> >
> > I don't think this is true.
>
> With "pass on $eth from $lan to $lan", NFS doesn't work.  With "pass on
> $eth inet proto { tcp, udp } from $lan to $lan", it does.

Thinking about it, this could be a strange interaction with skip steps.
Could you provide "pfctl -gvsr" with either rule(s)?  In private mail if
you prefer.

Re: pf misfeature
2007-11-08 16:34:14
Max Laier <max@love2party.net> writes:
> On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> > With "pass on $eth from $lan to $lan", NFS doesn't work.  With "pass on
> > $eth inet proto { tcp, udp } from $lan to $lan", it does.
> Thinking about it, this could be a strange interaction with skip
> steps.  Could you provide "pfctl -gvsr" with either rule(s)?  In
> private mail if you prefer.

With (NFS works):

0 block return quick inet6 all
  [ Skip steps: i=3 d=3 p=2 sa=4 sp=end da=3 dp=3 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 143       Packets: 0         Bytes: 0           States: 0     ]
1 block return log all
  [ Skip steps: i=3 d=3 sa=4 sp=end da=3 dp=3 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 143       Packets: 0         Bytes: 0           States: 0     ]
2 pass inet proto icmp all icmp-type echoreq keep state
  [ Skip steps: f=end sa=4 sp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 143       Packets: 0         Bytes: 0           States: 0     ]
3 pass in on sk0 inet proto tcp from any to (sk0:1) port = ssh flags S/SA keep state
  [ Skip steps: i=end f=end p=5 sp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 143       Packets: 0         Bytes: 0           States: 0     ]
4 pass on sk0 inet proto tcp from (sk0:network:1) to (sk0:network:1) flags S/SA keep state
  [ Skip steps: i=end d=6 f=end sa=6 sp=end da=6 dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 61        Packets: 1386      Bytes: 158934      States: 2     ]
5 pass on sk0 inet proto udp from (sk0:network:1) to (sk0:network:1) keep state
  [ Skip steps: i=end f=end sp=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 143       Packets: 267       Bytes: 47931       States: 3     ]
6 pass out on sk0 inet proto tcp from (sk0:1) to ! (sk0:network:1) flags S/SA keep state
  [ Skip steps: i=end d=end f=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 143       Packets: 0         Bytes: 0           States: 0     ]
7 pass out on sk0 inet proto udp from (sk0:1) to ! (sk0:network:1) keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 52        Packets: 0         Bytes: 0           States: 0     ]

Without (NFS doesn't work):

0 block return quick inet6 all
  [ Skip steps: i=3 d=3 p=2 sa=4 sp=end da=3 dp=3 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 18        Packets: 0         Bytes: 0           States: 0     ]
1 block return log all
  [ Skip steps: i=3 d=3 sa=4 sp=end da=3 dp=3 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 18        Packets: 4         Bytes: 5784        States: 0     ]
2 pass inet proto icmp all icmp-type echoreq keep state
  [ Skip steps: f=4 sa=4 sp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 18        Packets: 0         Bytes: 0           States: 0     ]
3 pass in on sk0 inet proto tcp from any to (sk0:1) port = ssh flags S/SA keep state
  [ Skip steps: i=end sp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 18        Packets: 69        Bytes: 9760        States: 1     ]
4 pass on sk0 from (sk0:network:1) to (sk0:network:1) flags S/SA keep state
  [ Skip steps: i=end f=end p=end sp=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 18        Packets: 30        Bytes: 3443        States: 13    ]
5 pass out on sk0 from (sk0:1) to ! (sk0:network:1) flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 18        Packets: 0         Bytes: 0           States: 0     ]

DES

Re: pf misfeature
Germany
2007-11-08 17:59:46
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <max@love2party.net> writes:
> > On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> > > With "pass on $eth from $lan to $lan", NFS doesn't work.  With "pass on
> > > $eth inet proto { tcp, udp } from $lan to $lan", it does.
> > Thinking about it, this could be a strange interaction with skip
> > steps.  Could you provide "pfctl -gvsr" with either rule(s)?  In
> > private mail if you prefer.
> 
> [pfctl -gvsr output for both rulesets, quoted verbatim from the previous message]

No, I don't see why these two should behave differently, but you should
add a "scrub in on sk0" in any case.

Daniel, do you spot anything strange with these skip steps (or otherwise)?

Re: pf misfeature
2007-11-09 05:20:33
Max Laier <max@love2party.net> writes:
> No, I don't see why these two should behave differently, but you should
> add a "scrub in on sk0" in any case.

Scrub is known and documented to interfere with NFS.

DES

Re: pf misfeature
Germany
2007-11-09 10:47:27
On Friday 09 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <max@love2party.net> writes:
> > No, I don't see why these two should behave differently, but you
> > should add a "scrub in on sk0" in any case.
>
> Scrub is known and documented to interfere with NFS.

Only with broken NFS clients, and even then a combination of the "no-df"
and "random-id" parameters can be used to make them work, too.  Without
reassembly stateful filtering is impossible (though this still doesn't
explain why an explicit "udp keep state" rule would work).

Re: pf misfeature
Switzerland
2007-11-12 09:33:18
On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:

> Daniel, do you spot anything strange with these skip steps (or otherwise)?

The problem is the lack of IP reassembly in this configuration.

In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is skipped.

Generally, stateful filtering _requires_ IP reassembly. As long as no
fragmentation occurs, it works even without reassembly. I suspect your
UDP NFS traffic is fragmented.

Try adding

  scrub in on $if all fragment reassemble

at the top.

Daniel
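To make the diagnosis in this thread concrete, here is an added Python model (not pf's own code, and not from any of the posters) of the three behaviours the thread establishes: the implicit "keep state" that also adds "flags S/SA" to rules not restricted to a non-TCP protocol, flag checks applying only to TCP packets, and pf_test_fragment() skipping any rule that carries a flag set unless "scrub ... fragment reassemble" has reassembled the datagram first. The parser handles only the subset of pf.conf syntax used in the rulesets above; the rulesets, packets and the scrub switch are constructed for the example, and a "no state" rule is left unexpanded as the OpenBSD post describes.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str             # "pass" or "block"
    proto: Optional[str]    # None matches any protocol
    flags: Optional[str]    # "S/SA" or None (no TCP flag check)

class Packet(NamedTuple):
    proto: str              # "tcp", "udp" or "icmp"
    tcp_flags: str = ""     # TCP flag letters set, e.g. "S" for a bare SYN
    fragment: bool = False  # IP fragment: MF set or fragment offset > 0

def expand(line: str) -> str:
    """Implicit 'keep state' as observed in the thread: a pass rule with no state
    option gets 'keep state' plus 'flags S/SA' unless it names a non-TCP proto."""
    toks = line.split()
    if toks[0] != "pass" or "state" in toks:
        return line
    proto = toks[toks.index("proto") + 1] if "proto" in toks else None
    if proto in (None, "tcp") and "flags" not in toks:
        line += " flags S/SA"
    return line + " keep state"

def parse(line: str) -> Rule:
    toks = expand(line).split()
    after = lambda k: toks[toks.index(k) + 1] if k in toks else None
    return Rule(toks[0], after("proto"), after("flags"))

def matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.fragment and rule.flags:
        return False        # pf_test_fragment(): rules with a flag set are skipped
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.flags == "S/SA" and pkt.proto == "tcp":
        # Only the initial SYN may create state: S set and A clear.
        return "S" in pkt.tcp_flags and "A" not in pkt.tcp_flags
    return True             # flags are not checked for non-TCP packets

def evaluate(rules, pkt: Packet, scrub_reassemble: bool = False) -> str:
    """Last matching rule wins ('quick' is not modelled). With 'scrub ... fragment
    reassemble' the datagram reaches the rules whole instead of as fragments."""
    if scrub_reassemble:
        pkt = pkt._replace(fragment=False)
    verdict = "pass"        # pf's default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
    return verdict

# Constructed rulesets mirroring the two pfctl dumps above (addresses elided).
WITHOUT = [parse(r) for r in ("block return log all", "pass on sk0 from lan to lan")]
WITH = [parse(r) for r in ("block return log all",
                           "pass on sk0 inet proto tcp from lan to lan",
                           "pass on sk0 inet proto udp from lan to lan")]
```

A fragmented UDP datagram evaluates to "block" under WITHOUT, to "pass" under WITH, and to "pass" under WITHOUT once scrub_reassemble is set, which is exactly the difference the thread was chasing.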

Re: pf misfeature
Germany
2007-11-12 21:00:50
On Monday 12 November 2007, Daniel Hartmeier wrote:
> On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:
> > Daniel, do you spot anything strange with these skip steps (or
> > otherwise)?
>
> The problem is the lack of IP reassembly in this configuration.
>
> In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is
> skipped.

Ah, I missed that one.  Wouldn't it make sense to conditionalize these
tests on the protocol?  The attached can probably be optimized, but you
get the general idea.  It seems wrong that an explicit udp-rule behaves
differently than an implied one.

> Generally, stateful filtering _requires_ IP reassembly. As long as no
> fragmentation occurs, it works even without reassembly. I suspect your
> UDP NFS traffic is fragmented.
>
> Try adding
>
>   scrub in on $if all fragment reassemble
>
> at the top.