Thread: how to confirm I am gaining advantage from floating state-policy
Estonia
2007-07-28 17:34:53
Hello!

I am in the middle of re-reading my firewall's pf rules and trying to set them up more like OpenBSD's way, but it seems that I can't figure out on my own the meaning of state-policy, though I have read the manual several times and have also searched the list archive.

In a test environment I have the following setup of three boxes, with OpenBSD in the middle as router:

10.0.99.2 <----> 10.0.99.1 (nfe0) PF 192.168.1.102 (rl0) <----> 192.168.1.254

First, let's start with the if-bound state-policy; pf.conf goes like this:

set state-policy if-bound
block all
pass in quick on rl0
pass out quick on nfe0

I verified that I can connect successfully from right to left, i.e.

192.168.1.254# ssh root@10.0.99.2

and at the same time two state entries appear, whose existence I can confirm from the output of pfctl -ss:

rl0 tcp 10.0.99.2:22 <- 192.168.1.254:37848       ESTABLISHED:ESTABLISHED
nfe0 tcp 192.168.1.254:37848 -> 10.0.99.2:22       ESTABLISHED:ESTABLISHED

# pfctl -sa | grep -i "current entries" says
current entries 2

Secondly, leaving the set state-policy line out, i.e. effectively setting it to floating, I see these two states:

all tcp 10.0.99.2:22 <- 192.168.1.254:22290       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.254:22290 -> 10.0.99.2:22       ESTABLISHED:ESTABLISHED

pftop -a -b also shows two lines in both cases, similar to this:

tcp I 192.168.1.254:3203 10.0.99.2:22 4:4 1 86399 5 311
tcp O 192.168.1.254:3203 10.0.99.2:22 4:4 1 86399 5 311

And lastly, I tried to leave the last pass out line out while using the floating state-policy, and I can't connect any more.

The manual says about these two policies:

    * if-bound - states are bound to the interface they're created on.
      If traffic matches a state table entry but is not crossing the
      interface recorded in that state entry, the match is rejected. The
      packet must then match a filter rule or will be dropped/rejected
      altogether.
    * floating - states can match packets on any interface. As long as
      the packet matches a state entry and is passing in the same
      direction as it was on the interface when the state was created,
      it does not matter what interface it's crossing, it will pass.

Obviously I must be using the floating state-policy feature incorrectly, since in both cases I have the same number of rules and states, but from the manual I have the impression that with the floating policy the pf ruleset gets simplified.

I would be most thankful if somebody could give me an example, in the light (or should I say darkness) of my tests, of how using different state-policies makes a difference in arranging rules and also in the number of states.

And also, is it correct to think of states as associated with a specific interface, or with the kernel in general?


Best regards,

Imre Oolberg
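As an added illustration for this thread (written by the editor, not code from the poster or from pf itself), the following Python model encodes the two policy rules quoted from the manual above and replays the poster's SSH connection through it. One assumption beyond the quoted text is built in: a state entry also matches the reply packets of its flow travelling the opposite way on the same interface, which is how a stateful `pass in` rule lets answers back out at all. Hosts, interfaces and the ruleset are taken from the post; the final "stray" packet (the connection's forward packet showing up on nfe0 in the in direction, as after a route change) is a constructed case that shows where the two policies actually diverge.

```python
"""Toy model of pf state-table lookup under `set state-policy if-bound`
versus `floating`.  Added example for the mailing-list thread above; it is
not pf source code.  It implements the two manual rules quoted in the post
plus one assumption: a state also matches the reply packets of its flow,
travelling the other way (normal stateful-firewall behaviour)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is crossing
    direction: str   # "in" or "out", relative to the firewall
    src: str
    dst: str


@dataclass(frozen=True)
class State:
    iface: str       # interface the state was created on
    direction: str   # direction of the packet that created it
    src: str         # src/dst of the creating packet
    dst: str

    def matches(self, pkt: Packet, policy: str) -> bool:
        # if-bound: a state only applies on the interface it was created on.
        if policy == "if-bound" and pkt.iface != self.iface:
            return False
        # floating (or same interface): the packet must travel the same way
        # the creating packet did, with the same endpoints ...
        if pkt.direction == self.direction:
            return (pkt.src, pkt.dst) == (self.src, self.dst)
        # ... or be the reply to it, going the other way (assumption).
        return (pkt.src, pkt.dst) == (self.dst, self.src)


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: Optional[str] = None  # None = any direction ("block all")
    iface: Optional[str] = None      # None = any interface
    quick: bool = False

    def applies(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.iface in (None, pkt.iface))


def filter_packets(policy: str, rules: List[Rule],
                   packets: List[Packet]) -> Tuple[List[str], List[State]]:
    """Run packets through the ruleset; return (verdict per packet, states).

    State lookup happens before rule evaluation.  Rules use pf semantics:
    the last matching rule wins unless a matching rule is `quick`; every
    pass rule keeps state, as in the poster's ruleset."""
    states: List[State] = []
    verdicts: List[str] = []
    for pkt in packets:
        if any(s.matches(pkt, policy) for s in states):
            verdicts.append("pass (state)")
            continue
        matched = None
        for rule in rules:
            if rule.applies(pkt):
                matched = rule
                if rule.quick:
                    break
        if matched is None:
            verdicts.append("pass (default)")  # pf passes when no rule matches
            continue
        if matched.action == "pass":
            states.append(State(pkt.iface, pkt.direction, pkt.src, pkt.dst))
        verdicts.append(f"{matched.action} (rule)")
    return verdicts, states


# The poster's ruleset: block all; pass in quick on rl0; pass out quick on nfe0
RULESET = [
    Rule("block"),
    Rule("pass", "in", "rl0", quick=True),
    Rule("pass", "out", "nfe0", quick=True),
]

# Constructed packet trace of the poster's ssh from 192.168.1.254 to 10.0.99.2
CLIENT, SERVER = "192.168.1.254:37848", "10.0.99.2:22"
SSH_FLOW = [
    Packet("rl0", "in", CLIENT, SERVER),    # SYN enters on rl0
    Packet("nfe0", "out", CLIENT, SERVER),  # same SYN leaves on nfe0
    Packet("nfe0", "in", SERVER, CLIENT),   # SYN/ACK enters on nfe0
    Packet("rl0", "out", SERVER, CLIENT),   # SYN/ACK leaves on rl0
    Packet("rl0", "in", CLIENT, SERVER),    # ACK, now matched by state
]


def run_posters_test(policy: str, with_pass_out: bool = True):
    rules = RULESET if with_pass_out else RULESET[:2]
    return filter_packets(policy, rules, SSH_FLOW)


def stray_packet_verdict(policy: str) -> str:
    """Verdict for the flow's forward packet entering on nfe0 instead of rl0
    (hypothetical asymmetric route) after the connection was set up."""
    stray = Packet("nfe0", "in", CLIENT, SERVER)
    verdicts, _ = filter_packets(policy, RULESET, SSH_FLOW + [stray])
    return verdicts[-1]


if __name__ == "__main__":
    for policy in ("if-bound", "floating"):
        verdicts, states = run_posters_test(policy)
        print(policy, verdicts, len(states), "states")
    print("floating without pass out:", run_posters_test("floating", False)[0])
    for policy in ("if-bound", "floating"):
        print("stray forward packet on nfe0,", policy, "->",
              stray_packet_verdict(policy))
```

Running it reproduces the three observations from the post: with both pass rules present, every packet passes and exactly two states exist under either policy, because each state is created by one side's rule and only ever covers that side's direction pair, so floating cannot reduce the count here; without the `pass out` rule the forwarded SYN leaving nfe0 matches neither state (it travels the opposite direction to the rl0 state and is not a reply) and the `block all` rule drops it, floating or not. The policies only diverge in the constructed last case, where the same flow's forward packet arrives on a different interface: floating accepts it from the rl0 state, if-bound rejects the match and falls back to the ruleset.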

