On Wednesday 14 February 2007 1:29 pm, Stuart Henderson wrote:

quoted text
> On 2007/02/14 11:47, Tim Kuhlman wrote:

> > So what is happening? It seems to me that either pf is broken or his

> > linux kernel is broken and pf is catching it. Any ideas as to which is

> > the cause?

>

> Ruleset more likely. If you post it, people can make suggestions.

> Might be useful to capture a SYN with tcpdump and post any state entries

> relating to it, too (the relevant parts of pfctl -ss -v).

So my ruleset has some problems. I took some time to work through my rules and

re-read the state tracking section of the pf faq (which by the way is well

done, thanks). I found what I think are a couple of problems, I needed to

have the flags S/SA so that it paid attention to the syn packet and for some

reason I had the state policy globally set to if-bound rather than floating.

When I change both of those a new problem appears, routing between my

internal network and DMZ's doesn't work. 
The syn packet goes through and appears to create state but the Syn/Ack packet

isn't let back through. I thought that was it created state one way it was

supposed to allow it back the other. Surely I am missing something simple.
Here is the state as it appears with the new rules from a "pfctl -vvss", I

also attached a tcpdump capture from both interfaces on the router.
all tcp 10.10.10.150:49516 -> 10.11.0.5:80       ESTABLISHED:SYN_SENT

   [573330559 + 16385](+3517130307) wscale 2  [3039928992 + 5840](+146001125)

   wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts, 116:64 bytes, rule

   135 id: 45c74dc600234f51 creatorid: b3647a00
The router has 5 interfaces and 10 ip addresses associated with it so I will

spare you the full ruleset but here are the ones that are relevant. I copied

the rules as they are including the extra interfaces and such.

$DMZ_production_if is the 10.11.0.0/24 network

$int_if is the 10.10.8.0/21 network
table  const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }
pass in on { $int_if $vpn_if } proto {tcp udp icmp} from  to \

   { $DMZ_production_if:network, $DMZ_proto_if:network }
pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if

$DMZ_proto_if } proto \

   {tcp udp icmp} flags S/SA modulate state
Thanks again.

--

Tim Kuhlman

Network Administrator

ColoradoVnet.com
[demime 1.01d removed an attachment of type application/octet-stream which had a name of dmz_production_if-side]
[demime 1.01d removed an attachment of type application/octet-stream which had a name of int_if-side]