Re: Problem with state and PF on a 4.3 setup

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Stuart Henderson <stu@...>

To: <misc@...>

Subject: Re: Problem with state and PF on a 4.3 setup

Date: Thursday, May 8, 2008 - 8:18 am

On 2008-05-08, Otto Moerbeek <otto@drijf.net> wrote:
quoted text> On Thu, May 08, 2008 at 07:23:41AM -0400, Steve Johnson wrote:
>
>> Thanks for the information. This is the first time that I've used PF as a 
>> router based firewall and not with NAT. I didn't know that the state was on 
>> a per interface basis, and not global to the system. So this means that 
>> unless I want to allow all outbound traffic from my firewall, I need to 
>> have a matching pass out rule for all the pass in rules for which I want to 
>> restrict the inbound interface (ie for which I don't want to put just pass 
>> for)?
>
> No, states are by default global and not tied to an interface. See man
> pf.conf. 

But they are sensitive to direction; if you keep state for a new incoming
session on an interface, you:

1. *do* pass _return_ traffic associated with that connection,
2. *do not* pass the incoming traffic that created the state (or any
following incoming traffic from the same connection) out of another
interface to send to another machine

For 2. you can either pass the outbound traffic separately, or you
can tag the inbound traffic and pass outbound traffic that has been
tagged.

...
quoted text>> The reason I need quick, especially on a few of these rules, is that the
>> firewall will be establishing 3 to 6 thousand new sessions per second

You should read this set of articles:
http://undeadly.org/cgi?action=article&sid=20060927091645

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: Problem with state and PF on a 4.3 setup, Stuart Henderson, (Thu May 8, 8:18 am)

Re: Problem with state and PF on a 4.3 setup, Steve Johnson, (Thu May 8, 8:50 am)

Re: Problem with state and PF on a 4.3 setup, Henning Brauer, (Thu May 8, 9:21 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Greg Kroah-Hartman	[PATCH 001/196] Chinese: Add the known_regression URI to the HOWTO
jmerkey	[ANNOUNCE] mdb: Merkey's Linux Kernel Debugger 2.6.27-rc4 released
Christoph Lameter	[04/14] vcompound: Core piece
Andrew Morton	Re: 2.6.21-rc2-mm1
git:
Stephen R. van den Berg	Re: Git vs Monotone
Ken Pratt	pack operation is thrashing my server
Barry Fishman	Problems setting up bare repository (git 1.5.3.3)
Francis Moreau	What about git cp ?
openbsd-misc:
David Newman	setting dscp or tos bits
Peter	OpenBSD as Virtualbox guest
Iñigo	Re: Real men don't attack straw men
Richard Daemon	OpenBSD 4.3 running in VirtualBox? Anyone have it working properly?
linux-fsdevel:
Christoph Hellwig	Re: silent semantic changes with reiser4
Jens Axboe	[PATCH][RFC] fast file mapping for loop
Al Boldi	Re: [RFD] Incremental fsck
Eric Sandeen	Re: [RFC] Heads up on sys_fallocate()

Latest forum posts


trouble with my Asus Mainboard	5 hours ago	Linux kernel
windows folder creation surprise	8 hours ago	Windows
Random kernel panic with PPP in 2.6.16.26 kernel	8 hours ago	Linux kernel
sata/ide timeout errors on asus server-mb	12 hours ago	Linux kernel
Resetting the bios password for Toshiba Laptop	16 hours ago	Hardware
Testing for EXT3 filesystem corruption	1 day ago	Linux kernel
Easter Eggs in windows XP	1 day ago	Windows
The state of Linux audio	2 days ago	Linux kernel
reading and writing to configuration register of PCI device	2 days ago	Linux kernel
[HFSX] how to read HFSX partion label	2 days ago	Linux general

Show all forums...

Colocation donated by:

Online users

Syndicate