[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf, nat and implicit state

To: Luis Cerdas <luis.cerdas@rawtenla.com>
Subject: Re: pf, nat and implicit state
From: Daniel Hartmeier <daniel@benzedrine.cx>
Date: Fri, 15 Mar 2002 21:28:34 +0100
Cc: misc@openbsd.org
Content-Disposition: inline
References: <B8B7B0F9.1AB3%luis.cerdas@rawten.net>
User-Agent: Mutt/1.2.5.1i

On Fri, Mar 15, 2002 at 02:08:57PM -0600, Luis Cerdas wrote:

> TCP  a.b.c.d:110 -> 192.168.20.39:49742       FIN_WAIT_2:FIN_WAIT_2
> TCP  192.168.20.39:49742 -> x.x.x.x:54642 -> a.b.c.d:110
> FIN_WAIT_2:FIN_WAIT_2
> 
> where a.b.c.d is a public, routable address and x.x.x.x is the IP we
> masquerade as (using NAT).
> 
> The rules do block everything coming in on the external if, and explicitly
> keep state on all allowed outgoing packets.
> 
> Is it necessary to add the 'keep state' option on outgoing packets, or does
> adding keep state to rules in pf.conf make the box keep double entries for
> the same connections, as those shown above??

It seems you're unintentionally creating state on the internal interface
as well, and the direction (->) indicates that it wasn't the inital SYN
packet that created state, but a reply from the external host.

Check your 'keep state' rules. Does one apply to the internal interface?
With 'flags S/SA' you can restrict rules to match only the initial SYN
packet.

Using 'keep state' on the rule that passes NATed connections is fine,
that's not the reason you get two state entries.

There's nothing wrong with creating two states, either, if you're doing
it intentionally (when you want to filter on both interfaces).

Daniel

References:
- pf, nat and implicit state
  - From: Luis Cerdas <luis.cerdas@rawtenla.com>

Prev by Date: Re: insecurity messages
Next by Date: Re: Courier build problems
Prev by thread: pf, nat and implicit state
Next by thread: -Stable Scope Question
Index(es):
- Date
- Thread