Re: Trying to understand stateful npf

To: Stephen Borrill <netbsd%precedence.co.uk@localhost>, tech-net%NetBSD.org@localhost
Subject: Re: Trying to understand stateful npf
From: Hauke Fath <hf%spg.tu-darmstadt.de@localhost>
Date: Tue, 16 Oct 2018 15:57:30 +0200

On 10/12/18 17:10, Stephen Borrill wrote:

I'm trying to configure a ruleset to filter traffic bound for theoutside world and also allow an incoming port map. The ruleset can beseen below. I would expect that the "pass stateful out" on the internalinterface would have allowed the packets back in past the "block in all"from 10.10.0.2 when replying. However, it does not.


While ipfilter has (interface-)global state, npf and pf do not.

My pf setup has this comment


# (3) pf does not support global state
# Even with 'state-policy floating', pf does not set up global state.
# For every packet that you allow in on an interface and set state for,
# there needs to be a corresponding rule on the interface where the
# packet is supposed to leave the router. I.e. state is interface local.


and this general rule


# XXX Assume that we check all packets' destination on the incoming
# interfaces - this emulates ipfilter's global state.
pass out all flags S/SA keep state

I guess this could be translated to npf (especially in the light of itssevere rule-set size limitation).


HTH,
hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email	        Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344

References:
- Trying to understand stateful npf
  - From: Stephen Borrill

Prev by Date: Re: NPF ruleset limit in -7?
Next by Date: Concurrent trie-hash map
Previous by Thread: Re: Trying to understand stateful npf
Next by Thread: NPF ruleset limit in -7?
Indexes:

Home | Main Index | Thread Index | Old Index