View Single Post
Old 14th April 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

This is an attempt to describe the problem. Please keep in mind that I am focusing only on the internal interface:

The client initiates a connection, for example a DNS request to a nameserver. The destination port is port 53, the default port for DNS/domain. The source port is one randomly chosen above port 1023, say port 40000. So we have

Code:
client:40000 --> nameserver:53
pf sees this request and creates a state for this connection . That way it will automatically pass out the answer (internal interface) to the client :
Code:
nameserver:53 --> client:40000
The problem is that upon seeing the answer packet from the name server, pf will first consult the state table. In this case if finds a state, and allows the packet in, without evaluating the rule set at all. And thus will/can not assign the reply packet to a queue.

The suggestion to use "match" instead of "pass" is an attempt to decouple the queuing from the state creation logic.

BTW both the pass and now the match rules are not correct. They don't match the reply packets
Code:
Match Out em1 udp 0 0 0 inet from any to any port = domain  queue i_dns
This matches the incoming request
Code:
23:43:06.134763 192.168.222.20.41004 > 192.168.222.10.53: 
58162+ A? www.daemonforums.org. (38)
The reply uses port 53 as source port:
Code:
23:43:06.135727 192.168.222.10.53 > 192.168.222.20.41004:
 58162 1/0/0 A 94.142.245.224 (54)
So to queue the reply, this particular rule should be changed from
Code:
inet from any to any port = domain  queue i_dns
to
Code:
inet from any port = domain to any queue i_dns
I cannot test it here at this moment, but I am afraid you will have to use "no state" on the rules for the internal interface.
And the match rules need to moved up, so they will be evaluated before the stateless pass rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote