7th February 2010
Redrobes

I'm not using PPPoE.

Thanks for suggesting some rules. It's interesting to see what you have here.

You say I am not allowing any out on 53, but I thought I was allowing all stuff out of the ext interface. I need to serve DNS requests from the inside to external, but I am not running a DNS server visible to the outside. I can do DNS to a DNS server like OpenDNS. Again with the ntp. I think I might want to use an ntp server but not be an ntp server. Because UDP is connectionless, maybe I need to open the UDP ntp port.

With the tag OUT_ok you seem to be suggesting that there's some optimization in setting those packets with a tag and passing them quick with the tag set. I thought that with PF being a stateful filter, as soon as you have a connection made and it's in the state block, PF would automatically use those rules for that connection until it was closed. Again, not sure what happens with UDP tho. So is this what you had in mind? Why do you think it's better with the tag OUT_ok?

So with this rfc thing. In post #4 you said that the only reason it could be happening on my system is that I must not have the keep state bit set for the first packet, but we know that it's applying the flags S/SA and keep state. So I can't figure this out. This window scaling seems to be saying that on the first SYN request it passes 3 bytes saying what kind of scaling we allow, and the initiator seems to set the scaling. Then the server is supposed to ack that syn, presumably setting what scaling it can accept, and from then on you're all right and use whatever you both agree on. So my guess is that by turning it off we say "no, we don't do scaling", the other side says "fine by me", and it's all right. If we say "yes, we do scaling" and they ack with "yes, so do we", but that's from some kind of transparent proxy handling the Syn/Syn Ack and in reality a machine behind it does not, then those packets are going to be forwarded to a machine that chokes on them for being the wrong size. That's the best guess as to what I think is going on in this case. The forum message that you're linking to in the other page seems more like the other way around, where a new Vista machine says it can do scaling but the firewall can't if running old PF, where you need to specify that it's the SYN packet which will drive the state. Presumably that has to be done on the internal interface tho. The PF advice is to do that on all interfaces, so that's why it's defaulted now. I still don't really get it tho. Just seems to me that with v4.6 it should have worked ok with the scaling extension switched on.

Another thing I am unsure about. You have pass in quick on $INT inet... but there does not seem to be any pass in $EXT except for the SSH. How does any traffic get to the web server? Or how does non port 80/443 traffic get out? Say mail or ftp, etc.?

It looks to me like your general strategy is to pass selectively on the internal in interface and rely on the stateful / tag mechanism to hold the line open, whereas mine does it on the external in interface, allowing all internal traffic out, which opens up the state for the line. Is this a correct assessment?
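The questions in the post above (allowing DNS and NTP as a client only, the role of the OUT_ok tag, and passing selectively on the internal interface versus the external one) are illustrated below with an added pf.conf example. It is not the ruleset from either poster in the thread; the interface names em0/em1, the LAN prefix 192.168.1.0/24, the resolver addresses (documentation-range placeholders standing in for a public resolver such as OpenDNS) and the set of hosted services are constructed assumptions. The syntax is the pre-4.7 style (separate nat rule) that matches the PF 4.6 mentioned in the post.

```pf
# Added example pf.conf (constructed; not from the thread). Assumed names:
ext_if  = "em0"                 # assumed external interface
int_if  = "em1"                 # assumed internal interface
lan_net = "192.168.1.0/24"      # assumed LAN prefix
# Placeholder resolver addresses (RFC 5737 documentation range); put the
# real addresses of the public resolver you use (e.g. OpenDNS) here.
dns_servers = "{ 203.0.113.53, 203.0.113.54 }"

set skip on lo0

# NAT for the LAN (pre-4.7 syntax, evaluated before the filter rules).
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny on every interface, in both directions, with logging.
block log all

# --- External interface, inbound: only the services this box hosts. ---
# No rule for port 53 or 123 here, so the box is neither a DNS nor an NTP
# server to the outside; the block rule above drops such packets.
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state

# --- Internal interface, inbound: pass selectively and tag the packet. ---
# "flags S/SA keep state" means only the initial SYN creates the state, so
# the TCP options on that SYN (including window scaling) are recorded.
# UDP has no handshake; PF still creates a pseudo-state keyed on the
# address/port pair with a timeout, which is what lets the DNS or NTP reply
# back in without any "pass in on $ext_if" rule for it.
pass in quick on $int_if inet proto udp from $lan_net to $dns_servers port 53 \
    keep state tag OUT_ok
pass in quick on $int_if inet proto udp from $lan_net to any port 123 \
    keep state tag OUT_ok
pass in quick on $int_if inet proto tcp from $lan_net to any \
    port { 21, 25, 80, 443 } flags S/SA keep state tag OUT_ok

# --- Firewall's own client traffic (DNS lookups, clock sync). ---
pass out on $ext_if inet proto udp from ($ext_if) to $dns_servers port 53 \
    keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port 123 keep state

# --- External interface, outbound: let already-admitted packets leave. ---
# The tag travels with the packet from the inbound evaluation on $int_if to
# the outbound evaluation on $ext_if, so this one rule is the only outbound
# rule a forwarded packet has to match.  It only matters for the FIRST
# packet of a flow: once a state exists, later packets in both directions
# are matched against the state table before the ruleset is consulted at
# all, and the "pass in ... keep state" above already created that state.
pass out quick on $ext_if tagged OUT_ok
```

Read against the post's last question: this ruleset is the "selective pass on the internal in interface" strategy. Nothing is opened on the external interface for outbound LAN traffic beyond the single `tagged OUT_ok` rule, and return traffic for DNS, NTP, mail or ftp comes back in through the state that the internal-interface rule created, not through any `pass in on $ext_if` rule. Check what is actually being created with `pfctl -s states` while a lookup is in flight, and confirm that an external probe of port 53 hits the `block log all` rule with `tcpdump -n -e -ttt -i pflog0`.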