Subject: Need help with IPF
To: None <netbsd-help@netbsd.org>
From: Arto Huusko <arto.huusko@maailma.yok.utu.fi>
List: netbsd-help
Date: 03/05/2001 16:59:35
Hi,

I need a bit of help, or actually an explanation might be enough.
There is something I really don't understand in IPF. I'll include
here part of my ruleset and the idea.

The idea is that the firewall box lets nothing in from the interface
connected to the internet, except SSH. But it lets everything travel
through from the internal interface to external interface. So,
from behind the firewall anyone can access any service on the net,
but from the outside only SSH on the firewall is available.

I thought that it might be a good idea if, from the inside, SSH
would also be the only service available on the firewall. In
other words, let everything travel through, but if it stops here
it must be SSH.

I set up ipf.conf like this, not everything is here and the
addresses are not really real:

---

block in all
block out all
pass out quick on lo0
pass in quick on lo0
#
# Internal LAN configuration
# First, pass in everything
pass in on ne4 proto tcp all keep state
pass in on ne4 proto udp all keep state
pass in on ne4 proto icmp all keep state
# Then, block everything coming to this box from inside
block in on ne4 from any to 192.168.0.1
block in on ne4 from any to 10.0.0.2
# But allow SSH and ICMP destined to this box
# !MARK!
pass in quick on ne4 proto tcp from any to 192.168.0.1 port = 22 flags S keep state
#
# External interface
# Allow connection to SSH
pass in quick on ne3 proto tcp from any to 10.0.0.2 port = 22 flags S keep state
#
# And allow outbound otherwise to move freely everywhere
#
pass out proto tcp all keep state keep frags
pass out proto udp all keep state keep frags
pass out proto icmp all keep state

---

Now, the above setup doesn't work for some reason. With the above,
everything works from the external (ne3) interface as it is supposed to.
I can connect to the SSH port on 10.0.0.2 and to nothing else anywhere.
And traffic to the internet from the firewall and boxes behind it
works just fine. But I can't use SSH on the firewall from inside.
Note the line below "!MARK!". Clearly that should override
the two lines above (because of keep state). But it doesn't. Setting
up logging, I can see that yes: from inside the initial connection
to SSH (with S flag) is received and passed in. But every packet
following the SYN packet is blocked by the line:
 block in on ne4 from any to 192.168.0.1

What's going on? Is there something weird about the keep state
in this situation? Removing the "flags S" from the marked line,
the setup works as expected. But why does the same rule applied
to the external interface work just fine?

-- 
Arto Huusko  --  WWW: http://maailma.yok.utu.fi/
                  ** Divecalc **
The Diving Software @ http://maailma.yok.utu.fi/Divecalc
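As an added illustration (not part of the original mail or of IPF itself): a small Python model of IPF rule evaluation, where the last matching rule wins and a `quick` rule stops evaluation, applied to the TCP "in" rules of the ruleset above with the state table deliberately left out. The rule labels and the packet representation are my own; the addresses, interfaces and ports are the ones from the mail.

```python
from collections import namedtuple
from dataclasses import dataclass

# A packet as the ruleset sees it; syn=True for the connection's first packet
Packet = namedtuple("Packet", "iface proto dst dport syn")

@dataclass
class Rule:
    action: str          # "pass" or "block"
    label: str           # the ipf.conf line it stands for
    iface: str = "any"
    proto: str = "any"
    dst: str = "any"
    dport: int = 0          # 0 = any port
    syn_only: bool = False  # "flags S": match only the initial SYN
    quick: bool = False     # stop evaluating at this rule

def matches(r, p):
    return (r.iface in ("any", p.iface) and r.proto in ("any", p.proto)
            and r.dst in ("any", p.dst) and r.dport in (0, p.dport)
            and (p.syn or not r.syn_only))

def evaluate(rules, p):
    """Rule IPF applies by ordering alone: last match wins, quick stops."""
    decision = ("block", "no rule matched")
    for r in rules:
        if matches(r, p):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision

# TCP-relevant "in" rules from the post's ipf.conf; the udp/icmp and lo0
# rules never match these packets and are left out
INBOUND = [
    Rule("block", "block in all"),
    Rule("pass", "pass in on ne4 proto tcp all keep state", iface="ne4", proto="tcp"),
    Rule("block", "block in on ne4 from any to 192.168.0.1", iface="ne4", dst="192.168.0.1"),
    Rule("pass", "!MARK! rule (flags S keep state)", iface="ne4", proto="tcp",
         dst="192.168.0.1", dport=22, syn_only=True, quick=True),
    Rule("pass", "ne3 SSH rule (flags S keep state)", iface="ne3", proto="tcp",
         dst="10.0.0.2", dport=22, syn_only=True, quick=True),
]

def inside_ssh(syn):   # LAN host -> firewall's internal address, port 22
    return evaluate(INBOUND, Packet("ne4", "tcp", "192.168.0.1", 22, syn))

def outside_ssh(syn):  # Internet host -> firewall's external address, port 22
    return evaluate(INBOUND, Packet("ne3", "tcp", "10.0.0.2", 22, syn))
```

By rule order alone the SYN is passed by the marked rule while every later packet of the same connection falls through to the `block in on ne4 from any to 192.168.0.1` line, which is what the log in the mail reports; the ne3 path behaves the same way stateless, so in both directions it is the state entry created on the SYN that has to carry the rest of the flow.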