Subject: Re: Does ipf filter a packet once or twice?
To: David Maxwell , NetBSD Users <netbsd-users@netbsd.org>
From: Jukka Marin <jmarin@pyy.jmp.fi>
List: netbsd-users
Date: 04/10/2001 09:36:02
On Tue, Apr 10, 2001 at 01:20:44AM -0400, David Maxwell wrote:
> On Mon, Apr 09, 2001 at 11:40:38PM +0300, Jukka Marin wrote:
> > A packet arrives at, say, ep0 and is passed by the ipf "in" rules of ep0.
> > The packet is destined to another network behind ep1, and is blocked by
> > the "out" rules of ep1.  Unless I'm doing something stupid (like I often
> > am), it seems that when the packet is accepted in via ep0, it will auto-
> > magically be passed to ep1, even though the "out" rules would block it.
> 
> I know a couple other people replied and blamed your use of 'quick', but
> that doesn't match my understanding of ipf. ipf hooks into the pfil
> hooks in NetBSD, and catches the packet when first in on the wire, and
> last before it goes out on the wire. I expect these to be two different
> times for the rules to be applied, and so I don't expect 'quick' to
> bypass the 'out' rules - they're run after the packet has passed through
> the stack. I've never seen where ipf would track a packet through the
> stack, so I don't expect it realizes that it's a packet that was passed
> with 'quick' in.
> 
> Checking the code, ipf doesn't track what happened while processing the
> 'in' rules - once it hits a 'quick' rule, it passes the packet to the
> stack, and it's done (for now).

I must have a bug in my ipf.conf, then.  I just can't find it.  I'm just
learning how to ipf, but my ipf.conf files are growing large (almost 300
lines (including comments) already) because of the multiple subnets,
tunnels, interfaces etc. ;-)

It seems my "out" rules on ep3 have no effect at the moment.  I use groups
for the network interfaces like this (this is the beginning of my ipf.conf):

block in  all
block out all
pass in  quick on lo0
pass out quick on lo0
block in log quick from any to 127.0.0.0/8
block in log quick all with short
block in log quick from any to any with ipopts
block in   on ep2  all head 100
block out  on ep2  all head 150
block in   on gif0 all head 200
block out  on gif0 all head 250
block in   on ep0  all head 300
block out  on ep0  all head 350
block in   on ep3  all head 400
block out  on ep3  all head 450

In every group, I have the rules that apply to only one interface and one
direction.  Most of those rules have the "quick" keyword.  What does it
do?  Does it "return from a subroutine" to the line following the "head"
keyword that started the group processing?  Well, if ipf is run separately
for incoming and outgoing packets, it shouldn't really matter here - it
should always do group 450 and group 450 only for packets going out on ep3.
Still, it seems that the rules in group 450 have no effect on outgoing
traffic on ep3.

I'm not using NAT.

I'm puzzled - I thought I was beginning to understand this stuff ;-)

BTW, when am I supposed to use "keep state"?  I don't need it for incoming
rules (from Internet) if I pass in tcp port 22 (for ssh) AND if I pass all
tcp out to Internet?  But I _do_ need it for the out rules if I pass all
tcp out, but not in (so the returned packets can get back)?

Thanks,

  -jm
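A toy model of the rule walk being discussed, added here as an illustration and not code from ipf or from either poster. It assumes ipf's documented semantics in simplified form: the filter is entered once for "in" on the arrival interface and separately for "out" on the exit interface, the last matching rule wins unless a match says "quick", a matching "head" rule descends into its group, and "keep state" installs a flow entry that is consulted before the rules; the ipf.conf fragment is constructed in the poster's group style and only from/to host matching is modelled.

```python
# Toy model of ipf's rule walk, constructed for this thread; it is not ipf's
# code. It models only direction, "on <iface>", from/to host matching, quick,
# head/group, and "keep state" as a flow table consulted before the rules.
from collections import namedtuple
Rule = namedtuple("Rule", "action direction iface src dst quick head group keep_state")

def parse(conf):
    rules = []
    for line in conf.splitlines():
        w = line.split()
        if not w or w[0].startswith("#"):
            continue
        after = lambda k: w[w.index(k) + 1] if k in w else None
        rules.append(Rule(w[0], w[1], after("on"), after("from") or "any",
                          after("to") or "any", "quick" in w, after("head"),
                          after("group"), "keep" in w))
    return rules

def run(rules, direction, iface, flow, state):
    """One pfil hook: 'in' on the arrival interface or 'out' on the exit one."""
    if flow in state:                      # keep state: the rules are skipped
        return "pass"
    def walk(group):
        last = None
        for r in rules:
            if (r.group != group or r.direction != direction
                    or (r.iface and r.iface != iface)
                    or r.src not in ("any", flow[0]) or r.dst not in ("any", flow[1])):
                continue
            last = r                       # last matching rule so far
            if r.head:                     # a matching head rule descends into its group
                sub, done = walk(r.head)
                if sub: last = sub
                if done: return last, True
            if r.quick:                    # quick ends the walk at this rule
                return last, True
        return last, False
    rule, _ = walk(None)
    if rule and rule.action == "pass" and rule.keep_state:
        state.update({flow, flow[::-1]})   # lets the reply direction through
    return rule.action if rule else "pass" # nothing matched: ipf defaults to pass

# Constructed config in the poster's group style (not his real ipf.conf).
CONF = """
block in  all
block in  on ep0 all head 300
block out on ep3 all head 450
pass  in  quick on ep0 from 10.0.0.5 to any group 300
pass  out quick on ep3 from any to 10.0.3.9 group 450 keep state
"""
```

Running a 10.0.0.5 to 10.0.3.10 packet through it gives "pass" on the ep0 "in" hook and "block" on the ep3 "out" hook, so a "quick" match on the way in does not carry over to the out rules; a 10.0.0.5 to 10.0.3.9 packet is passed out with state, after which its reply arriving in on ep3 is passed without any "in" rule for it.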