tech-net archive


Re: Trying to understand stateful npf

On 10/12/18 17:10, Stephen Borrill wrote:
I'm trying to configure a ruleset to filter traffic bound for the outside world and also allow an incoming port map. The ruleset can be seen below. I would expect that the "pass stateful out" on the internal interface would have allowed the packets back in past the "block in all" from 10.10.0.2 when replying. However, it does not.

While ipfilter has (interface-)global state, npf and pf do not.

My pf setup has this comment

# (3) pf does not support global state
# Even with 'state-policy floating', pf does not set up global state.
# For every packet that you allow in on an interface and set state for,
# there needs to be a corresponding rule on the interface where the
# packet is supposed to leave the router. I.e. state is interface local.

and this general rule

# XXX Assume that we check all packets' destination on the incoming
# interfaces - this emulates ipfilter's global state.
pass out all flags S/SA keep state

I guess this could be translated to npf (especially in the light of its severe rule-set size limitation).

HTH,
hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email	        Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Ruf +49-6151-16-21344
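As an added illustration, not taken from the thread or from NetBSD's own documentation, here is how the pf approach quoted above (a stateful pass-out rule on every interface, because state is bound to the interface it was created on) can be carried into npf.conf. The interface names wm0/wm1, the 10.10.0.0/24 network and the 8080 -> 80 port map are constructed for the example; only 10.10.0.2 comes from the thread.

```conf
# Added example, not from the thread: per-interface stateful rules in npf.
# Interface names, the LAN prefix and the port numbers are constructed.
$ext_if = "wm0"                 # assumed: interface facing the outside world
$int_if = "wm1"                 # assumed: LAN interface with 10.10.0.2 behind it
$int_net = { 10.10.0.0/24 }     # assumed LAN prefix

# Outbound NAT for the LAN and an inbound port map to 10.10.0.2 (constructed ports).
map $ext_if dynamic $int_net -> $ext_if
map $ext_if dynamic 10.10.0.2 port 80 <- $ext_if port 8080

group "external" on $ext_if {
	# State created by rules in this group is tied to $ext_if. The inbound
	# rule is written against the post-translation destination, which assumes
	# inbound NAT is applied before the rule is evaluated.
	pass stateful in final proto tcp to 10.10.0.2 port 80
	pass stateful out final all
}

group "internal" on $int_if {
	# The same pattern again on the LAN side: state made here only covers
	# packets seen on $int_if, so this interface needs its own rules rather
	# than relying on state from $ext_if.
	pass stateful in final from $int_net
	pass stateful out final all
}

group default {
	# Loopback is exempt; everything that no interface group passed is dropped.
	pass final on lo0 all
	block all
}
```

The shape to notice is that every interface a flow crosses carries its own `pass stateful out`, which is the npf counterpart of the pf `pass out all flags S/SA keep state` line quoted above. `npfctl validate /etc/npf.conf` checks the syntax before `npfctl reload`.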
