pf: BAD state: TCP...

David Beck dbeck at beckground.hu
Wed Mar 29 09:59:25 PST 2006


Well actually, jail and pf are bound together in my config, because the jail 
runs on an alias of lo0 and the incoming connection gets rdr-ed to the 
jail and the outgoing gets nat-ed from the jail.

There is one more thing that might be important: this is a 4-way SMP 
machine.

Yes, I'll paste my config here:

# ----------------------------------------------------------------------------------------
# -- OPTIONS --
ext_if = "fxp1"
int_if = "lo0"
ext_ip = "OUTER_IP"
tcp_services = "22"
icmp_types = "echoreq"

ns2_jail    = "10.1.0.127"
proxy1_jail = "10.4.0.127"
all_jails   = "{ 10.1.0.127, 10.4.0.127 }"
table <denysmtpmisuse> persist file "/etc/spammers" file "/etc/openrelays"
table <sshattackers> persist file "/etc/sshattackers"
# ----------------------------------------------------------------------------------------
# -- NORMALIZATION --
scrub in log on $ext_if

# ----------------------------------------------------------------------------------------
# -- TRANSLATION --
nat on $ext_if from $all_jails to any -> $ext_ip
rdr on $ext_if proto { "tcp", "udp" } from ($ext_if) to $ext_ip port 53 -> $ns2_jail    port 53
rdr on $ext_if proto    tcp           from ($ext_if) to $ext_ip port 80 -> $proxy1_jail port 9999

# ----------------------------------------------------------------------------------------
# --
antispoof for $ext_if

# --
block in log quick on $ext_if proto tcp from <denysmtpmisuse> to any port 25
block in log quick on $ext_if proto tcp from <sshattackers> to any port 22
# -- XXX
block all
block in on $ext_if
pass in on $int_if
pass out on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port 22 flags S/SA keep state
# --
pass out log on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass out on $ext_if inet proto udp from ($ext_if) to any keep state

# --
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# --
pass in on $ext_if inet proto tcp from any to $ns2_jail    port 53   flags S/SA keep state
pass in on $ext_if inet proto udp from any to $ns2_jail    port 53   keep state
pass in on $ext_if inet proto tcp from any to $proxy1_jail port 9999 flags S/SA keep state

Best regards, David.

joerg at xxxxxxxxxxxxxxxxx wrote:
On Wed, Mar 29, 2006 at 07:23:17PM +0200, David Beck wrote:

I have a problem with pf and didn't find any information that would help. 
Could you please advise on this? I wanted a simple thing: create a jail 
and put a squid server into it. It didn't work as expected.


Jails and PF don't affect each other at all. You should be able to
replicate this with any source-bound program. Can you give us at least
your pf.conf?
Joerg
