[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

What point does keep state take effect?

I'm trying to put together a firewall for our DMZ and internal network.  For 
some reason, a server in the DMZ can only hit the external DNS server if it 
has keep state on the DMZ interface.   Basically the following (relvant 
extract) blocks access:

  ext_if           = "vr0"
  dmz_if           = "em0"
  dmz_tcp_services_out = "{ http, https, ftp, ntp, domain }"
  dmz_tcp_services_in  = "{ http, https, ssh }"
  dmz_udp_services_in  = "{ ntp }"
  dmz_udp_services_out = "{ domain }"
  webserv2_dmz_ad = "{ }"
  webserv2_ext_ad=  "..."
  tcp_opts = "modulate state" # gave up on synproxy state
  udp_opts = "keep state"
  icmp_opts = "keep state"
  nat_proto = "{ tcp, udp, icmp }"
  scrub all reassemble tcp
  scrub in all fragment reassemble
  scrub out all random-id
  nat on $ext_if proto $nat_proto \
    from $webserv2_dmz_ad -> $webserv2_ext_ad
  rdr on { $ext_if, $int_if } proto tcp \
    from any to $webserv2_ext_ad port www -> $webserv2_dmz_ad port www
  block in log (all) all
  block out log (all) all
  antispoof log quick for $antispoof_if
  pass out on $ext_if proto tcp \
    from any to any $tcp_opts
  pass out on $ext_if proto udp \
    from any to any $udp_opts
  pass out on $ext_if inet proto icmp \
    from any to any $icmp_opts
  pass in on $dmz_if proto tcp \
    from $dmz_ad to any port $dmz_tcp_services_out #$tcp_opts
  pass in on $dmz_if proto udp \
    from $dmz_ad to any port $dmz_udp_services_out #$udp_opts
  pass in on $dmz_if proto icmp \
    from $dmz_ad to any #$udp_opts

Call dig with this setup and it times out; uncomment the options 
(modulate/keep) state and you get a DNS result.  I was under the impression 
that the state should be created as the packets leave $ext_if, so why is it 
necessary to put a state option in the DMZ interface rules?

Hope someone can clear this up


"If you do it the stupid way, you will have to do it again"
  - Gregory Chudnovsky

Visit your host, monkey.org