Re: pf: BAD state: TCP...

[David Beck <dbeck@xxxxxxxxxxxxx>]

Well actually, jail and pf bound together in my config, because the jail 
runs on an alias of lo0 and the incoming connection gets rdr-ed to the 
jail and the outgoing gets nat-ed from the jail.

There is one more thing that might be important: this is a 4-way SMP 
machine.

Yes, I paste my config here:

# 
----------------------------------------------------------------------------------------
# -- OPTIONS --
ext_if = "fxp1"
int_if = "lo0"
ext_ip = "OUTER_IP"
tcp_services = "22"
icmp_types = "echoreq"

ns2_jail    = "10.1.0.127"
proxy1_jail = "10.4.0.127"
all_jails   = "{ 10.1.0.127, 10.4.0.127 }"

table <denysmtpmisuse> persist file "/etc/spammers" file "/etc/openrelays"
table <sshattackers> persist file "/etc/sshattackers"

# 
----------------------------------------------------------------------------------------
# -- NORMALIZATION --
scrub in log on $ext_if

# 
----------------------------------------------------------------------------------------
# -- TRANSLATION --
nat on $ext_if from $all_jails to any -> $ext_ip
rdr on $ext_if proto { "tcp", "udp" } from ($ext_if) to $ext_ip port 53 
  -> $ns2_jail    port 53
rdr on $ext_if proto    tcp           from ($ext_if) to $ext_ip port 80 
  -> $proxy1_jail port 9999

# 
----------------------------------------------------------------------------------------
# --
antispoof for $ext_if

# --
block in log quick on $ext_if proto tcp from <denysmtpmisuse> to any port 25
block in log quick on $ext_if proto tcp from <sshattackers> to any port 22

# -- XXX
block all
block in on $ext_if
pass in on $int_if
pass out on $int_if

pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port 22 flags S/SA keep state

# --
pass out log on $ext_if inet proto tcp from ($ext_if) to any flags S/SA 
keep state
pass out on $ext_if inet proto udp from ($ext_if) to any keep state

# --
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# --
pass in on $ext_if inet proto tcp from any to $ns2_jail    port 53 
flags S/SA keep state
pass in on $ext_if inet proto udp from any to $ns2_jail    port 53 
keep state
pass in on $ext_if inet proto tcp from any to $proxy1_jail port 9999 
flags S/SA keep state

Best regards, David.

joerg@xxxxxxxxxxxxxxxxx wrote:
> On Wed, Mar 29, 2006 at 07:23:17PM +0200, David Beck wrote:
>
> > I have problem with pf and didn't find any information that would help. 
> > Could you please advise on this? I wanted a simple thing, create a jail, 
> > and put a squid server into that. It didn't work as expected.
>
>
> Jails and PF don't affect each other at all. You should be able to
> replicate this with any source bound program. Can you give us at least
> your pf.conf?
>
> Joerg