Set state-policy if-bound or simulate if-bound with route-to rule



  • I can't contact (https, ssh) my pfSense over a WAN interface which doesn't hold the default gateway.

    The packets come in on em2 and leave on em1 with the IP of em2 as source.

    With set state-policy if-bound the problem should be gone. But it seems it causes problems with bridging.
    Could the route-to rule be the reason, with "flags S/S"? Does this make sense?

    my config:

    
    em1=62.159.188.154
    em2=78.42.74.173
    
    pass out route-to (em1 62.159.188.153) inet from 62.159.188.154 to ! 62.159.188.152/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (em2 78.42.72.1) inet from 78.42.74.173 to ! 78.42.72.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    
    

    tcpdump -n -i em2 | grep 95.90.154.95

    
    20:10:54.026626 IP 95.90.154.95.10683 > 78.42.74.173.443: Flags [S], seq 2222488228, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    20:10:54.027579 IP 95.90.154.95.41430 > 78.42.74.173.443: Flags [S], seq 1310538634, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
    

    tcpdump -n -i em1 | grep 95.90.154.95 | grep 443

    
    20:13:39.238897 IP 78.42.74.173.443 > 95.90.154.95.6192: Flags [S.], seq 1141899119, ack 3308422046, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
    20:13:39.239704 IP 78.42.74.173.443 > 95.90.154.95.22159: Flags [S.], seq 1574710887, ack 1864152005, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
    


  • if-bound states create all kinds of problems, don't set that.

    The reply-to on WAN rules will handle the reply traffic unless you're adding a rule that overrides the auto-added reply-to, or disabling the reply-to on those rules.



  • For your information, there is no if-bound state possible in pfSense.
    It has been removed completely from pf in the kernel, as it would break all kinds of things.



  • I don't have a reply-to that could match.
    I haven't checked "disable reply-to" in the GUI.

    
    scrub on em1 all no-df random-id fragment reassemble
    scrub on em0 all no-df random-id fragment reassemble
    scrub on em2 all no-df random-id fragment reassemble
    scrub on pppoe0 all no-df random-id fragment reassemble
    scrub on em4 all no-df random-id fragment reassemble
    scrub on ovpnc2 all no-df random-id fragment reassemble
    scrub on ovpnc1 all no-df random-id fragment reassemble
    scrub on ovpns3 all no-df random-id fragment reassemble
    scrub on em3 all no-df random-id fragment reassemble
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    block drop in log quick inet6 all label "Block all IPv6"
    block drop out log quick inet6 all label "Block all IPv6"
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! em1 inet from 62.159.188.152/29 to any
    block drop in inet from 62.159.188.154 to any
    block drop in on em1 inet6 from fe80::203:2dff:fe1a:d0dc to any
    block drop in log quick on em1 inet from 10.0.0.0/8 to any label "Block private networks from 1_TCC block 10/8"
    block drop in log quick on em1 inet from 127.0.0.0/8 to any label "Block private networks from 1_TCC block 127/8"
    block drop in log quick on em1 inet from 100.64.0.0/10 to any label "Block private networks from 1_TCC block 100.64/10"
    block drop in log quick on em1 inet from 172.16.0.0/12 to any label "Block private networks from 1_TCC block 172.16/12"
    block drop in log quick on em1 inet from 192.168.0.0/16 to any label "Block private networks from 1_TCC block 192.168/16"
    block drop in log quick on em1 inet6 from fc00::/7 to any label "Block ULA networks from 1_TCC block fc00::/7"
    block drop in on ! em0 inet from 10.19.69.0/24 to any
    block drop in inet from 10.19.69.10 to any
    block drop in on ! em2 inet from 78.42.72.0/22 to any
    block drop in inet from 78.42.74.173 to any
    block drop in on em0 inet6 from fe80::203:2dff:fe1a:d0db to any
    block drop in on em2 inet6 from fe80::203:2dff:fe1a:d0dd to any
    pass in on em2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out 2_CABLE"
    pass out on em2 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out 2_CABLE"
    block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "Block private networks from 3_TDSL block 10/8"
    block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "Block private networks from 3_TDSL block 127/8"
    block drop in log quick on pppoe0 inet from 100.64.0.0/10 to any label "Block private networks from 3_TDSL block 100.64/10"
    block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "Block private networks from 3_TDSL block 172.16/12"
    block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "Block private networks from 3_TDSL block 192.168/16"
    block drop in log quick on pppoe0 inet6 from fc00::/7 to any label "Block ULA networks from 3_TDSL block fc00::/7"
    block drop in on ! ovpnc2 inet from 10.255.255.130 to any
    block drop in inet from 10.255.255.130 to any
    block drop in on ! ovpnc1 inet from 10.255.255.2 to any
    block drop in inet from 10.255.255.2 to any
    block drop in on ! ovpns3 inet from 10.255.255.193 to any
    block drop in inet from 10.255.255.193 to any
    block drop in on ! em4 inet from 192.168.178.0/24 to any
    block drop in inet from 192.168.178.100 to any
    block drop in on ovpnc2 inet6 from fe80::203:2dff:fe1a:d0db to any
    block drop in on ovpnc1 inet6 from fe80::203:2dff:fe1a:d0db to any
    block drop in on ovpns3 inet6 from fe80::203:2dff:fe1a:d0db to any
    block drop in on em4 inet6 from fe80::203:2dff:fe1a:d0df to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (em1 62.159.188.153) inet from 62.159.188.154 to ! 62.159.188.152/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (em2 78.42.72.1) inet from 78.42.74.173 to ! 78.42.72.0/22 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpnc2 10.255.255.129) inet from 10.255.255.130 to ! 10.255.255.130 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpnc1 10.255.255.1) inet from 10.255.255.2 to ! 10.255.255.2 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpns3 10.255.255.194) inet from 10.255.255.193 to ! 10.255.255.193 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on em0 proto tcp from any to (em0) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/*" all
    pass in quick on Internet inet proto esp all keep state label "USER_RULE"
    pass in quick on Internet inet proto udp from any to any port = isakmp keep state label "USER_RULE"
    pass in quick on Internet inet proto udp from any to any port = sae-urn keep state label "USER_RULE"
    pass in quick on Internet inet proto icmp all icmp-type echoreq keep state label "USER_RULE"
    pass in quick on Internet inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE"
    pass in quick on Internet inet proto udp from any to any port 1193 >< 1197 keep state label "USER_RULE: OVPN Server"
    pass in quick on enc0 inet all flags S/SA keep state label "USER_RULE"
    pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE"
    pass in quick on em0 route-to (em1 62.159.188.153) inet from any to <dicomgateway> flags S/SA keep state label "USER_RULE"
    pass in quick on em0 route-to (em2 78.42.72.1) inet from any to ! <notinternet> flags S/SA keep state label "USER_RULE"
    pass in quick on em0 inet all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    pass in quick on ovpnc2 reply-to (ovpnc2 10.255.255.129) inet all flags S/SA keep state label "USER_RULE"
    pass in quick on ovpnc1 reply-to (ovpnc1 10.255.255.1) inet all flags S/SA keep state label "USER_RULE"
    anchor "tftp-proxy/*" all
    No queue in use
    


  • One pitfall after the other.
    Rules on interface groups don't produce reply-to rules. Rules should iterate over the interfaces and make one rule after the other.
    That means interface groups are useless. I have to make every stupid rule manually and multiple times.
    And every time I add a new WAN I have to do it again.



  • reply-to isn't added to interface groups by design. It wouldn't work right. They only work in circumstances where reply-to isn't necessary.
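The two points above (reply-to on per-WAN rules is what sends replies back out the interface they came in on, and rules on an interface group such as "Internet" get no reply-to) can be handled with a small generator plus a checker. The script below is an added example, not pfSense code and not the poster's ruleset: it emits one "pass in ... reply-to" rule per WAN, and it scans pf rule output (such as `pfctl -sr`) for "pass in" rules on a given interface or group that carry no reply-to. Interface names, addresses and gateways are the ones posted in the thread; the management port list, the rule labels and the three sample rules being a constructed excerpt are assumptions of this example.

```shell
#!/bin/sh
# Added example for a multi-WAN pfSense/pf host; not from the thread above.
# 1. gen_reply_to_rules: one per-interface "pass in ... reply-to" rule per WAN,
#    so management traffic arriving on a WAN that does not hold the default
#    gateway is answered out of that same WAN instead of the default route.
# 2. rules_missing_reply_to: flag "pass in" rules on the named interfaces/groups
#    that have no reply-to (their replies follow the default route).

# One WAN per line: interface address gateway (values taken from the thread).
WANS='em1 62.159.188.154 62.159.188.153
em2 78.42.74.173 78.42.72.1'

# Assumed: the services that must be reachable on every WAN.
MGMT_PORTS='{ https, ssh }'

# Print one reply-to rule for each line of $WANS.
gen_reply_to_rules() {
    printf '%s\n' "$WANS" | while read -r ifc addr gw; do
        [ -n "$ifc" ] || continue
        printf 'pass in quick on %s reply-to (%s %s) inet proto tcp from any to %s port %s flags S/SA keep state label "mgmt via %s"\n' \
            "$ifc" "$ifc" "$gw" "$addr" "$MGMT_PORTS" "$ifc"
    done
}

# Number of rules the generator produces (one per WAN).
count_rules() {
    gen_reply_to_rules | wc -l | tr -d ' '
}

# Read pf rules on stdin; print every "pass in" rule bound to one of the
# interfaces or groups given as arguments that contains no reply-to.
# The check is purely syntactic: it does not know which WAN is the default.
rules_missing_reply_to() {
    awk -v ifs="$*" '
        BEGIN { n = split(ifs, want, " ") }
        /^pass in / {
            for (i = 1; i <= n; i++)
                if ($0 ~ ("^pass in (quick )?on " want[i] " ") && $0 !~ /reply-to/)
                    print
        }'
}

# Constructed sample: three rules copied from the pfctl -sr output in the thread.
SAMPLE_RULES='pass in quick on Internet inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE"
pass in on em2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out 2_CABLE"
pass in quick on ovpnc2 reply-to (ovpnc2 10.255.255.129) inet all flags S/SA keep state label "USER_RULE"'

# How many of the sample rules on the listed interfaces lack reply-to.
count_missing() {
    printf '%s\n' "$SAMPLE_RULES" | rules_missing_reply_to Internet em1 em2 ovpnc2 | wc -l | tr -d ' '
}

# Stand-alone run: show the generated rules, then the flagged sample rules.
gen_reply_to_rules
printf '%s\n' "$SAMPLE_RULES" | rules_missing_reply_to Internet em1 em2 ovpnc2
```

The flagged "pass in quick on Internet ... port = https" rule is the one that admits the HTTPS connections in the posted tcpdump: with no reply-to, the SYN-ACKs from 78.42.74.173 leave via the default gateway on em1, which is exactly what the em1 capture shows. On pfSense the generated rules correspond to one rule per WAN tab (where reply-to is added automatically unless disabled); on a plain pf host they can be loaded into an anchor with `pfctl -a <anchor> -f -`. To confirm the fix, watch for SYN-ACKs on em2 rather than em1: `tcpdump -ni em2 'src host 78.42.74.173 and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'`. After sourcing the script, `pfctl -sr | rules_missing_reply_to Internet em1 em2` checks a live ruleset.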

