freebsd udp pbr trouble

I have trouble with pf PBR for UDP:

pf rules:
pass in quick on $IF1 reply-to ($IF1 $GW1) proto {tcp udp} from <internet> to $ADDR1 port 1194
pass in quick on $IF2 reply-to ($IF2 $GW2) proto {tcp udp} from <internet> to $ADDR2 port 1194

default route:
#route get default
route to: default
destination: default
mask: default
gateway: localhost
interface: lo0
uname -a:
#uname -a
FreeBSD myhost 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #4: Wed Nov 19 16:01:16 MSK 2008 root@myhost:/usr/src/sys/i386/compile/myhost i386

TCP on port 1194 works fine. But when I try to connect to the UDP port, the packets go back via the lo0 interface (default route) and the firewall rules don't work.

Does UDP PBR work in pf on FreeBSD? What could be the problem?
 
I am guessing it has something to do with UDP being stateless. Add another set of rules for UDP:

pass out quick on $IF1 route-to ($IF1 $GW1) proto udp from $ADDR1 port 1194 to <internet>

Or you could try 'keep state' on your rules above.
 
aragon said:
I am guessing it has something to do with UDP being stateless. Add another set of rules for UDP:

pass out quick on $IF1 route-to ($IF1 $GW1) proto udp from $ADDR1 port 1194 to <internet>
The outbound UDP packet comes from the default route address, i.e. the packet comes in to external address 1.1.1.1 on $IF1, but goes out from interface lo0 & address 127.0.0.1 (my default route is 127.0.0.1), while with TCP outbound address = inbound address & there is no problem.


Or you could try 'keep state' on your rules above.

In FreeBSD 7.0 pf, all rules are keep state by default.

I tried to set up PBR with ipfw & have the same problem.

I think the problem is in the FreeBSD IP stack or is connected with the specifics of UDP, but I don't understand what the problem is & how to solve it.
 
menace said:
The outbound UDP packet comes from the default route address, i.e. the packet comes in to external address 1.1.1.1 on $IF1, but goes out from interface lo0 & address 127.0.0.1 (my default route is 127.0.0.1), while with TCP outbound address = inbound address & there is no problem.
That makes sense, so add a rule on lo0 from address 127.0.0.1 that route-to's ($IF1 $GW1).

Although PF tracks UDP state, I don't think the OS's IP stack does or should. UDP is stateless, so any UDP packets that an app generates aren't matched to any previously received packets by the IP stack, so FreeBSD just consults the routing table to figure out how to send outbound UDP packets and then sends them through the packet filter in a new context.

For TCP the IP stack probably associates its own connection states with PF states so that return traffic can be sent through the packet filter in the same context.

menace said:
I think the problem is in the FreeBSD IP stack or is connected with the specifics of UDP, but I don't understand what the problem is & how to solve it.
Not sure about this. It seems normal to me. I think FreeBSD's IP stack would have to track UDP statefully for things to work as you expected, and I'm pretty sure it does not.

What FreeBSD really needs is a policy based routing table. Doing routing in the packet filter is a bit of a hack. :)
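To illustrate the explanation above (and the symptom menace describes, a reply leaving from 127.0.0.1 instead of the address it arrived on), here is an added Python example that is not part of the thread: a UDP daemon listening on 0.0.0.0 answers with whatever source address the routing table picks for the client, while a TCP connection accepted on a 0.0.0.0 listener keeps the address the client connected to. It assumes a Linux-style host where all of 127.0.0.0/8 sits on loopback (FreeBSD would need lo0 aliases for 127.0.0.2 and 127.0.0.3); those two addresses are constructed stand-ins for $ADDR1 and for a client on <internet>.

```python
import socket

def udp_reply_source(bind_addr, service_addr, client_addr, timeout=2.0):
    """Bind a UDP 'service' to bind_addr, send it one datagram from client_addr
    to service_addr, echo it back on the same socket (as a daemon such as
    OpenVPN does) and return the source address the kernel put on the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.bind((bind_addr, 0))
        srv.settimeout(timeout)
        cli.bind((client_addr, 0))
        cli.settimeout(timeout)
        cli.sendto(b"ping", (service_addr, srv.getsockname()[1]))
        data, peer = srv.recvfrom(64)
        # No local address is fixed on a socket bound to 0.0.0.0, so the
        # stack chooses the reply's source from its route to the peer.
        srv.sendto(data, peer)
        _, reply_from = cli.recvfrom(64)
        return reply_from[0]
    finally:
        srv.close()
        cli.close()

def tcp_accepted_local_addr(service_addr, client_addr, timeout=2.0):
    """TCP contrast: the accepted socket is already bound to the address the
    client connected to, so replies reuse it although the listener is on 0.0.0.0."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        lst.bind(("0.0.0.0", 0))
        lst.listen(1)
        lst.settimeout(timeout)
        cli.bind((client_addr, 0))
        cli.settimeout(timeout)
        cli.connect((service_addr, lst.getsockname()[1]))
        conn, _ = lst.accept()
        local_addr = conn.getsockname()[0]
        conn.close()
        return local_addr
    finally:
        lst.close()
        cli.close()

if __name__ == "__main__":
    # 127.0.0.2 stands in for $ADDR1, 127.0.0.3 for a client on <internet> (constructed).
    print("UDP, listener on 0.0.0.0  :", udp_reply_source("0.0.0.0", "127.0.0.2", "127.0.0.3"))
    print("UDP, listener on 127.0.0.2:", udp_reply_source("127.0.0.2", "127.0.0.2", "127.0.0.3"))
    print("TCP, listener on 0.0.0.0  :", tcp_accepted_local_addr("127.0.0.2", "127.0.0.3"))
```

The first UDP case reproduces the thread's symptom (the reply leaves from the loopback address the route prefers, not from 127.0.0.2), the second shows that binding the daemon to the specific address fixes the source, and the TCP case shows why TCP never hit the problem.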
 
aragon said:
That makes sense, so add a rule on lo0 from address 127.0.0.1 that route-to's ($IF1 $GW1).

It doesn't help me, because packets from $IF2 $GW2 are sent via $IF1 $GW1 with the route-to on lo0 :(
 