Firewall Builder / Bug reports - current version / #273 OpenBSD PF, `force state` on block rules

#273 OpenBSD PF, `force state` on block rules

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2015-10-29

Created: 2015-10-29

Creator: MGR Admin

Private: No

OpenBSD 5.8
Firewall Builder 5.1.0.3599
OpenBSD binary package, mTier package updates www.mtier.org

The generated conf. file:

# Policy compiler errors and warnings:
# workstation:Policy:2: warning: Changing rule direction due to self reference
# workstation:Policy:3: warning: Changing rule direction due to self reference
# 
# Rule  0 (eth0)
# anti spoofing rule
block in   log  quick on eth0 inet  from self  to any keep state  label "RULE 0 -- DROP "  
# 
# Rule  1 (lo)
pass  quick on lo inet  from any  to any keep state  label "RULE 1 -- ACCEPT "  
# 
# Rule  2 (global)
# SSH Access to the host; useful ICMP
# types; ping request
# workstation:Policy:2: warning: Changing rule direction due to self reference

pass in   quick inet proto icmp  from any  to self icmp-type { 3 , 0 code 0 , 8 code 0 , 11 code 0 , 11 code 1  } keep state  label "RULE 2 -- ACCEPT "  
pass in   quick inet proto tcp  from any  to self port 22 keep state  label "RULE 2 -- ACCEPT "  
# 
# Rule  3 (global)
# workstation:Policy:3: warning: Changing rule direction due to self reference

pass out  quick inet  from self  to any keep state  label "RULE 3 -- ACCEPT "  
# 
# Rule  4 (global)
block  log  quick inet  from any  to any keep state  label "RULE 4 -- DROP "  
# 
# Rule  fallback rule
#    fallback rule 
block  quick inet  from any  to any  label "RULE 10000 -- DROP "

Errors from pfctl -f ./workstation.conf:

/home/devel/workstation.conf:10: keep state is great, but only for pass rules
/home/devel/workstation.conf:10: skipping rule due to errors
/home/devel/workstation.conf:10: keep state is great, but only for pass rules
/home/devel/workstation.conf:10: skipping rule due to errors
/home/devel/workstation.conf:10: rule expands to no valid combination
/home/devel/workstation.conf:29: keep state is great, but only for pass rules
/home/devel/workstation.conf:29: skipping rule due to errors
/home/devel/workstation.conf:29: rule expands to no valid combination
pfctl: Syntax error in config file: pf rules not loaded

The problem is the keep state option in block rules, e.g.:

block in   log  quick on eth0 inet  from self  to any keep state

Right clicking on options in Workstation / Policy, under the State Tracking tab in the resulting options dialogue there is a force keep state option for the rule. This appears to have no effect (checked on unchecked), and seems to default to activated, causing the error on attempting to load the rule set.

Discussion

MGR Admin - 2015-10-29

Quick correction to the post title:

OpenBSD PF, keep state on block rules

The rule set was generated from the host firewall template 1 preconfigured standard template.

.fwb file attached.

Last edit: MGR Admin 2015-10-29

workstation.fwb

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

OpenBSD PF, `force state` on block rules

Group

Searches

Help

#273 OpenBSD PF, `force state` on block rules

Discussion