Recent changes to 273: OpenBSD PF, `force state` on block ruleshttps://sourceforge.net/p/fwbuilder/bug-reports-current-version/273/Recent changes to 273: OpenBSD PF, `force state` on block rulesenThu, 29 Oct 2015 18:39:32 -0000#273 OpenBSD PF, `force state` on block ruleshttps://sourceforge.net/p/fwbuilder/bug-reports-current-version/273/?limit=25#0f2d<div class="markdown_content"><p>Quick correction, the post title:<br/> </p> <blockquote> <p>OpenBSD PF, <code>keep state</code> on block rules </p> </blockquote></div>MGR AdminThu, 29 Oct 2015 18:39:32 -0000https://sourceforge.net232a6424f279f461b48d3a329387ea6ae09b6688OpenBSD PF, `force state` on block ruleshttps://sourceforge.net/p/fwbuilder/bug-reports-current-version/273/<div class="markdown_content"><p>OpenBSD 5.8<br/> Firewall Builder 5.1.0.3599<br/> OpenBSD binary package, mTier package updates www.mtier.org</p> <p>The generated conf. file:</p> <div class="codehilite"><pre># Policy compiler errors and warnings: # workstation:Policy:2: warning: Changing rule direction due to self reference # workstation:Policy:3: warning: Changing rule direction due to self reference # # Rule 0 (eth0) # anti spoofing rule block in log quick on eth0 inet from self to any keep state label "RULE 0 -- DROP " # # Rule 1 (lo) pass quick on lo inet from any to any keep state label "RULE 1 -- ACCEPT " # # Rule 2 (global) # SSH Access to the host; useful ICMP # types; ping request # workstation:Policy:2: warning: Changing rule direction due to self reference pass in quick inet proto icmp from any to self icmp-type { 3 , 0 code 0 , 8 code 0 , 11 code 0 , 11 code 1 } keep state label "RULE 2 -- ACCEPT " pass in quick inet proto tcp from any to self port 22 keep state label "RULE 2 -- ACCEPT " # # Rule 3 (global) # workstation:Policy:3: warning: Changing rule direction due to self reference pass out quick inet from self to any keep state label "RULE 3 -- ACCEPT " # # Rule 4 (global) block log quick inet from any to any keep state label "RULE 4 -- DROP " # # Rule fallback rule # fallback rule block quick inet from any to any label "RULE 10000 -- DROP " </pre></div> <p>Errors from <code>pfctl -f ./workstation.conf</code>:</p> <div class="codehilite"><pre>/home/devel/workstation.conf:10: keep state is great, but only for pass rules /home/devel/workstation.conf:10: skipping rule due to errors /home/devel/workstation.conf:10: keep state is great, but only for pass rules /home/devel/workstation.conf:10: skipping rule due to errors /home/devel/workstation.conf:10: rule expands to no valid combination /home/devel/workstation.conf:29: keep state is great, but only for pass rules /home/devel/workstation.conf:29: skipping rule due to errors /home/devel/workstation.conf:29: rule expands to no valid combination pfctl: Syntax error in config file: pf rules not loaded </pre></div> <p>The problem is the <code>keep state</code> option in block rules, e.g.:</p> <div class="codehilite"><pre>block in log quick on eth0 inet from self to any keep state </pre></div> <p>Right clicking on <code>options</code> in <code>Workstation / Policy</code>, under the <code>State Tracking</code> tab in the resulting options dialogue there is a force <code>keep state</code> option for the rule. This appears to have no effect (checked on unchecked), and seems to default to activated, causing the error on attempting to load the rule set.</p></div>MGR AdminThu, 29 Oct 2015 18:30:58 -0000https://sourceforge.netdb31e5d318e5069357f86750d8e2dc9b6d9140a6