Project

General

Profile

Actions
Copy link

Bug #1635

closed

timeout setting on firewall rules does not work for UDP

Added by Adam Gundy almost 13 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Adam Gundy
Category:
Rules / NAT
Target version:
2.5.0
Start date:
07/02/2011
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.0
Affected Architecture:

Description

the 'state timeout' firewall rule setting (under 'advanced options') has no effect on UDP connections. that's because it only applies the 'tcp.established' setting to the firewall rule. it should also apply 'udp.multiple'.

the code in question is /etc/inc/filter.inc, line 1959. instead of 'tcp.established NNN' is should add 'tcp.established NNN, udp.multiple NNN'

Actions
Copy link
 #1

Updated by Evgeny Yurchenko almost 13 years ago

Now if I configure this option through gui for different types of traffic I get this:
pass in quick on em0 inet from 1.1.1.1 to any flags S/SA keep state (tcp.established 10) label "USER_RULE"
pass in quick on em0 inet proto udp from 1.1.1.1 to any keep state (tcp.established 10) label "USER_RULE"
pass in quick on em0 inet proto tcp from 1.1.1.1 to any flags S/SA keep state (tcp.established 10) label "USER_RULE"

Are we sure that the next would be better (I am not sure about syntax):
pass in quick on em0 inet from 1.1.1.1 to any flags S/SA keep state (tcp.established 10, udp.multiple 10) label "USER_RULE"
pass in quick on em0 inet proto udp from 1.1.1.1 to any keep state (udp.multiple 10) label "USER_RULE"
pass in quick on em0 inet proto tcp from 1.1.1.1 to any flags S/SA keep state (tcp.established 10) label "USER_RULE"

Actions
Copy link
 #2

Updated by Adam Gundy almost 13 years ago

I'd assume that the 'udp' timeout is ignored for non-UDP traffic, in the same way as the 'tcp' timeout is ignored for non-TCP traffic, so it should be safe to simply apply both. no need to get clever in the rule writing code..

Actions
Copy link
 #3

Updated by Viktor Gurov over 3 years ago

  • Affected Version changed from 2.0 to 2.5.0
Actions
Copy link
 #4

Updated by Renato Botelho over 3 years ago

  • Status changed from New to Feedback
  • Assignee set to Viktor Gurov
  • Target version set to 2.5.0

PR has been merged. Thanks!

Actions
Copy link
 #5

Updated by Viktor Gurov over 3 years ago

  • % Done changed from 0 to 100
Actions
Copy link
 #6

Updated by Anonymous over 3 years ago

  • Assignee changed from Viktor Gurov to Adam Gundy
Actions
Copy link
 #7

Updated by Viktor Gurov over 3 years ago

  • Status changed from Feedback to Resolved

works as expected on 2.5.0.a.20210113.0250 -
pfctl successfully loads rules with `udp.multiple` and `other.multiple` options,
timeout works fine, see https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+12.2-RELEASE+and+Ports&arch=default&format=html:


ICMP    and UDP    are handled in a fashion similar to TCP, but with a
       much    more limited set of states:

       udp.first
         The state after the first packet.
       udp.single
         The state if the source host sends more than one packet but
         the destination host has never    sent one back.
       udp.multiple
         The state if both hosts have sent packets.
       icmp.first
         The state after the first packet.
       icmp.error
         The state after an ICMP error came back in response to    an
         ICMP packet.

       Other protocols are handled similarly to UDP:

       other.first
       other.single
       other.multiple

Actions
Copy link

Also available in: Atom PDF