Monday, September 23, 2024

Re: PF block traffic on Virtual Network. Bug?



1 - PF with the 'no state' rule should let the traffic flow,
    it means that PF has a bug, or
2 - PF behaves as expected and traffic must not flow, or
3 - the 'no state' rule is the wrong rule to let the traffic flow.
    If so, I don't know what rule should be used in /etc/pf.conf.

Any thought is more than welcome


I configured pfsync0 on 192.168.3.0/24.
With this, ping works. As far as I understand, each echo request
generates a state in PF, and this state is shared from VTEP1 to VTEP2.
Anyway, ssh doesn't work. The tcp connection from 10.13.11.1 to VM2
is established. At this moment I see, with pfctl -s state, SYN entries for
10.13.11.1 to VM2. But, after a while, ssh disconnects.
The disconnection happens when the SYN entries in the PF state table are deleted, after a certain timeout.
I see no ESTABLISHED:ESTABLISHED state at any moment, neither on VTEP1 nor on VTEP2,
and I think that this is the reason for the disconnection.

For now, I've resolved it by setting no state on packets from 192.168.3.0/24 to 10.13.0.0/16, and vice versa,
and removing the pfsync0 interfaces on both VTEPs. ssh and ping work this way.

Anyway, I would like to explore a configuration with pfsync that would work with ping and at least ssh.
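The stateless workaround described in the message above, written out as pf.conf rules. This is an added example and not part of the original post; the macro names, the rule ordering and the verification commands in the comments are assumptions about how such a setup would be expressed, not something the poster published. The point a practitioner should take from it is that a rule with no state matches only the packets it names: nothing remembers the connection, so both directions must be listed explicitly, and for TCP the rule must match every segment of the connection, not just the SYN, which is why flags any is spelled out.

```pf
# /etc/pf.conf fragment (added example, not from the original post).
# Traffic between the pfsync/underlay network and the overlay network
# is passed without creating state, so neither VTEP needs pfsync0.
# The macro names and rule layout are assumptions; the prefixes are
# the ones given in the message above.

underlay = "192.168.3.0/24"
overlay  = "10.13.0.0/16"

# TCP first: "flags any" makes the rule match every segment of a
# connection (SYN, ACK, FIN, RST), not only the opening SYN. Without
# state there is no entry to carry the connection after the SYN, so
# a rule that only matched SYN would drop the rest of the session.
pass quick proto tcp from $underlay to $overlay flags any no state
pass quick proto tcp from $overlay to $underlay flags any no state

# Everything else (ICMP for ping, UDP, ...) between the two networks.
# Both directions are needed: with "no state" the reply packets are
# not matched against any state entry and need their own pass rule.
pass quick from $underlay to $overlay no state
pass quick from $overlay to $underlay no state

# Checks (run as root on each VTEP):
#   pfctl -nf /etc/pf.conf        # parse only; catches syntax errors
#   pfctl -f /etc/pf.conf         # load the ruleset
#   pfctl -s rules                # confirm the four rules are present
#   pfctl -s state | grep 10.13.  # expect no entries for this traffic;
#                                 # the SYN entries that used to expire
#                                 # and cut the ssh session are gone
```

Note the trade-off: for the traffic these rules cover, PF is no longer doing stateful inspection, so the rules must be exactly as broad as the traffic you intend to allow and no broader; "quick" keeps later, stateful rules from being consulted for these packets.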
