Date:      Thu, 16 Sep 2004 04:00:25 -0000
From:      Max Laier <max@love2party.net>
To:        pf4freebsd@freelists.org, jb <jb@riseup.net>
Subject:   [pf4freebsd] Re: problem with 'user'
Message-ID:  <200402011931.28647.max@love2party.net>
In-Reply-To: <20040131170657.GA5331@fried.sakeos.net>
References:  <20040130123456.GA773@fried.sakeos.net> <20040131070219.GA72233@kt-is.co.kr> <20040131170657.GA5331@fried.sakeos.net>

On Saturday 31 January 2004 18:06, jb wrote:
> thanks - patch applies cleanly against 2.02 (out of the port tree).
> All things related for 'user' seem to work, but there's like an anomaly

Great, thanks for your report - we will update the port soon.

> - 'pass all' for a user contaminates ICMP rules.
>
> rules like:
>    pass in on lo0 all
>    pass out on lo0 all
>    block in log all
>    block out log all
>
> lock the box (of course).  Adding the following:
>    pass out all user boludo keep state
>
> allows all users to ping outside.  Also adding
>    block out log proto icmp
>
> doesn't seem to change anything.

I wasn't able to reproduce this:

While doing $ping 192.168.4.1 as user 1001

>> pfctl -vvsr
@4 pass out all user = 1001 keep state
[ Evaluations: 14        Packets: 782       Bytes: 96317       States: 1 ]
@5 block drop out log proto icmp all
[ Evaluations: 14        Packets: 5         Bytes: 420         States: 0 ]
>> pftcpdump -s2000 -nvvvei pflog0
pftcpdump: WARNING: pflog0: no IPv4 address assigned
pftcpdump: listening on pflog0
19:26:38.244893 rule 5/0(match): block out on rl0: 192.168.4.88 > 192.168.4.1: icmp: echo request (ttl 64, id 32357, len 84)

Can you check if there is a leftover state entry that matches? If you
reload the ruleset the states are not necessarily flushed. Use $pfctl -Fs
before you load the new ruleset. Or check for matching states with
$pfctl -vss

Please let us know if that was the case and we can assume that the user
stuff is working correctly now. Anyone else seeing this?

-- 
Best regards,				| max@love2party.net
Max Laier				| ICQ #67774661
http://pf4freebsd.love2party.net/	| mlaier@EFnet
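An added example, not part of Max's mail or the pf4freebsd project: the reload order suggested above (flush states, then load the ruleset) wrapped in a function, plus a small filter that picks out of 'pfctl -vss'-style output the states involving a given peer, so a leftover state can be spotted before a rule is blamed. The state listing below is constructed to resemble pfctl output, not a real capture; the interface and address values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. pfctl is never run by the
# filter below; it only reads text, so it can be exercised on captured output.

# Reload as suggested in the thread: flush the state table first, so that a
# state created under the old ruleset cannot keep matching traffic the new
# rules would block, then load the rules and show what states remain.
pf_reload_clean() {
    conf=${1:-/etc/pf.conf}      # assumed default path
    pfctl -Fs                    # flush states
    pfctl -f "$conf"             # load the new ruleset
    pfctl -vss                   # verify: list remaining states
}

# Print the state lines (and their indented detail lines) whose addresses
# include host $1. State lines start at column 0 as "<if> <proto> a:p -> b:p";
# detail lines ("age ..., rule N") are indented and belong to the line above.
# Matching "host:" avoids 192.168.4.1 also matching 192.168.4.10.
states_for_host() {
    awk -v h="$1" '
        /^[^ \t]/ { keep = index($0, h ":") > 0 }
        keep      { print }
    '
}

# Constructed sample shaped like 'pfctl -vss' output (not a real capture).
SAMPLE='rl0 icmp 192.168.4.88:32357 -> 192.168.4.1:32357       0:0
   age 00:00:05, expires in 00:00:05, 5:5 pkts, 420:420 bytes, rule 4
rl0 tcp 192.168.4.88:49152 -> 10.0.0.9:22       ESTABLISHED:ESTABLISHED
   age 00:10:12, expires in 23:59:58, 812:904 pkts, 96317:1203300 bytes, rule 4'

# Number of ICMP states in SAMPLE that involve host $1. A non-zero count while
# a "block out proto icmp" rule is in place points at a leftover state, which
# is checked before the rules are evaluated, rather than at the rule itself.
count_icmp_states_for() {
    printf '%s\n' "$SAMPLE" | states_for_host "$1" | grep -c '^[^ ]* icmp ' || :
}

# Number of lines (state + detail) SAMPLE holds for host $1.
count_state_lines_for() {
    printf '%s\n' "$SAMPLE" | states_for_host "$1" | grep -c . || :
}
```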