Date: Thu, 16 Sep 2004 04:00:50 -0000
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: problem with 'user'
Message-ID: <20040202022434.GA676@kt-is.co.kr>
In-Reply-To: <200402011931.28647.max@love2party.net>
References: <20040130123456.GA773@fried.sakeos.net> <20040131070219.GA72233@kt-is.co.kr> <20040131170657.GA5331@fried.sakeos.net> <200402011931.28647.max@love2party.net>
On Sun, Feb 01, 2004 at 07:31:28PM +0100, Max Laier wrote:
> On Saturday 31 January 2004 18:06, jb wrote:
> > thanks - patch applies cleanly against 2.02 (out of the port tree).
> > All things related for 'user' seem to work, but there's like an anomaly
>
> Great, thanks for your report - we will update the port soon.
>
> > - 'pass all' for a user contaminates ICMP rules.
> >
> > rules like:
> > pass in on lo0 all
> > pass out on lo0 all
> > block in log all
> > block out log all
> >
> > lock the box (of course). Adding the following:
> > pass out all user boludo keep state
> >
> > allows all users to ping outside. Also adding
> > block out log proto icmp
> >
> > doesn't seem to change anything.
>
> I wasn't able to reproduce this:
>
Me too here.
> While doing $ping 192.168.4.1 as user 1001
>
> >> pfctl -vvsr
> @4 pass out all user = 1001 keep state
> [ Evaluations: 14 Packets: 782 Bytes: 96317 States: 1 ]
> @5 block drop out log proto icmp all
> [ Evaluations: 14 Packets: 5 Bytes: 420 States: 0 ]
> >> pftcpdump -s2000 -nvvvei pflog0
> pftcpdump: WARNING: pflog0: no IPv4 address assigned
> pftcpdump: listening on pflog0
> 19:26:38.244893 rule 5/0(match): block out on rl0: 192.168.4.88 >
> 192.168.4.1: icmp: echo request (ttl 64, id 32357, len 84)
>
> Can you check if there is a leftover state entry that matches? If you
> reload the ruleset the states are not necessarily flushed. Use $pfctl -Fs
> before you load the new ruleset. Or check for matching states with
> $pfctl -vss
>
> Please let us know if that was the case and we can assume that the user
> stuff is working correctly now. Anyone else seeing this?
>
As Max mentioned, please check stale states.
If you still have problems, please let us know.
Thanks.

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
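As an added illustration (not part of the thread above, and not code from the pf project), the script below does the check Max suggests: it parses `pfctl -vss` output and lists the existing state entries that a newly loaded `block out proto icmp` rule would never see, because packets matching a state are passed before the ruleset is evaluated. The sample output is constructed, and the column layout (interface, protocol, src, direction arrow, dst, state, then an indented detail line ending in `rule N`) is assumed from pf 2.x-era pfctl; compare it against what your own `pfctl -vss` prints before relying on the parser.

```python
import re

# Constructed sample of `pfctl -vss` output (layout assumed, not captured
# from the reporter's machine). The icmp entry is the kind of leftover
# state created by "pass out all user boludo keep state" before reload.
SAMPLE_STATES = """\
self tcp 192.168.4.88:40122 -> 192.168.4.1:22       ESTABLISHED:ESTABLISHED
   age 00:02:11, expires in 23:57:49, 120:98 pkts, 9120:7812 bytes, rule 4
self icmp 192.168.4.88:512 -> 192.168.4.1:512       0:0
   age 00:00:03, expires in 00:00:07, 5:5 pkts, 420:420 bytes, rule 4
self udp 192.168.4.88:53122 -> 192.168.4.1:53       SINGLE:MULTIPLE
   age 00:00:01, expires in 00:00:29, 1:1 pkts, 64:180 bytes, rule 4
"""

# First line of each state entry: "<if> <proto> <src> <arrow> <dst> <state>".
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<arrow>[<>-]+)\s+(?P<dst>\S+)\s+(?P<st>\S+)$"
)
# Indented detail line carries the rule number the state was created by.
DETAIL_RE = re.compile(r"rule (?P<rule>\d+)")


def parse_states(text):
    """Return a list of dicts, one per state entry, from `pfctl -vss` text."""
    states = []
    cur = None
    for line in text.splitlines():
        if not line.startswith(" "):
            m = STATE_RE.match(line.strip())
            if m:
                cur = m.groupdict()
                cur["rule"] = None
                states.append(cur)
        elif cur is not None:
            m = DETAIL_RE.search(line)
            if m:
                cur["rule"] = int(m.group("rule"))
    return states


def stale_states_for(states, proto, direction="out"):
    """States for `proto` in `direction` that bypass a new block rule.

    pf consults the state table before the ruleset, so any entry listed
    here keeps passing traffic until it expires or is flushed
    (`pfctl -Fs`), no matter what the reloaded ruleset says.
    """
    arrow = "->" if direction == "out" else "<-"
    return [s for s in states if s["proto"] == proto and s["arrow"] == arrow]


if __name__ == "__main__":
    for s in stale_states_for(parse_states(SAMPLE_STATES), "icmp"):
        print(f"stale {s['proto']} state {s['src']} -> {s['dst']} "
              f"(created by rule {s['rule']}); flush with pfctl -Fs")
```

On a live host, feed the script the real output (`pfctl -vss | python3 check_states.py` with a stdin read in place of the constructed sample); if it lists an icmp entry from the old pass rule, that is the state the thread is talking about, and `pfctl -Fs` followed by reloading the ruleset clears it.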