Date: Fri, 10 Mar 2006 18:12:38 -0500
From: "Jacob, Raymond A Jr" <raymond.jacob@navy.mil>
To: <freebsd-pf@freebsd.org>
Subject: Two(2) questions regarding quick and adding rules later.
Message-ID: <653C8E7D21FB654997909E77C691053F446ADB@NAEAWNYDEX21VA.nadsusea.nads.navy.mil>
O/S: FreeBSD 6.0
All traffic is blocked unless I use quick.
tcpdump -n -e -ttt -r /var/log/pflog
showed traffic was blocked by the last rule unless I added quick to the pass rules.
I thought the matching rules would have overridden the block rule?
One more question: bundle0 is composed of two(2) interfaces bonded together.
Is there a way to bring up the firewall when all the physical interfaces are up
and then, once the bundle0 interface is up, add:
public_if = "bundle0"
pass in quick on $public_if all
to the rules in memory?
I have the following working (obfuscated) pf.conf in my /usr/home/bigdaddy directory
=====pf.conf====
dns_servers = "{ X , Y , Z }"
mngmt_if= "myi0"
mngmt_net= "xx.yy.zz.0/24"
public_if = "bundle0"
ids = "A"
port3 = "4444"
allowed_ports = "{" "port1, port2," $port3 "}"
set loginterface $mngmt_if
pass in quick on $public_if all
pass in log-all quick on $mngmt_if proto tcp from $mngmt_net to $ids port $allowed_ports keep state
pass out log-all quick on $mngmt_if proto {tcp,udp} from $ids to $dns_servers port 53 keep state
pass in log-all quick on $mngmt_if proto icmp from $mngmt_net to $ids icmp-type 8 code 0 keep state
pass out log-all quick on $mngmt_if proto icmp from $ids to any icmp-type 8 code 0 keep state
pass out log-all quick on $mngmt_if proto { tcp, udp } all keep state
block in log-all on $mngmt_if all
block out log-all on $mngmt_if all
============
kldload shows pf.ko loaded
When I boot, my rc.conf file has
pf_enable="YES"
pf_flags="-d"
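The behaviour described above (pass rules losing to the trailing block rules until quick was added) follows from pf's "last matching rule wins" evaluation. The following is an added example, not part of the original post or of pf itself: a small Python model of that evaluation order, applied to a simplified version of the posted ruleset (addresses, protocols, ports and state are ignored; only direction and interface are matched). It also shows the conventional block-first layout, which needs no quick at all.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str             # interface the rule is bound to
    quick: bool = False    # stop evaluating once this rule matches

@dataclass
class Packet:
    direction: str
    iface: str

def evaluate(rules, pkt):
    """Model of pf evaluation: walk every rule in order; the LAST rule that
    matches decides, unless a matching rule is marked quick, which ends the
    walk immediately. A packet matching no rule at all is passed."""
    decision = "pass"
    for r in rules:
        if r.direction == pkt.direction and r.iface == pkt.iface:
            decision = r.action
            if r.quick:
                break
    return decision

MGMT = "myi0"                 # the poster's $mngmt_if (obfuscated name from the post)
PKT_IN = Packet("in", MGMT)   # constructed: a packet arriving on the management interface

def decision_without_quick():
    """The poster's layout with 'quick' removed: pass rules first, block rules last."""
    rules = [Rule("pass", "in", MGMT), Rule("pass", "out", MGMT),
             Rule("block", "in", MGMT), Rule("block", "out", MGMT)]
    return evaluate(rules, PKT_IN)   # -> "block": the trailing block matches last

def decision_with_quick():
    """Same order, but the pass rules carry 'quick' as in the posted pf.conf."""
    rules = [Rule("pass", "in", MGMT, quick=True), Rule("pass", "out", MGMT, quick=True),
             Rule("block", "in", MGMT), Rule("block", "out", MGMT)]
    return evaluate(rules, PKT_IN)   # -> "pass": quick stops at the first match

def decision_block_first():
    """The usual pf idiom: default-deny first, specific passes after it, so
    last-match semantics give the passes precedence with no 'quick' needed."""
    rules = [Rule("block", "in", MGMT), Rule("block", "out", MGMT),
             Rule("pass", "in", MGMT), Rule("pass", "out", MGMT)]
    return evaluate(rules, PKT_IN)   # -> "pass"
```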
