Date: Fri, 8 Nov 2013 09:08:25 -0500
From: Jason Hellenthal <jhellenthal@dataix.net>
To: claudiu vasadi <claudiu.vasadi@gmail.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: FreeBSD 9.1-STABLE - pf rule being ignored
Message-ID: <6BF6F30B-F937-4C59-819A-770489B90343@dataix.net>
In-Reply-To: <C55476A9-F352-4615-9DFB-8705D583DCC1@dataix.net>
References: <CAM-i3ihX43UxmrM-ThOP=nK2qr=jMpzab-zB7o_x--C2eDWUKg@mail.gmail.com> <C55476A9-F352-4615-9DFB-8705D583DCC1@dataix.net>
Should say too . . . don't forget to either skip on lo0 or pass on lo0

> On Nov 8, 2013, at 9:05, Jason Hellenthal <jhellenthal@dataix.net> wrote:
>
> Curious if your line breaks are correct? Your block and pass rule appear to be on the same line.
>
> This should do it . . .
>
> block in all
> block return in quick from !$internal_ip to $external_ip
> pass out all keep state
>
>
> But if you already have a block all rule there is no need for the second, as you're already blocking all traffic, so I might suggest this, not knowing your topology.
>
> I also would not suggest "return" for non internal traffic except for specific targeted services that it might affect.
> . . .
> :BEGIN
>
> antispoof for lo0
> antispoof for $ext_if
>
> block all
> pass out quick from $me
> pass in quick from $int to $me
>
> :END
>
> And that should accomplish what you are trying to do IIUC.
>
> You can use pftop to verify packets on hit rules.
>
>> On Nov 8, 2013, at 8:41, claudiu vasadi <claudiu.vasadi@gmail.com> wrote:
>>
>> Hi all,
>>
>> I have a 9.1-STABLE r251615 acting as a firewall.
>>
>> The rules:
>> block in all pass out all keep state [...] block return from !$internal_ip
>> to $external_ip
>>
>>
>>
>> What I want is to block all the network except $internal from accessing
>> $external_ip. For some reason, the above rule simply does not work.
>> However, the below does work and blocks everyone except $internal_ip:
>>
>> block return from $internal_net/24 to $external_ip
>> pass from $internal_ip to $external_ip
>>
>>
>> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
>> should work like in the first example.
>>
>> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
>>
>> --
>> Best regards,
>> Claudiu Vasadi
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
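The ruleset suggested above depends on pf's matching order: the last rule that matches a packet decides, unless a matching rule is marked quick, which ends evaluation at once. The following is an added Python model of exactly that behaviour, not code from the thread, evaluating the suggested rules against constructed packets; the addresses stand in for $int and $me and are placeholders.

```python
# Simplified model of pf rule matching (added illustration, not pf itself):
# rules are checked top to bottom, the LAST matching rule wins, and a matching
# rule marked "quick" stops evaluation immediately. Only action, direction,
# source, destination, negation and quick are modelled; macros, interfaces,
# "return", "keep state", protocols and ports are ignored.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    direction: str = "any"  # "in", "out" or "any"
    src: str = "any"        # address or CIDR, "any", or "!..." for negation
    dst: str = "any"
    quick: bool = False

def addr_matches(spec: str, addr: str) -> bool:
    """Match one address against a rule operand, honouring a leading '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return hit != negate

def evaluate(rules, direction: str, src: str, dst: str) -> str:
    """Return the final verdict for one packet; pf passes when nothing matches."""
    verdict = "pass"
    for r in rules:
        if r.direction != "any" and r.direction != direction:
            continue
        if not (addr_matches(r.src, src) and addr_matches(r.dst, dst)):
            continue
        verdict = r.action   # later matches override earlier ones...
        if r.quick:
            break            # ...unless the match is quick
    return verdict

# Constructed placeholder addresses for the thread's $int and $me macros.
INT = "192.168.1.0/24"      # trusted internal network ($int)
ME = "203.0.113.5"          # the firewall's own address ($me)
OTHER = "198.51.100.7"      # some unrelated host

# The :BEGIN/:END ruleset from the reply, as this model expresses it.
SUGGESTED = [
    Rule("block"),
    Rule("pass", "out", src=ME, quick=True),
    Rule("pass", "in", src=INT, dst=ME, quick=True),
]
# Same rules without quick and with "block all" last: the block matches last and wins.
WITHOUT_QUICK = [
    Rule("pass", "out", src=ME),
    Rule("pass", "in", src=INT, dst=ME),
    Rule("block"),
]
```

Running evaluate() over a few packets shows why a "block all" placed after pass rules that lack quick silently overrides them, which is the first thing to check when a pf rule appears to be ignored.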
