Date: Wed, 26 Nov 2014 21:57:23 -0500 From: Jon Radel <jon@radel.com> To: Eric Popelka <arickp@cox.net>, freebsd-questions@freebsd.org Subject: Re: My ipfilter rules are overreaching... Message-ID: <54769313.7020304@radel.com> In-Reply-To: <5476781D.2060904@cox.net> References: <5476781D.2060904@cox.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On 11/26/14, 8:02 PM, Eric Popelka wrote:
> ### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###
>
> # Allow in the whole subnet assigned to my cable modem
> # (hack, eventually want to just allow access to certain ports)
> pass in log first on xn0 from 72.205.44.0/23 to any
>
> # Keep out hax0rs
> block in log first quick on xn0 all
>
>
from man 5 ipf:
First match vs last match
To change the default behaviour from being the last
matched rule
decides the outcome to being the first matched rule, the word
"quick"
is inserted to the rule.
Sooo...if I read your rule snippet correctly, you're asking ipf to
consider allowing traffic in from 72.205.44.0/23, pending finding a
later rule that overrides that pass, so it continues along until it hits
a block statement that not only applies but has a "quick" to boot. I
certainly wouldn't expect that pass rule to ever do anything.
What happens if you put a "quick" in the pass? Or move the block to the
very top of the file without the "quick"?
--Jon Radel
jon@radel.com
[-- Attachment #2 --]
0 *H
01
0 +�0 *H
��
00mOj3""2zq0
*H
�01
0 UUS1
0 UUT10USalt Lake City1
0
U
The USERTRUST Network1!0 U
http://www.usertrust.com1604U-UTN-USERFirst-Client Authentication and Email0
110428000000Z
200530104838Z01
0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA0"0
*H
��0
�[KW^/@ȣSX_fe2N2}UxLUB'qi2@'Vbqi c^`ʢAj HmeC*.+c8w߱ڂ2jgo \5Tq
7
PSl
Y1 LR@[HhJ$ :q_㬿;%qh=XF<hmz!W42~JRrd&N`ohQcB}"cөΞD\[5�K0G0 U
#0g}ĝ&p�KPH|=n}0
U
zN�t[xcd'/[y{0U
0U
0�0U
00U
�0XU
Q0O0MKIGhttp://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0t+h0f0=+01http://crt.usertrust.com/UTNAddTrustClient_CA.crt0%+0http://ocsp.usertrust.com0
*H
��־xWUm3DRB
JAIZҭsn>&|L0(B<%>
u=9fѡMo(l
tZڱuz/y
VtCr`9 G:eH<=%`I?C
3_н`j;:< I3B)93i.EMiڀ
=]|Gm]W0KID~y83:]&XaU!ՙC@B0Ұun00ʠQu5:FqxP0
*H
�01
0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CA0
120327000000Z
150327235959Z01
0 UUS10
U221501
0 UVA10U
Springfield10U 6917 Ridgeway Dr.10U
Jon T. Radel1200U
)Issued through Jon T. Radel E-PKI Manager1 0
U
Corporate Secure Email10U Jon Radel1
0 *H
jon@radel.com0"0
*H
��0
�ˮ~! GNz^ts3B&z3"'^,WrF�6IUleMc
�t17ޔbWJvW:$
AlÕ
d(H U�ጋq?Ӫ
Oa0 dZ[LpS՛[
4u6xҚ[//�Vvߢns( `
V8-r9̼Ta6XY{7
'MI#Bʬ
D'I/K�00 U
#0zN�t[xcd'/[y{0
U
|
1̴Ww0U
0
U
0�0
U
%0++0FU
?0=0;
+10+0)+
https://secure.comodo.net/CPS0WU
P0N0LJHFhttp://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl0+|0z0R+0Fhttp://crt.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crt0$+0http://ocsp.comodoca.com0U
0
jon@radel.com0
*H
��$ X͌lnkGIms\~zt1cKE"͋;xܘG"fjo4 ºw*e`^VU
>ߤBµYZU@zH(۷F
k3TH_Ojb۟ߩhA3u/;MКwtPrAyʣ+,Xɕ8tA
"wjOyܬI$<vS8a`A\ XyQ10001
0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CAQu5:FqxP0 +�E0 *H
1
*H
0
*H
1
141127025723Z0# *H
1.`ƤSnH'ogYfw0l *H
1_0]0
`He*0
`He0
*H
0*H
�0
*H
@0+0
*H
(0 +71001
0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CAQu5:FqxP0
*H
101
0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1907U0COMODO Client Authentication and Secure Email CAQu5:FqxP0
*H
��1a{d
]WI(v']~.l*)fYmo .+XyM
zEY*cdnΕ8jr־pc<
~tcS q-CL&dϗomT:
tjGX
P*Z>j<X;_']nP@ra竼 tob#bYϡVw/AM
N._vTusN������
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54769313.7020304>