From: Eric Popelka
To: freebsd-questions@freebsd.org
Date: Wed, 26 Nov 2014 22:19:48 -0500
Message-ID: <54769854.5030403@cox.net>
Subject: Re: My ipfilter rules are overreaching...
References: <5476781D.2060904@cox.net>

Ahhh! Silly me

a) didn't realize that he was reading the man page for ipf(8), not ipf(5)
b) thought 'quick' meant "Quickly log this."

Removing 'quick' from the last 'block in' clause, then adding 'quick' to my ISP subnet "pass in" gives me the behavior I want. I didn't move the lines around.

Thanks!

-Eric

On 11/26/14 9:57 PM, Jon Radel wrote:
> On 11/26/14, 8:02 PM, Eric Popelka wrote:
>> ### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###
>>
>> # Allow in the whole subnet assigned to my cable modem
>> # (hack, eventually want to just allow access to certain ports)
>> pass in log first on xn0 from 72.205.44.0/23 to any
>>
>> # Keep out hax0rs
>> block in log first quick on xn0 all
>>
>
> from man 5 ipf:
>
> First match vs last match
> To change the default behaviour from being the last matched rule decides the outcome to being the first matched rule, the word "quick" is inserted to the rule.
>
> Sooo...if I read your rule snippet correctly, you're asking ipf to consider allowing traffic in from 72.205.44.0/23, pending finding a later rule that overrides that pass, so it continues along until it hits a block statement that not only applies but has a "quick" to boot. I certainly wouldn't expect that pass rule to ever do anything.
>
> What happens if you put a "quick" in the pass? Or move the block to the very top of the file without the "quick"?
>
> --Jon Radel jon@radel.com
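As an added illustration of the evaluation order Jon quotes from ipf(5) and of the two fixes discussed in the thread (example code written for this page, not code from the ipf project or from either poster): a small Python model of ipfilter's "last matching rule decides, unless a matching rule says quick" semantics, run over the original two-rule snippet, Eric's fix (quick moved to the pass rule) and Jon's alternative (block moved to the top without quick). The parser understands only the keywords those rules use; the rulesets, the test addresses and the default-pass-when-nothing-matches setting are constructed assumptions, not copied from anyone's configuration.

```python
"""
Model of ipfilter rule evaluation, as quoted from ipf(5) in the thread:
  - rules are checked top to bottom;
  - by default the LAST matching rule decides the outcome;
  - a matching rule that carries 'quick' ends evaluation immediately.
Only the subset of ipf(5) syntax used in the thread is parsed
(action, direction, 'log first', 'quick', 'on <iface>', 'from <cidr>'/'all').
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                                  # 'pass' or 'block'
    direction: str                               # 'in' or 'out'
    quick: bool                                  # stop at this rule if it matches
    iface: Optional[str]                         # None: any interface
    src: Optional[ipaddress.IPv4Network]         # None: 'all' / 'from any'


def parse_rule(line: str) -> Rule:
    """Parse one rule line in the thread's ipf(5) subset."""
    words = line.split()
    action, direction = words[0], words[1]
    quick = "quick" in words
    iface = words[words.index("on") + 1] if "on" in words else None
    src = None
    if "from" in words:
        token = words[words.index("from") + 1]
        if token != "any":
            src = ipaddress.ip_network(token, strict=False)
    return Rule(action, direction, quick, iface, src)


def evaluate(rules: List[Rule], src_ip: str, direction: str = "in",
             iface: str = "xn0", default: str = "pass") -> str:
    """Return the action ipf takes for one inbound packet under these rules.

    'default' is what happens when no rule matches at all (assumed 'pass',
    which is ipfilter's behaviour with an empty ruleset).
    """
    ip = ipaddress.ip_address(src_ip)
    decision = default
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.iface is not None and rule.iface != iface:
            continue
        if rule.src is not None and ip not in rule.src:
            continue
        decision = rule.action      # last match wins ...
        if rule.quick:
            break                   # ... unless the matching rule says 'quick'
    return decision


# Constructed rulesets mirroring the thread (comments and 'log first' kept).
ORIGINAL = [  # Eric's first attempt: pass without quick, block with quick
    "pass in log first on xn0 from 72.205.44.0/23 to any",
    "block in log first quick on xn0 all",
]
QUICK_ON_PASS = [  # Eric's fix: quick moved from the block to the pass
    "pass in log first quick on xn0 from 72.205.44.0/23 to any",
    "block in log first on xn0 all",
]
BLOCK_FIRST = [  # Jon's alternative: block at the top, no quick anywhere
    "block in log first on xn0 all",
    "pass in log first on xn0 from 72.205.44.0/23 to any",
]

SUBNET_HOST = "72.205.44.10"     # constructed address inside 72.205.44.0/23
OUTSIDE_HOST = "198.51.100.7"    # constructed address outside it (TEST-NET-2)


def decide(ruleset: List[str], src_ip: str) -> str:
    """Parse a ruleset and return ipf's decision for a packet from src_ip."""
    return evaluate([parse_rule(line) for line in ruleset], src_ip)


if __name__ == "__main__":
    for name, ruleset in (("ORIGINAL", ORIGINAL),
                          ("QUICK_ON_PASS", QUICK_ON_PASS),
                          ("BLOCK_FIRST", BLOCK_FIRST)):
        print(f"{name:14s} subnet host -> {decide(ruleset, SUBNET_HOST)}, "
              f"outside host -> {decide(ruleset, OUTSIDE_HOST)}")
```

Running it shows the behaviour Jon predicted: under ORIGINAL the pass rule matches but is then overridden by the later quick block, so the subnet host is blocked along with everything else; under both QUICK_ON_PASS and BLOCK_FIRST the subnet host passes while outside hosts are still blocked. The difference between the two working variants is only evaluation cost and readability, which is why Eric's change (no reordering, just moving quick) was enough.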