Date: Fri, 8 Nov 2013 16:12:08 +0100
From: claudiu vasadi <claudiu.vasadi@gmail.com>
To: Jason Hellenthal <jhellenthal@dataix.net>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: FreeBSD 9.1-STABLE - pf rule being ignored
Message-ID: <CAM-i3igAUv-GwX7M8EUWuZjCj2=enFCFtm6xuC%2BKqKvBo69bkA@mail.gmail.com>
In-Reply-To: <6BF6F30B-F937-4C59-819A-770489B90343@dataix.net>
References: <CAM-i3ihX43UxmrM-ThOP=nK2qr=jMpzab-zB7o_x--C2eDWUKg@mail.gmail.com> <C55476A9-F352-4615-9DFB-8705D583DCC1@dataix.net> <6BF6F30B-F937-4C59-819A-770489B90343@dataix.net>
>> And that should accomplish what you are trying to do IIUC.

I already accomplished what I wanted. I'm simply trying to understand why I
had to go about it this way. lo0 already has a skip on it.

On Fri, Nov 8, 2013 at 3:08 PM, Jason Hellenthal <jhellenthal@dataix.net> wrote:
> Should say too . . . don't forget to either skip on lo0 or pass on lo0
>
> On Nov 8, 2013, at 9:05, Jason Hellenthal <jhellenthal@dataix.net> wrote:
>
> > Curious if your line breaks are correct? Your block and pass rule appear
> > to be on the same line.
> >
> > This should do it . . .
> >
> > block in all
> > block return in quick from !$internal_ip to $external_ip
> > pass out all keep state
> >
> > But if you already have a block all rule there is no need for the second,
> > as you're already blocking all traffic, so I might suggest this, not knowing
> > your topology.
> >
> > I also would not suggest "return" for non-internal traffic except for
> > specific targeted services that it might affect.
> >
> > . . .
> > :BEGIN
> >
> > spoof on lo0
> > spoof on $ext_if
> >
> > block all
> > pass out quick from $me
> > pass in quick from $int to $me
> >
> > :END
> >
> > And that should accomplish what you are trying to do IIUC.
> >
> > You can use pftop to verify packets on hit rules.
> >
> >> On Nov 8, 2013, at 8:41, claudiu vasadi <claudiu.vasadi@gmail.com> wrote:
> >>
> >> Hi all,
> >>
> >> I have a 9.1-STABLE r251615 acting as a firewall.
> >>
> >> The rules:
> >> block in all pass out all keep state [...] block return from !$internal_ip to $external_ip
> >>
> >> What I want is to block all the network except $internal from accessing
> >> $external_ip. For some reason, the above rule simply does not work.
> >> However, the below does work and blocks everyone except $internal_ip:
> >>
> >> block return from $internal_net/24 to $external_ip pass from $internal_ip to $external_ip
> >>
> >> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
> >> should work like in the first example.
> >>
> >> PS: Yes, I can see the rule with pfctl -sr and it does translate properly.
> >>
> >> --
> >> Best regards,
> >> Claudiu Vasadi

--
Best regards,
Claudiu Vasadi
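Added example, not from the thread or from pf itself: a small Python model of the rule-ordering semantics that Jason's `quick` suggestion relies on (the last matching rule wins, unless a matching rule carries `quick`, which stops evaluation). The rulesets and addresses are constructed stand-ins for the thread's macros; interfaces and `keep state` are not modeled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """One simplified pf rule; state tracking and interfaces are not modeled."""
    action: str             # "block" or "pass"
    direction: str = "any"  # "in", "out" or "any" (no direction given)
    quick: bool = False
    src: str = "any"        # host or CIDR; leading "!" negates
    dst: str = "any"

def _addr_matches(spec, addr):
    """True if addr is covered by spec; a leading '!' negates the test."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def evaluate(rules, direction, src, dst):
    """pf order: the last matching rule wins, unless a matching rule is
    marked quick, in which case evaluation stops at that rule."""
    verdict = "pass"  # pf's default when nothing matches
    for r in rules:
        if r.direction not in ("any", direction):
            continue
        if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict

# Constructed addresses standing in for $internal_ip, $external_ip/$me and an outside host.
INTERNAL_IP, EXTERNAL_IP, OUTSIDER = "192.168.1.10", "198.51.100.1", "203.0.113.7"

# Ruleset A: a negated block followed by a later plain pass. Without
# quick the pass is the last match, so the block looks "ignored".
RULES_A = [
    Rule("block", src=f"!{INTERNAL_IP}", dst=EXTERNAL_IP),
    Rule("pass", "in"),
]
# Ruleset B: the shape Jason suggests, block all then quick passes.
RULES_B = [
    Rule("block"),
    Rule("pass", "out", quick=True, src=EXTERNAL_IP),
    Rule("pass", "in", quick=True, src=INTERNAL_IP, dst=EXTERNAL_IP),
]
```

Call `evaluate(RULES_A, "in", OUTSIDER, EXTERNAL_IP)` to see the outsider passed under ruleset A, and the same call with `RULES_B` to see it blocked while internal-to-external traffic still passes.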