From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:50:22 2004
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 674) id 06D5116A4CF; Thu, 16 Sep 2004 03:50:22 +0000 (GMT)
Delivered-To: mlaier@vampire.homelinux.org
Received: (qmail 57412 invoked by uid 1005); 2 Sep 2003 18:55:05 -0000
Delivered-To: max@vampire.homelinux.org
Received: (qmail 57409 invoked from network); 2 Sep 2003 18:55:05 -0000
Received: from moutng.kundenserver.de (212.227.126.183) by pd953010a.dip.t-dialin.net with SMTP; 2 Sep 2003 18:55:05 -0000
Received: from [212.227.126.212] (helo=mxng16.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 19uHC8-0002BU-00 for max@vampire.homelinux.org; Tue, 02 Sep 2003 21:52:04 +0200
Received: from [206.53.239.180] (helo=turing.freelists.org) by mxng16.kundenserver.de with esmtp (Exim 3.35 #1) id 19uHBz-0002Fq-00 for max@love2party.net; Tue, 02 Sep 2003 21:51:55 +0200
Received: from turing (localhost [127.0.0.1]) ESMTP id 07D9E390AF8; Tue, 2 Sep 2003 14:35:44 -0500 (EST)
Received: with ECARTIS (v1.0.0; list pf4freebsd); Tue, 02 Sep 2003 14:35:39 -0500 (EST)
Delivered-To: pf4freebsd@freelists.org
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) ESMTP id 8C0C13908B8 for ; Tue, 2 Sep 2003 14:35:32 -0500 (EST)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.12.9/8.12.6) with ESMTP id h82JZQ0K026142 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO) for ; Tue, 2 Sep 2003 21:35:26 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.12.9/8.12.6/Submit) id h82JZQr2018844 for pf4freebsd@freelists.org; Tue, 2 Sep 2003 21:35:26 +0200 (MEST)
From: Daniel Hartmeier
To: pf4freebsd@freelists.org
Message-ID: <20030902193526.GD27851@insomnia.benzedrine.cx>
References: <3F54A3F9.3010101@dequim.ist.utl.pt> <3F54A64B.6090404@dequim.ist.utl.pt> <00ce01c3715e$961a0ce0$01000001@max900> <3F54B31C.8070106@dequim.ist.utl.pt>
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3F54B31C.8070106@dequim.ist.utl.pt>
User-Agent: Mutt/1.4.1i
Content-Transfer-Encoding: 8bit
X-archive-position: 144
X-ecartis-version: Ecartis v1.0.0
Sender: pf4freebsd-bounce@freelists.org
Errors-To: pf4freebsd-bounce@freelists.org
X-original-sender: daniel@benzedrine.cx
Precedence: normal
X-list: pf4freebsd
X-UID: 259
X-Length: 3554
X-Mailman-Approved-At: Thu, 16 Sep 2004 03:55:52 +0000
Subject: [pf4freebsd] Re: pfaltq-5.1.0.4 problem using fingerprinting
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Reply-To: pf4freebsd@freelists.org
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Date: Thu, 16 Sep 2004 03:50:22 -0000
X-Original-Date: Tue, 2 Sep 2003 21:35:26 +0200
X-List-Received-Date: Thu, 16 Sep 2004 03:50:22 -0000

On Tue, Sep 02, 2003 at 04:11:24PM +0100, Bruno Afonso wrote:

> Although I'm accessing through a "local" network, I'm always accessing
> the external interface (public IP), so that's not the issue :-)

Your assumption that connecting to the external address causes pf to filter on $ext_if is wrong.

If you connect from the local network (to the external address), the packet will only pass through the internal interface. If pf lets it pass there, the stack of the pf box will detect that the destination is one of its own addresses and pass it up to the listening socket. The packet never passes the external interface, and pf never gets to filter it on the external interface.

Whether you use the internal or external address as destination just doesn't matter. This is a common misconception; I don't know where it comes from.

Daniel
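The following pf.conf fragment is an added illustration of Daniel's point; it is not a ruleset from the thread, and the interface names, the LAN prefix and the use of an OS fingerprint test are assumptions chosen to match the subject line. A LAN host that connects to the box's public address enters on $int_if and is delivered to the local socket there, so only a rule on $int_if can ever match it; a rule on $ext_if is evaluated exclusively for packets that really arrive from the outside.

```conf
# Added example, not from the thread. Interface names and the LAN prefix
# are constructed placeholders.
ext_if = "fxp0"
int_if = "xl0"
lan_net = "192.168.1.0/24"

# Default deny. Logging lets tcpdump on pflog0 show which interface a
# blocked packet was seen on, which is the quickest way to confirm the
# point made above.
block log all

# A LAN client connecting to *any* of the box's own addresses (internal or
# public) arrives on $int_if and is handed to the listening socket there.
# This rule is therefore the one that decides the connection, whichever
# address the client typed.
pass in on $int_if proto tcp from $lan_net to { $int_if, $ext_if } \
    port ssh flags S/SA keep state

# This rule only sees packets that genuinely enter on $ext_if, i.e. from
# outside. It never matches a LAN client, even one connecting to the public
# address, so a fingerprint test placed here (assumed to be what was being
# tried) appears not to work when tested from the LAN.
pass in on $ext_if proto tcp from any os "OpenBSD" to $ext_if \
    port ssh flags S/SA keep state
```

To check which rule actually handled a test connection, load the ruleset with `pfctl -nf /etc/pf.conf` (parse only), then watch the per-rule "Evaluations" and "Packets" counters in `pfctl -v -s rules` while connecting from the LAN: only the $int_if rule's counters move. Packets dropped by the `block log` rule show up in `tcpdump -n -e -ttt -i pflog0` together with the name of the interface they were blocked on, which for a LAN-originated connection to the public address is $int_if, never $ext_if.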