Date:      Fri, 30 Jun 2006 11:06:02 +0400
From:      lev-bazanov@mail.ru
To:        freebsd-pf <freebsd-pf@freebsd.org>
Subject:   problem with keyword self
Message-ID:  <1664838932.20060630110602@mail.ru>

Hello, All.

There is a problem in pf when I try to add rules with the keyword
"self". Example:

My box has three physical interfaces and one loopback interface:

fxp0 - 10.0.0.1
fxp1 - 20.0.0.1
fxp3 - 30.0.0.1
lo0  - 127.0.0.1

Add rules in pf:
---- pf.conf ----
block drop in quick from any to self
pass in quick all
---- pf.conf ----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all
#
# ifconfig fxp0 50.0.0.1
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all

Result of this command: all incoming traffic on interface fxp0 will be passed.
This situation is not correct, because I want to disable all traffic on
fxp0, even after changing the IP address on fxp0.

A similar situation happens when I try to add a rule in pf with a table which contains
an interface's name or the keyword "self". For example:
1. Table contains the name of an interface
----- pf.conf -----
table <test> { fxp0 } 
block drop in quick from any to <test>
----- pf.conf -----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules 
block drop in quick from any to <test>
# pfctl -q -t test -T show
  10.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
  10.0.0.1

2. Table contains keyword "self"
----- pf.conf ----
table <test> { self }
block drop in quick from any to <test>
----- pf.conf ----

# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick from any to <test>
# pfctl -q -t test -T show
  10.0.0.1
  20.0.0.1
  30.0.0.1
  127.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
  10.0.0.1
  20.0.0.1
  30.0.0.1
  127.0.0.1

Is there some means in pf which correctly resolves the described situations?
For example, like the "me" keyword in ipfw.

-- 
Best regards, Lev Bazanov                          mailto:lev-bazanov@mail.ru
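An added check (not part of the original message and not pf's own code) that makes the drift described above visible: it parses `pfctl -s rules` output in the format quoted in the report, compares the addresses frozen into the block rules with the current interface addresses, and reports which pinned addresses are stale and which live addresses no longer fall under the block rule. The rule text and interface addresses are constructed from the report; the parser assumes IPv4 destinations only.

```python
import re
from typing import Dict, List, Set

# Constructed sample: `pfctl -q -s rules` output after `ifconfig fxp0 50.0.0.1`.
# The "self" expansion done at load time still carries the old fxp0 address.
LOADED_RULES = """\
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all
"""

# Constructed sample: the addresses the interfaces hold right now.
CURRENT_ADDRS: Dict[str, str] = {
    "fxp0": "50.0.0.1",
    "fxp1": "20.0.0.1",
    "fxp3": "30.0.0.1",
    "lo0": "127.0.0.1",
}

# Destination address of a rule line such as "... from any to 10.0.0.1".
IPV4_DST = re.compile(r"\bto (\d{1,3}(?:\.\d{1,3}){3})\b")

def blocked_destinations(rules: str) -> Set[str]:
    """Addresses that 'block ... to <addr>' rules pin down in the loaded ruleset."""
    found = set()
    for line in rules.splitlines():
        if line.startswith("block"):
            m = IPV4_DST.search(line)
            if m:
                found.add(m.group(1))
    return found

def self_drift(rules: str, addrs: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare pinned block destinations with live interface addresses.

    'stale': still blocked, but no interface holds the address any more.
    'unprotected': live addresses no block rule covers (they fall through
    to 'pass in quick all')."""
    pinned = blocked_destinations(rules)
    live = set(addrs.values())
    return {
        "stale": sorted(pinned - live),
        "unprotected": sorted(f"{ifn} {ip}" for ifn, ip in addrs.items()
                              if ip not in pinned),
    }

if __name__ == "__main__":
    print(self_drift(LOADED_RULES, CURRENT_ADDRS))
```

Running it against the constructed samples reports 10.0.0.1 as stale and fxp0 50.0.0.1 as unprotected, which is exactly the gap the report describes; a ruleset reloaded after the address change reports nothing.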

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1664838932.20060630110602>