[pf4freebsd] Re: problem with 'user'
Pyun YongHyeon
yongari at kt-is.co.kr
Wed Sep 15 21:00:50 PDT 2004
On Sun, Feb 01, 2004 at 07:31:28PM +0100, Max Laier wrote:
> On Saturday 31 January 2004 18:06, jb wrote:
> > thanks - patch applies cleanly against 2.02 (out of the port tree).
> > All things related to 'user' seem to work, but there's like an anomaly
>
> Great, thanks for your report - we will update the port soon.
>
> > - 'pass all' for a user contaminates ICMP rules.
> >
> > rules like:
> > pass in on lo0 all
> > pass out on lo0 all
> > block in log all
> > block out log all
> >
> > lock the box (of course). Adding the following:
> > pass out all user boludo keep state
> >
> > allows all users to ping outside. Also adding
> > block out log proto icmp
> >
> > doesn't seem to change anything.
>
> I wasn't able to reproduce this:
>
Me too here.
> While doing $ping 192.168.4.1 as user 1001
>
> >> pfctl -vvsr
> @4 pass out all user = 1001 keep state
> [ Evaluations: 14 Packets: 782 Bytes: 96317 States: 1 ]
> @5 block drop out log proto icmp all
> [ Evaluations: 14 Packets: 5 Bytes: 420 States: 0 ]
> >> pftcpdump -s2000 -nvvvei pflog0
> pftcpdump: WARNING: pflog0: no IPv4 address assigned
> pftcpdump: listening on pflog0
> 19:26:38.244893 rule 5/0(match): block out on rl0: 192.168.4.88 >
> 192.168.4.1: icmp: echo request (ttl 64, id 32357, len 84)
>
> Can you check if there is a leftover state entry that matches? If you
> reload the ruleset the states are not necessarily flushed. Use $pfctl -Fs
> before you load the new ruleset. Or check for matching states with
> $pfctl -vss
>
> Please let us know if that was the case and we can assume that the user
> stuff is working correctly now. Anyone else seeing this?
>
As Max mentioned, please check for stale states.
If you still have problems, please let us know.
Thanks.
Regards,
Pyun YongHyeon
--
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
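A small helper, added here and not part of the thread, to look for exactly the leftover state Max describes: an ICMP state toward the ping target that survived the ruleset reload and so is matched before the new `block out proto icmp` rule is ever evaluated. It assumes input in the shape of `pfctl -ss` output (interface, protocol, src -> dst, state); the sample lines below are constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it `pfctl -ss` output:
#   pfctl -ss | stale_states_to 192.168.4.1 icmp
# Exit status 0 means matching outbound states exist (the reload did not
# flush them; run `pfctl -Fs` before `pfctl -f /etc/pf.conf`), 1 means none.
stale_states_to() {
    host="$1"; proto="${2:-icmp}"
    # Assumed field layout: IFACE PROTO SRC -> DST STATE ("->" = outbound)
    awk -v h="$host" -v p="$proto" '
        $2 == p && $4 == "->" && index($5, h ":") == 1 { print; n++ }
        END { exit n ? 0 : 1 }'
}

# Constructed sample in the assumed `pfctl -ss` shape.
SAMPLE='rl0 icmp 192.168.4.88:32357 -> 192.168.4.1:32357 0:0
rl0 tcp 192.168.4.88:54321 -> 192.168.4.1:22 ESTABLISHED:ESTABLISHED
lo0 udp 127.0.0.1:53 <- 127.0.0.1:1025 SINGLE:NO_TRAFFIC'

# Demo run on the sample: prints the one ICMP state that explains the ping.
printf '%s\n' "$SAMPLE" | stale_states_to 192.168.4.1 icmp \
    || echo "no leftover icmp states toward 192.168.4.1"
```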