Using / notation in tables?

Daniel Hartmeier daniel at benzedrine.cx
Tue Nov 29 09:01:56 GMT 2005


On Tue, Nov 29, 2005 at 03:53:20AM -0500, Forrest Aldrich wrote:

> Here is what I'm using for the tables:
> 
> block in quick on $ext_if proto { tcp, udp } from { <table1>, <table2> } \
>    to $ext_if:network port 25
> 
> I wonder if this should be written differently.

I don't see anything obviously wrong. If a packet is passing despite
this rule, there are two possibilities:

  a) evaluation doesn't reach this rule at all, because the packet
     matches an earlier quick rule

  b) evaluation does reach this rule, but the rule isn't matching,
     because

       1) the interface is not $ext_if
       2) the protocol is not tcp or udp (maybe some encapsulation or
          tunnel protocol?)
       3) the source address is not in either table (use pfctl -vTt to
          test)
       4) the destination address is not in $ext_if:network (use
          pfctl -sr to see what it expands to, might be surprising if
          $ext_if has multiple network aliases)

  c) pf is not enabled at all (pfctl -si | head -n 1)

  d) the packet is reaching the server through another path, not going
     through the pf box at all

If you can't spot it, provide the entire ruleset and a tcpdump showing
the packet passing on $ext_if.

Daniel
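The checklist in the reply above, as an added example that is not part of the thread and not pf's own code: a small Python model of pf's evaluation order (last matching rule wins unless a matching rule is `quick`, default pass when nothing matches) with table lookups, used to show which condition of the quoted block rule a given packet fails. The interface name `em0`, the `$ext_if:network` expansion `203.0.113.0/24`, the table contents and the earlier `whitelist` rule are all constructed assumptions; on a real box the rule expansion comes from `pfctl -sr` and table membership from `pfctl -t <table> -T test <addr>`.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed table contents (RFC 5737 documentation addresses), standing in
# for <table1> and <table2> from the quoted rule plus a hypothetical whitelist.
TABLES = {
    "table1": ["192.0.2.0/24"],
    "table2": ["198.51.100.7"],
    "whitelist": ["192.0.2.250"],
}

# Assumed interface and assumed expansion of $ext_if:network.
EXT_IF = "em0"
EXT_IF_NETWORK = "203.0.113.0/24"


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False
    iface: Optional[str] = None      # None means any interface
    protos: frozenset = frozenset()  # empty means any protocol
    src_tables: tuple = ()           # empty means any source
    dst_net: Optional[str] = None    # None means any destination
    dport: Optional[int] = None      # None means any port


def addr_in_tables(addr: str, table_names, tables=TABLES) -> bool:
    """True if addr falls in any entry of any of the named tables."""
    ip = ipaddress.ip_address(addr)
    for name in table_names:
        for entry in tables[name]:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
    return False


def first_mismatch(rule: Rule, pkt: Packet) -> Optional[str]:
    """Return the first condition of rule that pkt fails, or None if it matches.
    The order mirrors the reply's list: interface, protocol, source, destination."""
    if rule.iface is not None and pkt.iface != rule.iface:
        return "interface"
    if rule.protos and pkt.proto not in rule.protos:
        return "protocol"
    if rule.src_tables and not addr_in_tables(pkt.src, rule.src_tables):
        return "source not in any table"
    if rule.dst_net is not None and \
            ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_net):
        return "destination not in network"
    if rule.dport is not None and pkt.dport != rule.dport:
        return "port"
    return None


def evaluate(rules, pkt: Packet, enabled: bool = True):
    """Walk the ruleset: last matching rule wins, unless a matching rule is
    quick, which ends evaluation at once. Returns (action, deciding rule index)."""
    if not enabled:
        return "pass", None           # case c): pf not enabled, nothing is filtered
    decision = ("pass", None)         # pf's default when no rule matches
    for i, rule in enumerate(rules):
        if first_mismatch(rule, pkt) is None:
            decision = (rule.action, i)
            if rule.quick:
                break                 # case a): an earlier quick rule ends evaluation
    return decision


RULES = [
    # hypothetical earlier quick rule that lets one whitelisted host through
    Rule("pass", quick=True, iface=EXT_IF, protos=frozenset({"tcp"}),
         src_tables=("whitelist",), dport=25),
    # the rule quoted in the thread
    Rule("block", quick=True, iface=EXT_IF, protos=frozenset({"tcp", "udp"}),
         src_tables=("table1", "table2"), dst_net=EXT_IF_NETWORK, dport=25),
    Rule("pass"),                     # catch-all so unmatched traffic is visibly passed
]
BLOCK_RULE = 1


def diagnose(pkt: Packet, rules=RULES, enabled: bool = True) -> str:
    """Explain the decision for pkt relative to the block rule."""
    action, idx = evaluate(rules, pkt, enabled)
    if not enabled:
        return "pass: pf is not enabled"
    if idx == BLOCK_RULE:
        return "block: matched the block rule"
    if idx is not None and idx < BLOCK_RULE and rules[idx].quick:
        return f"pass: earlier quick rule {idx} matched first"
    return f"{action}: block rule not matched ({first_mismatch(rules[BLOCK_RULE], pkt)})"


if __name__ == "__main__":
    for p in (Packet("em0", "tcp", "192.0.2.5", "203.0.113.10", 25),
              Packet("gre0", "tcp", "192.0.2.5", "203.0.113.10", 25),
              Packet("em0", "tcp", "10.9.8.7", "203.0.113.10", 25),
              Packet("em0", "tcp", "192.0.2.250", "203.0.113.10", 25)):
        print(p, "->", diagnose(p))
```

The model deliberately leaves out case d): a packet that never traverses the pf box produces no decision at all, which is why the reply asks for a tcpdump on `$ext_if` rather than more ruleset output.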