problem with keyword self
lev-bazanov at mail.ru
Fri Jun 30 07:06:11 UTC 2006
Hello, All.
There is a problem in pf, when I try to add rules with keyword
"self". Example:
My box has three physical interfaces and one loopback interface:
fxp0 - 10.0.0.1
fxp1 - 20.0.0.1
fxp3 - 30.0.0.1
lo0 - 127.0.0.1
Add rules in pf:
---- pf.conf ----
block drop in quick from any to self
pass in quick all
---- pf.conf ----
# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all
#
# ifconfig fxp0 50.0.0.1
# pfctl -q -s rules
block drop in quick inet from any to 10.0.0.1
block drop in quick inet from any to 20.0.0.1
block drop in quick inet from any to 30.0.0.1
block drop in quick inet from any to 127.0.0.1
pass in quick all
Result of this command: all incoming traffic on interface fxp0 will be passed.
This situation is not correct, because I want to disable all traffic on
fxp0, even after changing the IP address on fxp0.
A similar situation happens when I try to add a rule in pf with a table which contains
an interface's name or the keyword "self". For example:
1. Table contains name of interface
----- pf.conf -----
table <test> { fxp0 }
block drop in quick from any to <test>
----- pf.conf -----
# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick from any to <test>
# pfctl -q -t test -T show
10.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
10.0.0.1
2. Table contains keyword "self"
----- pf.conf ----
table <test> { self }
block drop in quick from any to <test>
----- pf.conf ----
# pfctl -f /etc/pf.conf
# pfctl -q -s rules
block drop in quick from any to <test>
# pfctl -q -t test -T show
10.0.0.1
20.0.0.1
30.0.0.1
127.0.0.1
# ifconfig fxp0 50.0.0.1
# pfctl -q -t test -T show
10.0.0.1
20.0.0.1
30.0.0.1
127.0.0.1
Is there some means in pf which correctly resolves the described situations?
For example, like "me" keyword in ipfw.
--
Best regards, Lev Bazanov mailto:lev-bazanov at mail.ru
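As an added example (not part of Lev's message and not a reply taken from the list), here is a pf.conf for the same host using pf's parenthesized interface syntax, the construct pf.conf(5) documents for rules that should follow address changes: an interface name in parentheses is re-evaluated by the kernel whenever that interface's addresses change, whereas a bare interface name, a hostname, the keyword "self" or a table entry is expanded once, at ruleset load time. The interface names and addresses are those from the post; the table name <local> and the comments are mine.

```pf
# Static form, as in the post: "self" is expanded to the addresses present
# when the ruleset is loaded, so after "ifconfig fxp0 50.0.0.1" the loaded
# rule still matches 10.0.0.1 and nothing else.
# block drop in quick from any to self

# Dynamic form: an interface name in parentheses is resolved by the kernel
# and is re-resolved whenever that interface's addresses change, without a
# ruleset reload. "pfctl -s rules" then shows the interface name rather than
# a fixed address, and 50.0.0.1 is blocked as soon as it is assigned to fxp0.
block drop in quick from any to (fxp0)
block drop in quick from any to (fxp1)
block drop in quick from any to (fxp3)
block drop in quick from any to (lo0)

pass in quick all

# Tables are also expanded at load time and do not accept the parenthesized
# form, so a table built from interface names or "self" (assumed name <local>)
# keeps the old addresses after an address change. It has to be refreshed,
# either by reloading the ruleset with "pfctl -f /etc/pf.conf" or by
# replacing its contents in place, e.g.
#   pfctl -t local -T replace 50.0.0.1 20.0.0.1 30.0.0.1 127.0.0.1
table <local> { fxp0 fxp1 fxp3 lo0 }
```

To confirm the behaviour, load the file, change the address on fxp0 as in the post, and compare "pfctl -s rules" and "pfctl -t local -T show": the parenthesized rules follow the new address, while the table still lists the address it held at load time until it is reloaded or replaced.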