FreeBSD 9.1-STABLE - pf rule being ignored

claudiu vasadi claudiu.vasadi at gmail.com
Fri Nov 8 15:12:09 UTC 2013


>> And that should accomplish what you are trying to do IIUC.

I already accomplished what I wanted. I'm simply trying to understand why I
had to go about it this way.

lo0 already has a skip on it.


On Fri, Nov 8, 2013 at 3:08 PM, Jason Hellenthal <jhellenthal at dataix.net> wrote:

> Should say too . . . don't forget to either skip on lo0 or pass on lo0
>
> > On Nov 8, 2013, at 9:05, Jason Hellenthal <jhellenthal at dataix.net>
> wrote:
> >
> > Curious if your line breaks are correct ? Your block and pass rule
> appear to be on the same line.
> >
> > This should do it . . .
> >
> > block in all
> > block return in quick from !$internal_ip to $external_ip
> > pass out all keep state
> >
> >
> > But if you already have a block all rule there is no need for the second
> as you're already blocking all traffic, so I might suggest this, not knowing
> your topology.
> >
> > I also would not suggest "return" for non-internal traffic except for
> specific targeted services that it might affect.
> > . . .
> > :BEGIN
> >
> > spoof on lo0
> > spoof on $ext_if
> >
> > block all
> > pass out quick from $me
> > pass in quick from $int to $me
> >
> > :END
> >
> > And that should accomplish what you are trying to do IIUC.
> >
> > You can use pftop to verify packets on hit rules.
> >
> >> On Nov 8, 2013, at 8:41, claudiu vasadi <claudiu.vasadi at gmail.com>
> wrote:
> >>
> >> Hi all,
> >>
> >> I have a 9.1-STABLE r251615 acting as a firewall.
> >>
> >> The rules:
> >> block in all
> >> pass out all keep state
> >> [...]
> >> block return from !$internal_ip to $external_ip
> >>
> >>
> >>
> >> What I want is to block all the network except $internal from accessing
> >> $external_ip. For some reason, the above rule simply does not work.
> >> However, the below does work and block everyone except $internal_ip:
> >>
> >> block return from $internal_net/24 to $external_ip
> >> pass from $internal_ip to $external_ip
> >>
> >>
> >> Why is this? I remember reading the docs for OpenBSD 4.5 and I guess it
> >> should work like in the first example.
> >>
> >> PS: Yes, I can see the rule with pfctl -sr and it does translate
> properly.
> >>
> >> --
> >> Best regards,
> >> Claudiu Vasadi
> >> _______________________________________________
> >> freebsd-pf at freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> >> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>



-- 
Best regards,
Claudiu Vasadi
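The thread turns on how pf picks the deciding rule: the last matching rule wins, unless a matching rule carries "quick", which ends evaluation immediately. The following is an added example, not part of any message in this thread and not code from the FreeBSD project. It models that evaluation in Python (no state tracking, interfaces, or NAT) and runs Jason's suggested ruleset against constructed packets; the addresses 203.0.113.10 for $me and 192.168.1.0/24 for $int are placeholders chosen for the example, not values from the thread.

```python
"""Simplified model of pf rule evaluation.

pf semantics modelled here (and nothing more):
  * rules are evaluated top to bottom;
  * the LAST matching rule decides the packet;
  * a matching rule with "quick" stops evaluation at once;
  * with no matching rule the packet passes (pf's default).
Not modelled: keep state, interfaces, protocols, ports, NAT, "return".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                    # "block" or "pass"
    direction: Optional[str] = None  # None matches both "in" and "out"
    src: Optional[str] = None      # host or network; None means "any"
    dst: Optional[str] = None
    quick: bool = False
    negate_src: bool = False       # models "from !<addr>"

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.src is not None:
            in_src = ip_address(pkt.src) in ip_network(self.src, strict=False)
            # "from X" needs in_src True; "from !X" needs in_src False
            if in_src == self.negate_src:
                return False
        if self.dst is not None:
            if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index_of_deciding_rule); index is None when no rule matched."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, i)
            if rule.quick:
                break  # "quick": this rule is final
    return decision


# Constructed placeholder addresses for the macros used in the thread.
ME = "203.0.113.10"      # stands in for $me / $external_ip
INT = "192.168.1.0/24"   # stands in for $int / $internal_net

# Jason's suggested ruleset:
#   block all
#   pass out quick from $me
#   pass in quick from $int to $me
SUGGESTED = [
    Rule("block"),
    Rule("pass", direction="out", src=ME, quick=True),
    Rule("pass", direction="in", src=INT, dst=ME, quick=True),
]

# Same intent written WITHOUT "quick" and with "block all" moved last:
# because the last match wins, the trailing block overrides both passes.
WRONG_ORDER_NO_QUICK = [
    Rule("pass", direction="in", src=INT, dst=ME),
    Rule("pass", direction="out", src=ME),
    Rule("block"),
]

if __name__ == "__main__":
    probes = [
        Packet("in", "192.168.1.20", ME),    # internal host reaching $me
        Packet("in", "198.51.100.7", ME),    # outside host reaching $me
        Packet("out", ME, "198.51.100.7"),   # $me talking outbound
    ]
    for name, rules in (("suggested", SUGGESTED), ("wrong order", WRONG_ORDER_NO_QUICK)):
        for p in probes:
            print(name, p, "->", evaluate(rules, p))
```

Running the block prints which rule decides each probe; the point to take from it is that the same three rules give opposite results depending on order and on "quick", which is why pftop (or `pfctl -vsr` rule counters) is the right way to confirm which rule a packet actually hit.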

