My ipfilter rules are overreaching...
arickp at cox.net
Thu Nov 27 03:19:56 UTC 2014
Ahhh! Silly me
a) didn't realize that he was reading the man page for ipf(8), not ipf(5)
b) thought 'quick' meant "Quickly log this."
Removing 'quick' from the last 'block in' clause, then adding 'quick'
to my ISP subnet "pass in" gives me the behavior I want. I didn't move
the lines around. Thanks!
On 11/26/14 9:57 PM, Jon Radel wrote:
> On 11/26/14, 8:02 PM, Eric Popelka wrote:
>> ### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###
>> # Allow in the whole subnet assigned to my cable modem
>> # (hack, eventually want to just allow access to certain ports)
>> pass in log first on xn0 from 126.96.36.199/23 to any
>> # Keep out hax0rs
>> block in log first quick on xn0 all
> from man 5 ipf:
>     First match vs last match
>     To change the default behaviour from being the last matched rule
>     decides the outcome to being the first matched rule, the word
>     "quick" is inserted to the rule.
> Sooo...if I read your rule snippet correctly, you're asking ipf to
> consider allowing traffic in from 188.8.131.52/23, pending finding
> a later rule that overrides that pass, so it continues along until
> it hits a block statement that not only applies but has a "quick"
> to boot. I certainly wouldn't expect that pass rule to ever do
> What happens if you put a "quick" in the pass? Or move the block
> to the very top of the file without the "quick"?
> --Jon Radel jon at radel.com
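The matching behaviour the thread hinges on is easy to get wrong when reading a rule set, so here is a small simulator of it. This is an added example, not code from the thread or from IPFilter: it models only the part of ipf(5) semantics under discussion (rules are walked top to bottom, the last matching rule decides, and a matching rule carrying `quick` ends the walk immediately; `log first` affects only logging, never matching). Direction, protocol, ports and state are omitted, and the rule sets are the two rules Eric posted, his fix, and Jon's suggested alternative. The addresses used as sample packets are constructed for the example; `126.96.36.199/23` is taken from the post and normalised to its /23 network.

```python
"""Toy model of IPFilter's last-match / 'quick' semantics (added example).

Assumed semantics (from ipf(5), simplified): rules are evaluated in order,
the LAST matching rule decides the packet's fate, unless a matching rule has
'quick', in which case evaluation stops at that rule. Packets matching no
rule fall through to the default, which for a stock ipf is 'pass'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str           # "pass" or "block"
    iface: str            # interface the rule is bound to, e.g. "xn0"
    src: str              # source CIDR, or "any"
    quick: bool = False   # 'quick': this match is final


@dataclass
class Packet:
    iface: str            # interface the packet arrived on
    src: str              # source address


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet? (interface + source only)"""
    if rule.iface != pkt.iface:
        return False
    if rule.src == "any":
        return True
    return ip_address(pkt.src) in ip_network(rule.src, strict=False)


def evaluate(rules, pkt: Packet, default: str = "pass"):
    """Return (decision, index of the deciding rule or None)."""
    decision, winner = default, None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision, winner = rule.action, i   # later matches override
            if rule.quick:
                break                           # 'quick': stop here
    return decision, winner


# Eric's original two rules: the pass is provisional, the block is quick.
ORIGINAL = [
    Rule("pass",  "xn0", "126.96.36.199/23"),
    Rule("block", "xn0", "any", quick=True),
]

# The fix Eric applied: 'quick' moved from the block to the pass.
FIXED = [
    Rule("pass",  "xn0", "126.96.36.199/23", quick=True),
    Rule("block", "xn0", "any"),
]

# Jon's alternative: block first without 'quick'; the later pass wins as last match.
ALTERNATIVE = [
    Rule("block", "xn0", "any"),
    Rule("pass",  "xn0", "126.96.36.199/23"),
]

# Constructed sample packets: one inside the ISP /23, one outside it.
INSIDE = Packet("xn0", "126.96.36.200")
OUTSIDE = Packet("xn0", "203.0.113.7")


def summary():
    """Decision per (ruleset, packet), handy for eyeballing the difference."""
    out = {}
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED),
                        ("alternative", ALTERNATIVE)):
        for label, pkt in (("inside", INSIDE), ("outside", OUTSIDE)):
            out[(name, label)] = evaluate(rules, pkt)[0]
    return out


if __name__ == "__main__":
    for (name, label), decision in summary().items():
        print(f"{name:12s} {label:8s} -> {decision}")
```

Running it shows why the original set blocked everything: the pass rule matched, but without `quick` it only set a provisional result that the later `block ... quick` overrode. Both the fix and Jon's alternative let the /23 in while still blocking the rest.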