My ipfilter rules are overreaching...

Eric Popelka arickp at cox.net
Thu Nov 27 03:19:56 UTC 2014



Ahhh! Silly me
a) didn't realize that he was reading the man page for ipf(8), not ipf(5)
b) thought 'quick' meant "Quickly log this."

Removing 'quick' from the last 'block in' clause, then adding 'quick'
to my ISP subnet "pass in" gives me the behavior I want. I didn't move
the lines around. Thanks!

-Eric

On 11/26/14 9:57 PM, Jon Radel wrote:
> On 11/26/14, 8:02 PM, Eric Popelka wrote:
>> ### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###
>> 
>> # Allow in the whole subnet assigned to my cable modem
>> # (hack, eventually want to just allow access to certain ports)
>> pass in log first on xn0 from 72.205.44.0/23 to any
>> 
>> # Keep out hax0rs
>> block in log first quick on xn0 all
>> 
>> 
> from man 5 ipf:
> 
>     First match vs last match
>     To change the default behaviour from being the last matched rule
>     decides the outcome to being the first matched rule, the word
>     "quick" is inserted to the rule.
> 
> 
> 
> Sooo...if I read your rule snippet correctly, you're asking ipf to 
> consider allowing traffic in from 72.205.44.0/23, pending finding
> a later rule that overrides that pass, so it continues along until
> it hits a block statement that not only applies but has a "quick"
> to boot.  I certainly wouldn't expect that pass rule to ever do
> anything.
> 
> What happens if you put a "quick" in the pass?  Or move the block
> to the very top of the file without the "quick"?
> 
> --Jon Radel jon at radel.com
> 
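To make the first-match/last-match point from the thread concrete, here is a small Python model added for this page; it is not ipf itself and not code from either poster. It parses the two rules Eric quoted, Eric's fix ('quick' moved from the block to the subnet pass), and Jon's other suggestion (block at the top, no 'quick'), then evaluates constructed packets against each. Assumptions: the six snipped DHCP/NTP/ICMP rules are omitted, the packet addresses are invented (203.0.113.7 is from TEST-NET-3), and a packet that matches no rule is passed, which is ipf's compiled-in default unless the kernel was built with IPFILTER_DEFAULT_BLOCK.

```python
"""Toy model of ipfilter rule matching (added example, not ipf itself).

Handles only the subset of ipf.conf syntax used in the thread:
  pass|block in|out [log [first]] [quick] [on IFACE] [proto P]
  (all | from CIDR|any [to CIDR|any])
Semantics from ipf(5): rules are evaluated in file order and the LAST
matching rule decides, unless a matching rule carries 'quick', which
stops evaluation and lets that rule decide.  A packet matching no rule
is passed (ipf default unless built with IPFILTER_DEFAULT_BLOCK).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" / "out"
    interface: str   # e.g. "xn0"
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" / "block"
    direction: str
    quick: bool
    interface: Optional[str]    # None = any interface
    proto: Optional[str]        # None = any protocol
    src: Optional[str]          # CIDR, None = any
    dst: Optional[str]          # CIDR, None = any
    text: str                   # original line, kept for reporting

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.interface in (None, pkt.interface)
                and self.proto in (None, pkt.proto)
                and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst)))


def parse_rule(line: str) -> Rule:
    """Parse one rule from the supported subset; reject anything else."""
    toks = line.split()
    if len(toks) < 2 or toks[0] not in ("pass", "block") or toks[1] not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    quick, fields = False, {"on": None, "proto": None, "from": None, "to": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            quick = True
        elif t in ("log", "first", "all"):
            pass                # log options and 'all' (= from any to any) do not restrict the match
        elif t in fields and i + 1 < len(toks):
            i += 1
            fields[t] = None if toks[i] == "any" else toks[i]
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return Rule(toks[0], toks[1], quick, fields["on"], fields["proto"],
                fields["from"], fields["to"], line)


def parse_ruleset(text: str) -> List[Rule]:
    """Parse ipf.conf-style text, skipping blank lines and # comments."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [parse_rule(line) for line in lines if line]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, deciding rule): last match wins unless a match is 'quick'."""
    deciding = None
    for rule in rules:
        if rule.matches(pkt):
            deciding = rule
            if rule.quick:      # 'quick': stop here, this rule decides
                break
    return ("pass", None) if deciding is None else (deciding.action, deciding)


def verdict(rules: List[Rule], pkt: Packet) -> str:
    return evaluate(rules, pkt)[0]


# The two rules quoted in the thread (six snipped DHCP/NTP/ICMP rules omitted).
ORIGINAL = parse_ruleset("""
pass in log first on xn0 from 72.205.44.0/23 to any   # no quick: a later match overrides it
block in log first quick on xn0 all                   # quick: decides as soon as it matches
""")
# Eric's fix: 'quick' moved from the block to the subnet pass.
FIXED = parse_ruleset("""
pass in log first quick on xn0 from 72.205.44.0/23 to any
block in log first on xn0 all
""")
# Jon's alternative: block first, no 'quick'; the later pass wins as last match.
BLOCK_FIRST = parse_ruleset("""
block in log first on xn0 all
pass in log first on xn0 from 72.205.44.0/23 to any
""")

# Constructed packets (not from the thread).
FROM_ISP = Packet("in", "xn0", "tcp", "72.205.44.10", "72.205.45.20")
OUTSIDER = Packet("in", "xn0", "tcp", "203.0.113.7", "72.205.45.20")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("block-first", BLOCK_FIRST)):
        for label, pkt in (("ISP host", FROM_ISP), ("outsider", OUTSIDER)):
            v, r = evaluate(rules, pkt)
            print(f"{name:12s} {label:9s} -> {v:5s}  by: {r.text if r else '(default)'}")
```

Running it shows why the original pass rule never did anything: the subnet packet matches the pass, evaluation continues, and the 'quick' block matches and decides. With 'quick' on the pass instead, the subnet packet is decided at that rule and never reaches the block, while everything else still falls through to it.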
