Re: passing to inside interface

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Lawrence Horvath

Subject: Re: passing to inside interface

Date: Tuesday, March 20, 2007 - 9:24 am

is there a way to tag the packets going to pflog, i can see the
packets being blocked with tcpdump on /var/log/pflog, but i would like
to know what rule is blocking them

i changed my rules a little bit here is the output of pfctl -s rules,
i was hoping that explictly defining some of these would help but same
result

block return in log on xl0 all
block drop in log on xl1 all
pass in on xl0 inet from any to 192.168.25.253 keep state
pass in on xl1 inet from 192.168.25.253 to any keep state
pass out on xl0 all
pass out on xl1 all
pass in on xl0 inet from any to 192.168.25.33
pass in on xl1 inet from 192.168.25.33 to any
pass in on xl0 inet from any to 192.168.25.69
pass in on xl1 inet from 192.168.25.69 to any
pass in on xl0 inet from any to 192.168.25.84
pass in on xl1 inet from 192.168.25.64 to any
pass in on xl0 inet from any to 192.168.25.100
pass in on xl1 inet from 192.168.25.100 to any
pass in on xl0 inet from any to 192.168.25.201
pass in on xl1 inet from 192.168.25.201 to any
pass in on xl0 inet from any to 192.168.25.252
pass in on xl1 inet from 192.168.25.252 to any

On 20/03/07, Stuart Henderson <stu@spacehopper.org> wrote:
quoted text> On 2007/03/20 06:18, Lawrence Horvath wrote:
> > On 20/03/07, Stuart Henderson <stu@spacehopper.org> wrote:
> > >On 2007/03/20 04:41, Lawrence Horvath wrote:
> > >> I have the below rule set in my pf.conf, i am having the following
> > >> problem, i need to be able to log into the firewall with ssh from
> > >> outside, and nothing should be able to hit the firewall from inside,
> > >> not even ping
> > >
> > >You don't "pass out" anything, either directly or via keep state.
> > >Also see the Notes section of bridge(4).
>
> ahh, I missed that you have a default "pass out" since your default
> blocks are only for inbound.
>
> tcpdump on various interfaces (including pflog0 with the relevant log
> keywords adding to pf.conf) will help you see how it works. Some things
> depend on which interface has the IP address.
>
> The advice in bridge(4) about passing/skipping traffic on one of the
> interfaces makes things easier to follow.
>
>


-- 
-Lawrence
-Student ID 1028219
-CCNA

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

passing to inside interface, Lawrence Horvath, (Tue Mar 20, 4:41 am)

Re: passing to inside interface, Stuart Henderson, (Tue Mar 20, 5:40 am)

Re: passing to inside interface, Lawrence Horvath, (Tue Mar 20, 6:18 am)

Re: passing to inside interface, Stuart Henderson, (Tue Mar 20, 7:56 am)

Re: passing to inside interface, Lawrence Horvath, (Tue Mar 20, 9:24 am)

Re: passing to inside interface, Stuart Henderson, (Tue Mar 20, 10:32 am)

Re: passing to inside interface, Lawrence Horvath, (Tue Mar 20, 2:05 pm)

Re: passing to inside interface, Darren Spruell, (Tue Mar 20, 3:49 pm)

Navigation

Popular discussions


linux-kernel:
Greg Kroah-Hartman	[PATCH 041/196] kobject: add kobject_init_and_add function
Lukas Hejtmanek	Re: Another libata error related to OCZ SSD
Greg Kroah-Hartman	[PATCH 023/196] MCP_UCB1200: Convert from class_device to device
Florian Fainelli	Re: System clock runs too fast after 2.6.27 -> 2.6.28.1 upgrade
Christoph Lameter	[patch 1/4] mmu_notifier: Core code
git:
Johannes Schindelin	Re: [PATCH 1/2] Add strbuf_initf()
John Bito	[EGIT] Push to GitHub caused corruption
Jakub Narebski	Re: [PATCH 0/2] gitweb: patch view
Junio C Hamano	Re: [PATCH] When a remote is added but not fetched, tell the user.
Andy Parkins	Re: [RFC] Submodules in GIT
git-commits-head:
Linux Kernel Mailing List	ahci: Workaround HW bug for SB600/700 SATA controller PMP support
Linux Kernel Mailing List	V4L/DVB (11086): au0828: rename macro for currently non-function VBI support
Linux Kernel Mailing List	ceph: client types
Linux Kernel Mailing List	ceph: on-wire types
Linux Kernel Mailing List	crypto: chainiv - Use kcrypto_wq instead of keventd_wq
linux-netdev:
Andrew Morton	Re: [Bugme-new] [Bug 14969] New: b44: WOL does not work in suspended state
Giuseppe CAVALLARO	Re: [PATCH 03/13] stmmac: add the new Header file for stmmac platform data
Taku Izumi	[PATCH 3/3] ixgbe: add registers etc. printout code just before resetting adapters
Eric Dumazet	rps: some comments
Thomas Gleixner	Re: [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote:
openbsd-misc:
Stephan Andreas	problems with login after xlock in OpenBSD release 4.7
pmc	Make A Change. Alcoholism and Drug Addiction Treatment
ropers	Re: what exactly is enc0?
Fuad NAHDI	Re: What does your environment look like?
Matthew Szudzik	Typo on OpenBSD 4.4 CD Set

Colocation donated by:

Syndicate