Re: PF Config problem

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Gordon Ross <G.Ross@...>

To: <misc@...>

Subject: Re: PF Config problem

Date: Friday, July 20, 2007 - 4:49 am

>>> On 19 July 2007 at 23:52, in message
<20070719225255.GC3317@bootes.spacehopper.org>, Stuart Henderson
<stu@spacehopper.org> wrote:
quoted text> On 2007/07/19 15:38, Gordon Ross wrote:
>> Cutting down the pf ruleset to the bare minimum, I have:
>
> Might be below the minimum; there's no explicit "pass out".
> There's an implicit one, but I suspect it might not be keeping
> state (though the default as of 4.1 is to keep state, I suspect
> this _may_ apply only to rules configured by pfctl and not implicit
> ones). And if that's the case it won't permit the return traffic.

Made a little bit of progress..

If I change

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state

to:

pass proto tcp from 172.16.2.34 to 192.168.249.3 keep state

Then that works fine. Now I can half see why this does work: I've not
specified a direction or interface for the rule. For a simple two-interface
firewall, that's should be OK. My thoughts turn to when I have a firewall with
more than two interfaces: What would happen to a spoofed packet appearing on a
"wrong" interface ? As the rule no longer specifies interfaces, I could see
that PF would allow the packet through... Would the solution be to create
rules that only allow "valid" addresses to come in to interfaces ? Or am I
being paranoid ?

GTG

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

PF Config problem, Gordon Ross, (Thu Jul 19, 10:38 am)

Re: PF Config problem, Stuart Henderson, (Thu Jul 19, 6:52 pm)

Re: PF Config problem, Gordon Ross, (Fri Jul 20, 4:49 am)

Re: PF Config problem, Gordon Ross, (Fri Jul 20, 3:45 am)

Re: PF Config problem, Stuart Henderson, (Fri Jul 20, 5:04 am)

Re: PF Config problem, Gordon Ross, (Fri Jul 20, 5:46 am)

Re: PF Config problem, Stuart Henderson, (Fri Jul 20, 6:33 am)

Re: PF Config problem, Dag Richards, (Thu Jul 19, 11:55 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Greg KH	[patch 00/04] RFC: Staging tree (drivers/staging)
James Bottomley	Re: Integration of SCST in the mainstream Linux kernel
Steven Rostedt	[RFC PATCH 1/3] Unified trace buffer
git:
Jon Smirl	! [rejected] master -> master (non-fast forward)
Marco Costalba	[ANNOUNCE] qgit4 aka qgit ported to Windows
Andi Kleen	Re: [kernel.org users] [RFD] On deprecating "git-foo" for builtins
Sverre Rabbelier	Git vs Monotone
openbsd-misc:
Richard Stallman	Real men don't attack straw men
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Damian Gerow	Oddly high load average
Benjamin Adams	BSD Port from OpenJDK
linux-netdev:
Michael Grollman	Re: 8169 Intermittent ifup Failure Issue With RTL8102E Chipset in Intel's New D945...
Volker Armin Hemmann	build error with 2.6.27.6+reiser4+ehci-hub patch. ERROR: "mii_ethtool_gset" [drive...
Evgeniy Polyakov	[resend take 2 0/4] Distributed storage.
Wenji Wu	A Linux TCP SACK Question

Latest forum posts


serial driver xmit problem	1 hour ago	Linux kernel
Why Windows is better than Linux	1 hour ago	Linux general
How can I see my kernel messages in vt12?	7 hours ago	Linux kernel
Grub	19 hours ago	Linux general
vmalloc_fault handling in x86_64	1 day ago	Linux kernel
epoll_wait()ing on epoll FD	1 day ago	Linux kernel
Framebuffer in x86_64 causes problems to multiseat	1 day ago	Linux kernel
Difference between 2.4 and 2.6 regarding thread creation	1 day ago	Linux general
Netfilter kernel module	1 day ago	Linux kernel
Compiling gfs2 on kernel 2.6.27	1 day ago	Linux kernel

Show all forums...

Recent Tags

more tags

Colocation donated by:

Online users

Syndicate