From owner-freebsd-pf@FreeBSD.ORG  Fri Mar 14 21:36:44 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A4A631065672
	for <freebsd-pf@freebsd.org>; Fri, 14 Mar 2008 21:36:44 +0000 (UTC)
	(envelope-from lolo@agneau.org)
Received: from bergerie.agneau.org (bergerie.agneau.org [88.173.248.15])
	by mx1.freebsd.org (Postfix) with ESMTP id 5FF708FC1E
	for <freebsd-pf@freebsd.org>; Fri, 14 Mar 2008 21:36:44 +0000 (UTC)
	(envelope-from lolo@agneau.org)
Received: by bergerie.agneau.org (Postfix, from userid 500)
	id 4333D1092DA; Fri, 14 Mar 2008 22:09:03 +0100 (CET)
Date: Fri, 14 Mar 2008 22:09:03 +0100
From: Laurent Frigault <lfrigault@agneau.org>
To: Remko Lodder <remko@elvandar.org>
Message-ID: <20080314210903.GA20532@obelix.bergerie.agneau.org>
References: <200803132330.m2DNU3iG042764@freefall.freebsd.org>
	<32006.194.74.82.3.1205485356.squirrel@galain.elvandar.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
In-Reply-To: <32006.194.74.82.3.1205485356.squirrel@galain.elvandar.org>
User-Agent: Mutt/1.4.2.3i
X-Powered-By: UUCP
Cc: freebsd-pf@freebsd.org
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf
	rules
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2008 21:36:44 -0000

On Fri, Mar 14, 2008 at 10:02:36AM +0100, Remko Lodder wrote:
 
> Why are you filtering on your local IP stack anyway? filtering on lo0
> is not that common, or at least in my point of view not used often and
> presents problems all the way.

I don't. It was just a way to provide a simple case to reproduce the
problem.

I have seen rare case when filtering local traffic was needed to enforce
multi-jail isolations.

Usualy, I just have a stateless quick rule that allow everything on
lo0 at the beginning of the ruleset before the default block log  quick
all at the end


-- 
Laurent Frigault | <url:http://www.agneau.org/>