Date: Fri, 10 Mar 2006 18:12:38 -0500 From: "Jacob, Raymond A Jr" <raymond.jacob@navy.mil> To: <freebsd-pf@freebsd.org> Subject: Two(2) questions regarding quick and adding rules later. Message-ID: <653C8E7D21FB654997909E77C691053F446ADB@NAEAWNYDEX21VA.nadsusea.nads.navy.mil>
O/S FreeBSD 6.0

All traffic blocked unless I use quick. tcpdump -n -e -ttt -r /var/log/pflog showed traffic was blocked by the last rule unless I added quick to pass rules. I thought the matching rules would have overridden the block rule?

One more question: bundle0 is composed of two(2) interfaces bonded together. Is there a way to bring up the firewall when all the physical interfaces are up and then, once the bundle0 interface is up, add:

public_if = "bundle0"
pass in quick on $public_if all

to the rules in memory?

I have the following working (obfuscated) pf.conf in my /usr/home/bigdaddy directory

=====pf.conf====
dns_servers = "{ X , Y , Z }"
mngmt_if= "myi0"
mngmt_net= "xx.yy.zz.0/24"
public_if = "bundle0"
ids = "A"
port3 = "4444"
allowed_ports = "{" "port1, port2," $port3 "}"
set loginterface $mngmt_if
pass in quick on $public_if all
pass in log-all quick on $mngmt_if proto tcp from $mngmt_net to $ids port $allowed_ports keep state
pass out log-all quick on $mngmt_if proto {tcp,udp} from $ids to $dns_servers port 53 keep state
pass in log-all quick on $mngmt_if proto icmp from $mngmt_net to $ids icmp-type 8 code 0 keep state
pass out log-all quick on $mngmt_if proto icmp from $ids to any icmp-type 8 code 0 keep state
pass out log-all quick on $mngmt_if proto { tcp, udp } all keep state
block in log-all on $mngmt_if all
block out log-all on $mngmt_if all
============

kldload shows pf.ko loaded

When I boot, my rc.conf file has
pf_enable="YES"
pf_flags="-d"
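As an added illustration of both questions (this is editor-supplied example configuration, not the poster's pf.conf): pf evaluates the whole ruleset and the last matching rule decides, unless a rule says quick, so block rules placed at the end win over earlier pass rules; putting the default deny first lets the pass rules win without quick. Rules for an interface that does not exist at boot can live in an anchor that is loaded later with pfctl. The addresses and port are constructed placeholders; only myi0 and bundle0 come from the post.

```pf
# Editor's example, not the poster's config. Addresses are constructed.
mngmt_if  = "myi0"
mngmt_net = "192.0.2.0/24"        # placeholder management network
public_if = "bundle0"
ids       = "192.0.2.10"          # placeholder IDS address
set loginterface $mngmt_if

# Default deny FIRST. Without "quick", the last matching rule wins, so a
# block at the end of the file silently overrides every pass above it.
block in  log on $mngmt_if all
block out log on $mngmt_if all

# These later pass rules are now the last match and take effect as-is.
pass in  on $mngmt_if proto tcp from $mngmt_net to $ids port 22 keep state
pass out on $mngmt_if proto { tcp, udp } from $ids to any port 53 keep state

# The bonded interface is handled by an anchor that is empty at boot.
# Once bundle0 is up (e.g. from /etc/rc.local), load its rules with:
#   pfctl -a bundle0 -f /etc/pf.bundle0.conf
# where /etc/pf.bundle0.conf contains, for example:
#   pass in on bundle0 all
# Check what is loaded with:  pfctl -a bundle0 -s rules
# Rules in the anchor are evaluated at this point of the ruleset, after the
# default deny, so they win as the last match without needing "quick".
anchor "bundle0" on $public_if
```

Loading the anchor later leaves the main ruleset and existing state untouched; reloading the whole file with pfctl -f is only needed when the main rules change.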