Date:      Wed, 26 Nov 2014 21:57:23 -0500
From:      Jon Radel <jon@radel.com>
To:        Eric Popelka <arickp@cox.net>, freebsd-questions@freebsd.org
Subject:   Re: My ipfilter rules are overreaching...
Message-ID:  <54769313.7020304@radel.com>
In-Reply-To: <5476781D.2060904@cox.net>
References:  <5476781D.2060904@cox.net>

On 11/26/14, 8:02 PM, Eric Popelka wrote:
> 	### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###
>
> 	# Allow in the whole subnet assigned to my cable modem
> 	# (hack, eventually want to just allow access to certain ports)
> 	pass in log first on xn0 from 72.205.44.0/23 to any
>
> 	# Keep out hax0rs
> 	block in log first quick on xn0 all
>
>
from man 5 ipf:

  First match vs last match
        To change the default behaviour from being the last matched rule
        decides the outcome to being the first matched rule, the word "quick"
        is inserted to the rule.

Sooo...if I read your rule snippet correctly, you're asking ipf to
consider allowing traffic in from 72.205.44.0/23, pending finding a
later rule that overrides that pass, so it continues along until it hits
a block statement that not only applies but has a "quick" to boot.  I
certainly wouldn't expect that pass rule to ever do anything.

What happens if you put a "quick" in the pass?  Or move the block to the
very top of the file without the "quick"?

--Jon Radel
jon@radel.com
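To make the last-match-unless-quick behaviour from the man page concrete, here is a small simulator added to this archive page; it is not code from the thread or from ipfilter itself. It models only the source address (interface, direction and destination are assumed to match for every rule), uses the two rules quoted above plus the two rewrites the reply proposes as constructed rule sets, and assumes the stock ipf verdict of "pass" when nothing matches (the kernel can be built to block instead). The sample source addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str   # "pass" or "block"
    quick: bool   # True when the rule carries the 'quick' keyword
    src: str      # source network in CIDR form, or "any"
    text: str     # the rule as it would appear in ipf.conf (for reporting)

    def matches(self, src_ip: str) -> bool:
        # Only the source address is modelled here; interface, direction and
        # destination are assumed to match for every rule in the set.
        if self.src == "any":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)


def evaluate(rules, src_ip, default="pass"):
    """Return (verdict, winning_rule_text) for a packet from src_ip.

    ipf walks the whole rule list and the LAST matching rule decides, unless a
    matching rule carries 'quick', which ends the walk at that rule.  `default`
    is the verdict when no rule matches; stock ipf passes in that case unless
    the kernel is built with IPFILTER_DEFAULT_BLOCK (assumed: pass).
    """
    verdict, winner = default, None
    for rule in rules:
        if not rule.matches(src_ip):
            continue
        verdict, winner = rule.action, rule.text
        if rule.quick:
            break
    return verdict, winner


# Constructed rule sets.  The first mirrors the shape of the two rules quoted
# in the thread; the other two are the rewrites the reply suggests.
AS_POSTED = [
    Rule("pass", False, "72.205.44.0/23",
         "pass in log first on xn0 from 72.205.44.0/23 to any"),
    Rule("block", True, "any",
         "block in log first quick on xn0 all"),
]

PASS_WITH_QUICK = [
    Rule("pass", True, "72.205.44.0/23",
         "pass in log first quick on xn0 from 72.205.44.0/23 to any"),
    Rule("block", True, "any",
         "block in log first quick on xn0 all"),
]

BLOCK_FIRST_NO_QUICK = [
    Rule("block", False, "any",
         "block in log first on xn0 all"),
    Rule("pass", False, "72.205.44.0/23",
         "pass in log first on xn0 from 72.205.44.0/23 to any"),
]

# Constructed sample sources: one inside the cable-modem /23, one outside it.
SAMPLE_SOURCES = ["72.205.44.10", "198.51.100.7"]


def verdict_table(rules):
    """Map each sample source to its verdict under the given rule set."""
    return {ip: evaluate(rules, ip)[0] for ip in SAMPLE_SOURCES}


if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED),
                        ("quick on the pass", PASS_WITH_QUICK),
                        ("block first, no quick", BLOCK_FIRST_NO_QUICK)]:
        print(f"{name}:")
        for ip in SAMPLE_SOURCES:
            verdict, winner = evaluate(rules, ip)
            print(f"  {ip:15} -> {verdict:5}  ({winner})")
```

Running it shows the point of the reply: with the rules as posted, a source inside 72.205.44.0/23 still ends up at the quick block, because the pass rule without "quick" only sets a provisional verdict that the later quick block overrides. Either rewrite (quick on the pass, or the block at the top without quick so the later pass is the last match) lets the subnet in while everything else is still blocked.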
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54769313.7020304>