Date: Wed, 26 Nov 2014 22:19:48 -0500
From: Eric Popelka <arickp@cox.net>
To: freebsd-questions@freebsd.org
Subject: Re: My ipfilter rules are overreaching...
Message-ID: <54769854.5030403@cox.net>
In-Reply-To: <LSyP1p0013hHw0601SyQgC>
References: <5476781D.2060904@cox.net> <LSyP1p0013hHw0601SyQgC>
Ahhh! Silly me:

a) didn't realize that he was reading the man page for ipf(8), not ipf(5)
b) thought 'quick' meant "Quickly log this."

Removing 'quick' from the last 'block in' clause, then adding 'quick' to my ISP subnet "pass in" gives me the behavior I want. I didn't move the lines around.

Thanks!

-Eric

On 11/26/14 9:57 PM, Jon Radel wrote:
> On 11/26/14, 8:02 PM, Eric Popelka wrote:
>> ### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###
>>
>> # Allow in the whole subnet assigned to my cable modem
>> # (hack, eventually want to just allow access to certain ports)
>> pass in log first on xn0 from 72.205.44.0/23 to any
>>
>> # Keep out hax0rs
>> block in log first quick on xn0 all
>>
>
> from man 5 ipf:
>
>     First match vs last match
>     To change the default behaviour from being the last matched rule
>     decides the outcome to being the first matched rule, the word
>     "quick" is inserted to the rule.
>
> Sooo...if I read your rule snippet correctly, you're asking ipf to
> consider allowing traffic in from 72.205.44.0/23, pending finding
> a later rule that overrides that pass, so it continues along until
> it hits a block statement that not only applies but has a "quick"
> to boot. I certainly wouldn't expect that pass rule to ever do
> anything.
>
> What happens if you put a "quick" in the pass? Or move the block
> to the very top of the file without the "quick"?
>
> --Jon Radel
> jon@radel.com
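The last-match-unless-quick behaviour that Jon quotes from ipf(5) is easy to misread, so here is the rule walk modelled in Python as an added example (it is not code from this thread or from ipfilter itself). It parses the subset of ipf.conf syntax that appears above, walks the rules the way ipf does, and evaluates three rule sets: Eric's original pair, the pair with 'quick' moved from the block rule to the pass rule (Eric's fix), and Jon's alternative of a non-quick block at the top of the file. The interface xn0 and the 72.205.44.0/23 subnet come from the thread; the sample source and destination addresses, and the default-pass fallback for a packet that matches no rule at all, are assumptions of this example. Logging keywords are parsed but ignored, and no state, protocol or port matching is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # True: this rule ends the walk if it matches
    iface: Optional[str]   # None: any interface
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str              # original rule line, for reporting


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse: pass|block in|out [log [first|body]] [quick] [on IFACE]
              (all | from SRC to DST).  This is only the subset of ipf.conf
       syntax used on this page; 'log' options do not affect matching."""
    toks = line.split()
    action, direction = toks[0], toks[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    quick, iface, src, dst = False, None, ANY, ANY
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "log":
            i += 1
            if i < len(toks) and toks[i] in ("first", "body"):
                i += 1
        elif t == "quick":
            quick, i = True, i + 1
        elif t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "all":
            i += 1
        elif t == "from":
            src, i = _net(toks[i + 1]), i + 2
        elif t == "to":
            dst, i = _net(toks[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported keyword {t!r} in {line!r}")
    return Rule(action, direction, quick, iface, src, dst, line)


def matches(rule: Rule, direction: str, iface: str,
            src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    return (rule.direction == direction
            and (rule.iface is None or rule.iface == iface)
            and src in rule.src and dst in rule.dst)


def evaluate(rules: List[str], direction: str, iface: str,
             src: str, dst: str) -> Tuple[str, Optional[str]]:
    """ipf rule walk: every rule is inspected in order and the LAST matching
    rule decides, unless a matching rule carries 'quick', which stops the
    walk on the spot.  Returns (decision, text of the deciding rule).
    Assumption: a packet matching no rule at all is passed (the default on
    a stock FreeBSD kernel built without IPFILTER_DEFAULT_BLOCK)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision, winner = "pass", None
    for rule in (parse_rule(line) for line in rules):
        if matches(rule, direction, iface, s, d):
            decision, winner = rule.action, rule.text
            if rule.quick:
                break
    return decision, winner


# Eric's original pair: the pass is not quick, the block is.
ORIGINAL = [
    "pass in log first on xn0 from 72.205.44.0/23 to any",
    "block in log first quick on xn0 all",
]
# Eric's fix from this message: 'quick' moved to the pass, block left last.
QUICK_ON_PASS = [
    "pass in log first quick on xn0 from 72.205.44.0/23 to any",
    "block in log first on xn0 all",
]
# Jon's alternative: non-quick block at the top, pass after it (last match wins).
BLOCK_FIRST = [
    "block in log first on xn0 all",
    "pass in log first on xn0 from 72.205.44.0/23 to any",
]

INSIDE, OUTSIDE, DST = "72.205.44.10", "198.51.100.7", "203.0.113.1"  # constructed


def demo() -> dict:
    """Decision for an in-subnet and an out-of-subnet source under each rule set."""
    out = {}
    for name, rules in (("original", ORIGINAL), ("quick_on_pass", QUICK_ON_PASS),
                        ("block_first", BLOCK_FIRST)):
        out[name] = {src: evaluate(rules, "in", "xn0", src, DST)[0]
                     for src in (INSIDE, OUTSIDE)}
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

In the original set the pass rule does match the in-subnet packet, but it is only provisional: the walk continues, the quick block also matches, and the block wins. Both fixes keep the subnet reachable while still blocking everyone else; the difference is that with 'quick' on the pass the walk stops there, whereas in the block-first layout every packet is compared against all rules and the later pass simply overrides the earlier block.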