[pf4freebsd] Re: problem with 'user'
Max Laier
max at love2party.net
Wed Sep 15 21:00:25 PDT 2004
On Saturday 31 January 2004 18:06, jb wrote:
> thanks - patch applies cleanly against 2.02 (out of the port tree).
> All things related for 'user' seem to work, but there's like an anomaly
Great, thanks for your report - we will update the port soon.
> - 'pass all' for a user contaminates ICMP rules.
>
> rules like:
> pass in on lo0 all
> pass out on lo0 all
> block in log all
> block out log all
>
> lock the box (of course). Adding the following:
> pass out all user boludo keep state
>
> allows all users to ping outside. Also adding
> block out log proto icmp
>
> doesn't seem to change anything.
I wasn't able to reproduce this:
While doing $ping 192.168.4.1 as user 1001
>> pfctl -vvsr
@4 pass out all user = 1001 keep state
[ Evaluations: 14 Packets: 782 Bytes: 96317 States: 1 ]
@5 block drop out log proto icmp all
[ Evaluations: 14 Packets: 5 Bytes: 420 States: 0 ]
>> pftcpdump -s2000 -nvvvei pflog0
pftcpdump: WARNING: pflog0: no IPv4 address assigned
pftcpdump: listening on pflog0
19:26:38.244893 rule 5/0(match): block out on rl0: 192.168.4.88 >
192.168.4.1: icmp: echo request (ttl 64, id 32357, len 84)
Can you check if there is a leftover state entry that matches? If you
reload the ruleset the states are not necessarily flushed. Use $pfctl -Fs
before you load the new ruleset. Or check for matching states with
$pfctl -vss
Please let us know if that was the case and we can assume that the user
stuff is working correctly now. Anyone else seeing this?
--
Best regards, | max at love2party.net
Max Laier | ICQ #67774661
http://pf4freebsd.love2party.net/ | mlaier at EFnet
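An added example, not from the thread or from pf's own tooling: a small Python parser for the `pfctl -vvsr` counter lines quoted above. It reports which rules actually matched packets and which still hold state-table entries, the reading Max does by hand when he points at `States: 1` on the user rule and the five packets caught by the ICMP block. The sample output is constructed from the lines in the mail (rule @3 is a made-up extra entry).

```python
import re

# Constructed sample of `pfctl -vvsr` output, modelled on the lines quoted in
# the thread above (rule @3 is an added, made-up entry for illustration).
SAMPLE_PFCTL_VVSR = """\
@3 pass in on lo0 all
  [ Evaluations: 20        Packets: 0         Bytes: 0           States: 0     ]
@4 pass out all user = 1001 keep state
  [ Evaluations: 14        Packets: 782       Bytes: 96317       States: 1     ]
@5 block drop out log proto icmp all
  [ Evaluations: 14        Packets: 5         Bytes: 420         States: 0     ]
"""

# "@<n> <rule text>" lines introduce a rule; the bracketed line that follows
# carries its counters. Any other line (e.g. extra detail lines in newer pf
# versions) is ignored.
RULE_RE = re.compile(r"^@(\d+)\s+(.*\S)\s*$")
COUNTER_RE = re.compile(
    r"^\s*\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
    r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)


def parse_pfctl_vvsr(text):
    """Return one dict per rule: its number, rule text and counters."""
    rules = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "rule": m.group(2),
                       "evaluations": 0, "packets": 0, "bytes": 0, "states": 0}
            rules.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            ev, pk, by, st = (int(g) for g in m.groups())
            current.update(evaluations=ev, packets=pk, bytes=by, states=st)
    return rules


def rules_holding_states(text):
    """Rules with a non-zero States counter. Packets matching such an entry
    are passed by the state table and never reach a later 'block' rule."""
    return [r for r in parse_pfctl_vvsr(text) if r["states"] > 0]


def matching_rules(text):
    """Rules that matched at least one packet, in ruleset order."""
    return [r for r in parse_pfctl_vvsr(text) if r["packets"] > 0]
```

Run it over the output of `pfctl -vvsr` after `pfctl -Fs` and a reload: if the ICMP block rule shows packets and the user rule no longer holds states, the earlier "all users can ping" behaviour came from the state table, not from the user match.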