Using / notation in tables?

Forrest Aldrich forrie at forrie.com
Tue Nov 29 09:24:18 GMT 2005


I think this might be the problem.

$ext_if:network expands to 24.62.224.0/20, which is of course not my
network. I've been following examples on the net about configuring this.

Perhaps I should put a variable in there as gw=24.62.224.xx/32.

It's not clear to me where that should be used (ext_if:network).


Thank you.
Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 03:53:20AM -0500, Forrest Aldrich wrote:
>
>   
>> Here is what I'm using for the tables:
>>
>> block in quick on $ext_if proto { tcp, udp } from { <table1>, <table2> } \
>>    to $ext_if:network port 25
>>
>> I wonder if this should be written differently.
>>     
>
> I don't see anything obviously wrong. If a packet is passing despite
> this rule, there are two possibilities:
>
>   a) evaluation doesn't reach this rule at all, because the packet
>      matches an earlier quick rule
>
>   b) evaluation does reach this rule, but the rule isn't matching,
>      because
>
>        1) the interface is not $ext_if
>        2) the protocol is not tcp or udp (maybe some encapsulation or
>           tunnel protocol?)
>        3) the source address is not in either table (use pfctl -vTt to
>           test)
>        4) the destination address is not in $ext_if:network (use
>           pfctl -sr to see what it expands to, might be surprising if
>           $ext_if has multiple network aliases)
>
>    c) pf is not enabled at all (pfctl -si | head -n 1)
>
>    d) the packet is reaching the server through another path, not going
>       through the pf box at all
>
> If you can't spot it, provide the entire ruleset and a tcpdump showing
> the packet passing on $ext_if.
>
> Daniel
>   
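An added illustration of the two points raised in the thread, not code from either message: how the address on the rule's "to" side expands (an interface name alone versus the ":network" modifier) and the pfctl checks Daniel lists. The interface name xl0, the table contents and the 198.51.100.x/203.0.113.x addresses are placeholders chosen for the example; the real ruleset and addresses from the post are not reproduced.

```pf
# Added example (not from the thread): pf.conf fragment showing how the
# destination address of the block rule expands, plus the pfctl checks
# from the reply. Interface name, table contents and addresses are
# placeholders for illustration only.
ext_if = "xl0"

# Constructed sample tables of sender networks/hosts to refuse on port 25.
table <table1> persist { 198.51.100.0/24 }
table <table2> persist { 203.0.113.7 }

# Form used in the post: "$ext_if:network" expands to the whole network
# directly attached to xl0. On a provider segment that is the provider's
# block (24.62.224.0/20 in the post), so the rule matches mail to every
# host on that segment, not only this machine.
block in quick on $ext_if proto { tcp, udp } from { <table1>, <table2> } \
    to $ext_if:network port 25

# Alternative: a bare interface name expands to the addresses configured
# on that interface only. The parentheses make pf re-read the address
# whenever it changes (e.g. a new DHCP lease), so the ruleset does not
# have to be reloaded.
block in quick on $ext_if proto { tcp, udp } from { <table1>, <table2> } \
    to ($ext_if) port 25

# Checks (run as root), following the reply above:
#   pfctl -si | head -n 1                 # "Status: Enabled", else pf is off
#   pfctl -sr                             # loaded rules with macros expanded;
#                                         # shows what $ext_if:network became
#   pfctl -vsr                            # same, with per-rule evaluation and
#                                         # packet counters
#   pfctl -t table1 -T test 198.51.100.5  # is this source address in table1?
#   tcpdump -ni xl0 tcp port 25           # does the packet really arrive on
#                                         # xl0, or via another path?
```

The two block rules are shown together only to contrast the expansion; in a real ruleset one would keep whichever form matches the intended destination. The per-rule counters from pfctl -vsr separate case (a) in the reply (an earlier quick rule wins, this rule is never evaluated) from case (b) (evaluated but not matched).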