My ipfilter rules are overreaching...
Jon Radel
jon at radel.com
Thu Nov 27 02:58:34 UTC 2014
On 11/26/14, 8:02 PM, Eric Popelka wrote:
> ### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###
>
> # Allow in the whole subnet assigned to my cable modem
> # (hack, eventually want to just allow access to certain ports)
> pass in log first on xn0 from 72.205.44.0/23 to any
>
> # Keep out hax0rs
> block in log first quick on xn0 all
>
>
from man 5 ipf:

    First match vs last match

    To change the default behaviour from being the last matched rule
    decides the outcome to being the first matched rule, the word "quick"
    is inserted to the rule.
Sooo...if I read your rule snippet correctly, you're asking ipf to
consider allowing traffic in from 72.205.44.0/23, pending finding a
later rule that overrides that pass, so it continues along until it hits
a block statement that not only applies but has a "quick" to boot. I
certainly wouldn't expect that pass rule to ever do anything.
What happens if you put a "quick" in the pass? Or move the block to the
very top of the file without the "quick"?
--Jon Radel
jon at radel.com
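A small simulator of the evaluation order Jon describes above, added here as an example; it is not code from the original thread or from the ipfilter project. It models only the rule keywords that appear in the quoted snippet (action, direction, "log first", "quick", "on <iface>", "from A to B", "all"), ignores protocols, ports and state, and assumes FreeBSD's default-pass policy when no rule matches (the default unless the kernel is built with IPFILTER_DEFAULT_BLOCK). The packet it evaluates is constructed: inbound on xn0 from 72.205.44.10 to 10.0.0.5, the destination being an arbitrary choice. It compares the posted ruleset with the two variants Jon suggests.

```python
"""Toy model of ipfilter's last-match-wins evaluation and the "quick" keyword.

Added example, not code from the original mailing-list thread or from ipfilter.
Only the ipf(5) syntax used in the quoted rules is understood; proto/port
matching and keep-state are deliberately left out. The default decision when
no rule matches is assumed to be "pass" (FreeBSD default without
IPFILTER_DEFAULT_BLOCK).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    quick: bool                 # a match ends evaluation immediately
    iface: Optional[str]        # None means any interface
    src: Optional[object]       # ip_network, or None for "any"
    dst: Optional[object]
    text: str                   # original rule line, for reporting


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    dst: str


def _net(tok: str):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    toks = line.split()
    action, direction = toks[0], toks[1]
    quick, iface, src, dst = False, None, None, None
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            quick = True
        elif t == "on":
            iface = toks[i + 1]
            i += 1
        elif t == "from":
            src = _net(toks[i + 1])
            i += 1
        elif t == "to":
            dst = _net(toks[i + 1])
            i += 1
        # "log", "first" and "all" carry no match criteria in this model
        i += 1
    return Rule(action, direction, quick, iface, src, dst, line)


def load_rules(text: str) -> List[Rule]:
    """Parse an ipf.conf-style text, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the whole list; the last matching rule decides, unless a matching
    rule carries "quick", which stops evaluation right there."""
    decision, winner = "pass", None      # assumed default-pass policy
    for r in rules:
        if matches(r, pkt):
            decision, winner = r.action, r.text
            if r.quick:
                break
    return decision, winner


# The two rules from the original post, then Jon's two suggested variants.
ORIGINAL_RULES = """
pass in log first on xn0 from 72.205.44.0/23 to any
block in log first quick on xn0 all
"""
QUICK_PASS_RULES = """
pass in log first quick on xn0 from 72.205.44.0/23 to any
block in log first quick on xn0 all
"""
BLOCK_FIRST_RULES = """
block in log first on xn0 all
pass in log first on xn0 from 72.205.44.0/23 to any
"""


def decide(ruleset: str, src: str, iface: str = "xn0") -> str:
    """Decision for a constructed inbound packet from src to 10.0.0.5."""
    pkt = Packet("in", iface, src, "10.0.0.5")
    return evaluate(load_rules(ruleset), pkt)[0]


if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL_RULES),
                     ("quick on pass", QUICK_PASS_RULES),
                     ("block first, no quick", BLOCK_FIRST_RULES)):
        print(f"{name:22s} 72.205.44.10 -> {decide(rs, '72.205.44.10')}"
              f", 198.51.100.7 -> {decide(rs, '198.51.100.7')}")
```

With the posted ordering the pass rule matches first but only records a provisional "pass"; the quick block that follows matches the same packet and settles the outcome, so nothing from 72.205.44.0/23 ever gets in. Either of Jon's changes makes the pass rule decisive: "quick" on the pass ends evaluation before the block is reached, and a non-quick block at the top is overridden by the later pass under last-match semantics. Traffic on another interface matches no rule and falls through to the default.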