On 11/13/20 2:06 PM, Harald Dunkel wrote:
Hi folks,
if it is allowed to ask a question about packet filter here?
Found it, please ignore.
Harri
Hi folks,
if it is allowed to ask a question about packet filter here?
Please take a look at the attached pf.conf file. Problem is
that incoming traffic from a host in (internal:network) to an
external host port is passed in rule 86 (that's one of the
debproxy lines)
pass $log0 quick
Hi Martin,
the host I had used for testing is off, so I had to switch. After
disabling the packet filter I see:
# tcpdump -i re0 -env icmp6
tcpdump: listening on re0, link-type EN10MB
20:58:08.865529 20:cf:30:e8:0d:58 52:54:00:2e:f3:25 86dd 118:
fe80::22cf:30ff:fee8:d58 >
On 11/06/17(Sun) 16:23, Harald Dunkel wrote:
> PS #1: Outgoing traffic to a link-local address initiated by the
> gateway is not corrupted.
>
> PS #2: It seems that OpenBSD 6.0 doesn't show this problem.
Could you use tcpdump on 6.0, do you spot any difference?
On 11/06/17(Sun) 15:51, Harald Dunkel wrote:
> Hi folks,
>
> pf.conf on my gateway (6.1) says
>
> bash-4.4# pfctl -sr | egrep -i icmp\|block
> block return log all
> :
> :
> pass quick inet proto icmp all keep state (if-bound)
> pass quick inet6 proto ipv6-icmp all keep state (if-bound)
>
>
Hi folks,
pf.conf on my gateway (6.1) says
bash-4.4# pfctl -sr | egrep -i icmp\|block
block return log all
:
:
pass quick inet proto icmp all keep state (if-bound)
pass quick inet6 proto ipv6-icmp all keep state (if-bound)
Problem is, a ping6 to the gateway's link local address is not
answered.
PS #1: Outgoing traffic to a link-local address initiated by the
gateway is not corrupted.
PS #2: It seems that OpenBSD 6.0 doesn't show this problem.
Regards
Harri
On 10/08/14 21:44, Henning Brauer wrote:
* Harald Dunkel ha...@afaics.de [2014-10-07 13:46]:
A related question: I wonder how well (self) and (group) perform,
compared to tables listing IP addresses? Is (self) evaluated every time for
each
* Harald Dunkel ha...@afaics.de [2014-10-07 13:46]:
A related question: I wonder how well (self) and (group)
perform, compared to tables listing IP addresses? Is (self)
evaluated every time for each rule using it, once per connection,
in certain intervals, or only if one of the network
Hi folks,
On 10/07/14 05:12, Giancarlo Razzolini wrote:
On 04-10-2014 11:06, Peter N. M. Hansteen wrote:
The parentheses denote potentially dynamic addresses, and IIRC the main
difference is that with parentheses the list will be expanded IIRC
On 04-10-2014 11:06, Peter N. M. Hansteen wrote:
The parentheses denote potentially dynamic addresses, and IIRC the
main difference is that with parentheses the list will be expanded
IIRC at rule evaluation time, while without the parentheses, the list
of addresses is expanded at ruleset load
Hi folks,
Pf question about parentheses around self: Does (self)
work similar to (egress)? pf.conf(5) describes parentheses
around interface names and interface groups, but self is
not mentioned:
address= ( interface-name | interface-group
Harald Dunkel ha...@afaics.de writes:
Pf question about parentheses around self: Does (self)
work similar to (egress)? pf.conf(5) describes parentheses
around interface names and interface groups, but self is
not mentioned:
The parentheses denote potentially dynamic addresses, and IIRC the