Ryan Corder wrote:
alternatively, I did this and it seemed to work
pass out on bge0 from inside to { any, !outside }
pass out on bge0 from inside to { any, !llcidr }
The above is an overkill equivalent to
pass out on bge0 from inside to any
which I doubt is what you want.
/Alexander
On Fri, 2007-03-16 at 11:09 +0100, Alexander Hall wrote:
Ryan Corder wrote:
alternatively, I did this and it seemed to work
pass out on bge0 from inside to { any, !outside }
pass out on bge0 from inside to { any, !llcidr }
The above is an overkill equivalent to
pass out on bge0
On Fri, 2007-03-16 at 19:29 +0100, Almir Karic wrote:
the {} thingy is strictly text expansion, which means your rules expand to:
pass out on bge0 from inside to any
pass out on bge0 from inside to !outside
pass out on bge0 from inside to any
pass out on bge0 from inside to !llcidr
if you
** Reply to message from Ryan Corder [EMAIL PROTECTED] on
Fri, 16 Mar 2007 14:01:38 -0500
very simply, this thread could have ended a day or two ago if the
following process had taken place:
1) is my syntax wrong? YES
2) OK, what is wrong with it? Pointed out and understood.
On Fri, 2007-03-16 at 12:59 -0700, Marco S Hyman wrote:
now. given that I have a default block all rule, is it possible to allow
out ALL traffic EXCEPT those packets bound for the addresses listed in
the outside and llcidr tables without the need for more block rules?
No, you need
On Fri, 2007-03-16 at 16:30 -0400, Dave Anderson wrote:
1) is my syntax wrong? YES
2) OK, what is wrong with it? Pointed out and understood.
Evidently, *not* understood.
Evidently, you can read my mind and know what I do and do not
understand. That's fricken' amazing!
3) Good, now
why do you bother asking questions if you are not willing to accept answers?
you either need:
pass out on bge0 from inside
block out on bge0 from inside to { outside, llcidr }
or:
block quick out on bge0 from inside to { outside, llcidr }
pass out on bge0 from inside
alternatively you could
* Martin Gignac [EMAIL PROTECTED] [2007-03-15 02:37]:
I think this can be explained by the default state policy (which is
floating) in pf. Consult the man page and look for 'set state-policy'.
do everything else but that.
really.
this is never ever your problem, except you do weird things with
On 3/15/07, Henning Brauer [EMAIL PROTECTED] wrote:
do everything else but that.
really.
this is never ever your problem, except you do weird things with
tunnels or the like.
Gotcha.
-Martin
--
Suburbia is where the developer bulldozes out the trees, then names
the streets after them.
On Thu, 2007-03-15 at 01:39 +, Stuart Henderson wrote:
feed the rule into pfctl -nvf - and see how it's expanded.
basically what you would expect...
$ pfctl -nvf -
pass out on bge0 from inside to { !outside , !llcidr } tagged INSIDE keep state flags S/SA
pass out on bge0 from inside to !
On Thu, 2007-03-15 at 15:32 +, Stuart Henderson wrote:
On 2007/03/15 10:25, Ryan Corder wrote:
On Thu, 2007-03-15 at 01:39 +, Stuart Henderson wrote:
feed the rule into pfctl -nvf - and see how it's expanded.
basically what you would expect...
pass out on bge0 from inside to !
On 2007/03/15 16:00, Ryan Corder wrote:
pass out to everyone-apart-from-outside
pass out to everyone-apart-from-llcidr
This blocks only the intersection of outside and llcidr
(probably nobody).
ok, so I want:
pass out to everyone-except-from-outside
pass out to
On Thu, 2007-03-15 at 22:42 +, Stuart Henderson wrote:
No, that would expand to three rules, one passing all traffic from
inside and the other two as above.
you either need:
pass out on bge0 from inside
block out on bge0 from inside to { outside, llcidr }
or:
block quick out
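The point Stuart makes above (a braced list is pure text expansion, so `to { !outside, !llcidr }` becomes two independent pass rules and only blocks the intersection of the two tables) is easy to see by modelling pf's expansion and last-match evaluation. The following is an added example, not code from the thread: a small Python model of brace expansion, per-element negation, and pf's last-matching-rule-wins semantics with `quick`. The `outside` and `inside` tables are the ones from the original ruleset; the `llcidr` contents are not shown on the page, so the link-local range used here is an assumption, as are the sample destination addresses.

```python
"""Model of how pf expands a { a, b } destination list and then evaluates
the resulting rules (last match wins, 'quick' stops evaluation)."""
import ipaddress

# Tables from the original ruleset. llcidr is not shown on the page, so the
# link-local range is an assumption made for this example.
TABLES = {
    "outside": ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
    "inside":  ["10.0.4.0/24", "10.0.5.0/24"],
    "llcidr":  ["169.254.0.0/16"],  # assumed contents
}


def expand(action, quick, dsts):
    """A braced list is text expansion: one rule per element. A leading '!'
    negates only the element it is attached to, not the whole list."""
    return [(action, quick, dst) for dst in dsts]


def render(rules):
    """Render expanded rules roughly the way 'pfctl -nvf -' would echo them."""
    lines = []
    for action, quick, spec in rules:
        lines.append(f"{action}{' quick' if quick else ''} out on bge0 from inside to {spec}")
    return lines


def dst_matches(spec, ip):
    """Does destination 'ip' match a single (possibly negated) spec?"""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    if name in TABLES:
        hit = any(ip in ipaddress.ip_network(n) for n in TABLES[name])
    else:
        hit = ip in ipaddress.ip_network(name)
    return hit != negate


def evaluate(rules, ip, default="block"):
    """pf semantics: the last matching rule decides, unless a matching rule
    is 'quick', in which case evaluation stops there. 'default' models the
    'block all' rule at the top of the poster's ruleset."""
    ip = ipaddress.ip_address(ip)
    verdict = default
    for action, quick, spec in rules:
        if dst_matches(spec, ip):
            verdict = action
            if quick:
                break
    return verdict


def verdicts(rules, ips):
    return {ip: evaluate(rules, ip) for ip in ips}


# The rule that started the thread: pass out ... to { !outside, !llcidr }
NAIVE = expand("pass", False, ["!outside", "!llcidr"])

# The { any, !outside } variant: expands to a rule that passes everything.
ANY_NOT_OUTSIDE = expand("pass", False, ["any", "!outside"])

# The two correct forms from the thread.
PASS_THEN_BLOCK = (expand("pass", False, ["any"])
                   + expand("block", False, ["outside", "llcidr"]))
BLOCK_QUICK_THEN_PASS = (expand("block", True, ["outside", "llcidr"])
                         + expand("pass", False, ["any"]))

# Constructed sample destinations: one in outside, one in llcidr, one in neither.
SAMPLE = ["10.0.1.5", "169.254.1.1", "8.8.8.8"]

if __name__ == "__main__":
    for name, rules in [("naive", NAIVE), ("any+!outside", ANY_NOT_OUTSIDE),
                        ("pass then block", PASS_THEN_BLOCK),
                        ("block quick then pass", BLOCK_QUICK_THEN_PASS)]:
        print(f"== {name} ==")
        print("\n".join(render(rules)))
        print(verdicts(rules, SAMPLE))
```

Running it shows the naive rule passing all three sample destinations (a host in `outside` fails the `!outside` rule but matches `!llcidr`, and vice versa), while both corrected forms block the `outside` and `llcidr` destinations and pass the rest. The real check on an OpenBSD box is still `pfctl -nvf -`, which prints the same expansion.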
I have a fairly simple ruleset and it doesn't seem to be working right
for me...at least it doesn't make much sense.
ext_if=bge0
int_if=bge1
table outside const { 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 }
table inside const { 10.0.4.0/24, 10.0.5.0/24 }
table others const {
I think this can be explained by the default state policy (which is
floating) in pf. Consult the man page and look for 'set state-policy'.
I think that by default, because you're letting the packets through in
your first 'pass' rule you create state. When you get to the outside
interface you
pass out on $ext_if from inside to { !outside, !others } tagged INSIDE keep state flags S/SA
feed the rule into pfctl -nvf - and see how it's expanded.