Penned by Matt S on 20110411 16:59.09, we have:
| Okay, I did that but apparently I spoke too soon as a tcpdump reveals packets 
| are still being blocked.  Here is an example from a tcpdump on the pflog0 
| interface:
| 
| Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: 172.16.254.2 > 
| 10.40.60.1: icmp: echo request (gre encap)
| 
| I guess I need to specifically allow GRE traffic?

Since you're not skipping on tun(4), that seems to be accurate.
 
| Thanks,
| Matt
| 
| On 04/11/11 23:34, Matt S wrote:
| > Hello Everyone:
| > 
| > I am using 4.8 RELEASE.  Given the following pf.conf, would anyone be able to
| > tell me why gre0 is not being skipped?
| > 
| > set skip on lo
| > set skip on gre0
| > set skip on enc0
| 
| You need to combine them, or they override each other.
| 
| set skip on { lo0, gre0, enc0 }
| 
| /Alexander
| 
| > 
| > anchor "ftp-proxy/*"
| > 
| > block in all
| > pass out all
| > 
| > antispoof for tun0
| > table <bruteforce> persist
| > table <trustednets> {10.40.60.0/24, 10.40.65.0/24}
| > 
| > match out on tun0 from 10.40.60.0/24 to any nat-to (tun0)
| > 
| > 
| > block log quick from <bruteforce>
| > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
| > pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
| > pass inet proto icmp all icmp-type {echoreq, unreach}
| > pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
| > pass on em0 from {trustednets} to any
| > 
| > 
| > In order for in-bound packets from 10.40.65.1 not to be dropped, I have to
| > ping it 10.40.64.1 from 10.40.60.1 to set a state.  Any help that you can
| > provide would be appreciated.
| > 
| > Thanks,
| > Matt

-- 
Todd Fries .. t...@fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| 2525 NW Expy #525, Oklahoma City, OK 73112  \  sip:freedae...@ekiga.net
| "..in support of free software solutions."  \  sip:4052279...@ekiga.net
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt
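An added check for the two points raised in this thread, written for this page and not taken from the thread, from OpenBSD or from pf itself: it lints a pf.conf for repeated `set skip on` lines (which, as Alexander states, override each other, so only the last one takes effect), proposes the combined brace-list form, and reads a pflog line like the one Matt pasted to show that the blocking interface (tun0) is not in the effective skip set even though gre0 is. The sample pf.conf and pflog line are constructed from the thread; the "last line wins" rule is taken from the thread's statement rather than verified against pf source.

```python
"""Lint for the `set skip on` pitfall and the pflog line from the thread.

Assumption (from the thread, not verified against pf source): multiple
`set skip on X` lines override each other, so only the last one is in effect.
"""
import re

# Constructed sample: the three separate lines from the original post.
SAMPLE_CONF = """\
set skip on lo
set skip on gre0
set skip on enc0

anchor "ftp-proxy/*"

block in all
pass out all
"""

# Constructed sample: the pflog0 tcpdump line from the thread.
SAMPLE_PFLOG = ("Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: "
                "172.16.254.2 > 10.40.60.1: icmp: echo request (gre encap)")

SKIP_RE = re.compile(r'^\s*set\s+skip\s+on\s+(.+?)\s*$')
PFLOG_RE = re.compile(r'rule\s+(\S+)\s+(block|pass)\s+(in|out)\s+on\s+(\w+):')


def skip_lists(conf_text):
    """One list of interface names per `set skip on` line, in file order."""
    result = []
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0]          # drop trailing comments
        m = SKIP_RE.match(line)
        if not m:
            continue
        spec = m.group(1).strip()
        if spec.startswith('{') and spec.endswith('}'):
            spec = spec[1:-1]
        # brace lists may be separated by commas and/or whitespace
        result.append([n for n in re.split(r'[,\s]+', spec) if n])
    return result


def effective_skip(conf_text):
    """Interfaces actually skipped: per the thread, the last line wins."""
    lists = skip_lists(conf_text)
    return lists[-1] if lists else []


def merged_skip_line(conf_text):
    """Single combined `set skip on { ... }` line covering every interface."""
    seen = []
    for names in skip_lists(conf_text):
        for n in names:
            if n not in seen:
                seen.append(n)
    return 'set skip on { ' + ', '.join(seen) + ' }' if seen else None


def lint_skip(conf_text):
    """Warnings about overridden `set skip` lines; empty when there are none."""
    lists = skip_lists(conf_text)
    if len(lists) <= 1:
        return []
    lost = [n for names in lists[:-1] for n in names if n not in lists[-1]]
    return ['%d separate "set skip on" lines; only the last (%s) takes effect, '
            'so %s are not skipped. Combine them as: %s'
            % (len(lists), ' '.join(lists[-1]), ', '.join(lost),
               merged_skip_line(conf_text))]


def explain_pflog(line, conf_text):
    """Pull action/direction/interface out of a pflog tcpdump line and say
    whether that interface is in the effective skip set of conf_text."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rule, action, direction, iface = m.groups()
    return {
        'rule': rule, 'action': action, 'direction': direction, 'iface': iface,
        'gre_encap': '(gre encap)' in line,
        'iface_skipped': iface in effective_skip(conf_text),
    }


if __name__ == '__main__':
    for w in lint_skip(SAMPLE_CONF):
        print('warning:', w)
    info = explain_pflog(SAMPLE_PFLOG, SAMPLE_CONF)
    print('blocked on %s, skipped=%s, gre_encap=%s'
          % (info['iface'], info['iface_skipped'], info['gre_encap']))
```

Run against the constructed sample it reports that only enc0 is skipped and suggests `set skip on { lo, gre0, enc0 }`; for the pflog line it reports a block on tun0 with tun0 not skipped and the payload GRE-encapsulated, which is why skipping gre0 alone does not help and a pass rule for that traffic on tun0 is needed, as the thread concludes.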
