On May 26 12:30:25, Stuart Henderson wrote:
> On 2012-05-26, Jan Stary <h...@stare.cz> wrote:
> > The "Passing Traffic" example at
> > http://www.openbsd.org/faq/pf/filter.html
> > doesn't seem to be completely accurate.
> >
> >     # Pass traffic in on dc0 from the local network, 192.168.0.0/24,
> >     # to the OpenBSD machine's IP address 192.168.0.1. Also, pass the
> >     # return traffic out on dc0.
> >     pass in  on dc0 from 192.168.0.0/24 to 192.168.0.1
> >     pass out on dc0 from 192.168.0.1 to 192.168.0.0/24
> >
> > It's the "return" that bugs me: the first rule alone
> > makes the _return_ traffic be passed. The second
> > rule allows traffic that originates (creates state)
> > on the way out. Right?
> >
> >
> Probably an incomplete conversion of the faq when the default was changed
> to stateful.

Exactly.

> If someone wants to carefully go over faq/pf/ (or at least going
> over one whole page rather than just parts of a page), check/update things
> and send a diff, that would be very nice and there's a good chance it would
> get committed..

Actually, I came across this when re-reading the whole PF FAQ earlier today
(but I couldn't say carefully); diff below.

        Jan


--- filter.html.orig    2012-05-26 15:15:13.000000000 +0200
+++ filter.html 2012-05-26 15:17:28.000000000 +0200
@@ -289,12 +289,10 @@ recommended because it errs on the side 
 writing a ruleset easier.
 
 <p>
-To create a default deny filter policy, the first two filter rules should
-be:
+To create a default deny filter policy, the first filter rule should be:
 <blockquote>
 <tt>
-block in &nbsp;all<br>
-block out all
+block all
 </tt>
 </blockquote>
 
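Review bot: the replacement `block all` is equivalent to the removed `block in &nbsp;all` / `block out all` pair, because a pf filter rule with no direction keyword applies to both inbound and outbound packets; consider saying so in the sentence being edited ("To create a default deny filter policy, the first filter rule should be:"), so readers who remember the two-rule form are not left wondering whether outbound traffic is still blocked by default.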
@@ -317,10 +315,9 @@ Some examples:
 <blockquote>
 <tt>
 # Pass traffic in on dc0 from the local network, 192.168.0.0/24,<br>
-# to the OpenBSD machine's IP address 192.168.0.1. Also, pass the<br>
-# return traffic out on dc0.<br>
-pass in &nbsp;on dc0 from 192.168.0.0/24 to 192.168.0.1<br>
-pass out on dc0 from 192.168.0.1 to 192.168.0.0/24<br>
+# to the OpenBSD machine's IP address 192.168.0.1. The return traffic<br>
+# gets passed too, thanks to statefull operation.<br>
+pass in on dc0 from 192.168.0.0/24 to 192.168.0.1<br>
 <br>
 <br>
 # Pass TCP traffic in on fxp0 to the web server running on the<br>
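Review bot: typo in the added comment line `# gets passed too, thanks to statefull operation.<br>`: "statefull" should be "stateful". The comment would also be clearer if it named what creates the state, e.g. "the pass in rule keeps state, so the return traffic out on dc0 is passed too", since the removed comment told the reader that the return path is out on dc0 and the new one no longer does.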

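The stateful behaviour discussed in the thread, as an added example that is not part of the mail or of the OpenBSD FAQ: a deliberately simplified model of pf's evaluation order (state lookup first, then last-matching rule wins; ports, TCP flags, `quick` and floating states are left out), run against the FAQ's dc0 rules with and without the questioned `pass out` rule. The `StatefulFilter` class, the `demo` helper and the packet addresses are constructed for this example.

```python
# Added example (not code from the thread or the FAQ): toy model of pf's
# stateful evaluation, showing why "pass in" alone admits the reply packets
# and that "pass out" only matters for traffic the firewall itself originates.
from ipaddress import ip_address, ip_network

OPPOSITE = {"in": "out", "out": "in"}

class StatefulFilter:
    """Simplified pf: last matching rule wins, a matching 'pass' creates
    state, and packets that match existing state never consult the ruleset."""

    def __init__(self, rules):
        # rule: (action, direction or None for both, iface or None, src_net, dst_net)
        self.rules = rules
        self.states = set()   # (iface, direction, src, dst) of the initiating packet

    def filter(self, iface, direction, src, dst):
        # Step 1: state lookup. A reply travels the opposite direction, src/dst swapped.
        if (iface, OPPOSITE[direction], dst, src) in self.states:
            return "pass (state)"
        # Step 2: ruleset evaluation, last match wins (no 'quick' in this model).
        verdict = "pass"   # pf's implicit verdict when no rule matches at all
        for action, rdir, riface, snet, dnet in self.rules:
            if rdir is not None and rdir != direction:
                continue
            if riface is not None and riface != iface:
                continue
            if ip_address(src) in ip_network(snet) and ip_address(dst) in ip_network(dnet):
                verdict = action
        if verdict == "pass":
            self.states.add((iface, direction, src, dst))   # 'keep state' is the default
        return verdict

def demo(with_pass_out):
    """Run the FAQ's dc0 ruleset, with or without the questioned 'pass out' rule."""
    rules = [
        ("block", None, None, "0.0.0.0/0", "0.0.0.0/0"),              # block all
        ("pass", "in", "dc0", "192.168.0.0/24", "192.168.0.1/32"),    # pass in on dc0 ...
    ]
    if with_pass_out:
        rules.append(("pass", "out", "dc0", "192.168.0.1/32", "192.168.0.0/24"))
    pf = StatefulFilter(rules)
    return [
        pf.filter("dc0", "in", "192.168.0.10", "192.168.0.1"),   # LAN host -> firewall: pass, creates state
        pf.filter("dc0", "out", "192.168.0.1", "192.168.0.10"),  # the reply: passed by state, no rule needed
        pf.filter("dc0", "out", "192.168.0.1", "192.168.0.20"),  # firewall-originated: needs 'pass out'
    ]

if __name__ == "__main__":
    print("without pass out:", demo(False))   # ['pass', 'pass (state)', 'block']
    print("with pass out:   ", demo(True))    # ['pass', 'pass (state)', 'pass']
```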