--- b h <[EMAIL PROTECTED]> wrote:

> Date: Tue, 7 Jun 2005 11:30:51 -0700 (PDT)
> From: b h <[EMAIL PROTECTED]>
> Subject: Re: pf stopped working i think...
> To: j knight <[EMAIL PROTECTED]>,
> pf@benzedrine.cx
> 
> --- j knight <[EMAIL PROTECTED]> wrote:
> 
> > Jon Simola wrote:
> > > On 6/5/05, b h <[EMAIL PROTECTED]> wrote:
> > > 
> > > 
> > >>Or, could someone please point out something I might
> > >>have missed/case of the stupids?
> > > 
> > > 
> > >>block log all
> > >>pass quick on lo all
> > >>antispoof quick for lo
> > 
> > The documentation explicitly says not to use antispoof on loopback 
> > interfaces. And Jon's right. You have a "quick" rule and then your 
> > antispoof rule; makes no sense.
> > 
> > > The loopback interface is "lo0", not "lo". And you should probably
> > > have the antispoof before the pass quick for lo0.
> > 
> > "lo" is valid as it will apply to all loopback-type interfaces. You can 
> > do the same with other drivers as well ("em", "vlan", etc).
> > 
> 

pass quick on lo all

used to work before the hackathon.

pass quick on lo0 all

is what is needed now in my example.  I thank all
those that offered this suggestion - I thought for
sure I had changed all of them to lo0 just for clarity,
because others also told me lo should work. 

Seeing Henning doing stuff with interface groups, I'm
not sure if this is a temporary change/oversight or
not, so I will hold off on sending a diff....

thanks to all for their help - Gerardo, Jason, Joel,
Jon, and any I might have missed.

bob

complete pf.conf:

ext_if = "fxp0"

set block-policy return
set loginterface $ext_if
scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if proto tcp from any to port https -> 127.0.0.1 port 5222
rdr pass on $ext_if proto tcp from any to port ftp -> 127.0.0.1 port 5223

block log all
block drop in quick log on $ext_if proto { tcp, udp } from any os Linux to any port ssh
pass quick on lo0 all
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if inet proto tcp from any to (lo0) port { 5222, 5223 } flags S/SA keep state
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
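The two points argued in the thread, that a "quick" pass rule followed by an antispoof rule for the same interface can never fire, and that the documentation warns against antispoof on loopback, can be checked with a small model of pf's evaluation order (last matching rule wins, a matching "quick" rule ends the search). This is an added example, not pf code and not anything posted in the thread. Its packet and rule representations and helper names are assumptions; the expansion of "antispoof for lo0" into one "block in on ! lo0 from 127.0.0.0/8" rule plus one "block in from 127.0.0.1" rule follows the example given in pf.conf(5); and a bare driver name such as "lo" is modelled as matching every unit of that driver, which is the documented group behaviour the thread disagrees about.

```python
"""Toy model of pf rule evaluation and of the rules 'antispoof' expands
into.  Added example for the pf@ thread; not pf code.  The Packet/Rule
layout, helper names and sample packets are assumptions made here."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    iface: str       # interface the packet is seen on, e.g. "lo0", "fxp0"
    direction: str   # "in" or "out"
    src: str         # source IPv4 address


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    iface: Optional[str] = None      # interface or driver name; None = any
    iface_negate: bool = False       # "on ! lo0"
    src: Optional[str] = None        # source network; None = any
    quick: bool = False
    note: str = ""                   # the pf.conf text the rule stands for


def iface_matches(rule_iface: Optional[str], pkt_iface: str) -> bool:
    """'lo0' matches only lo0; a bare driver name such as 'lo' or 'em'
    matches every unit of that driver (lo0, lo1, ...).  Modelling
    assumption taken from the thread's description of 'on lo'."""
    if rule_iface is None or rule_iface == pkt_iface:
        return True
    if rule_iface[-1].isdigit():      # a specific unit: exact match only
        return False
    tail = pkt_iface[len(rule_iface):]
    return pkt_iface.startswith(rule_iface) and tail.isdigit()


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    on_iface = iface_matches(rule.iface, pkt.iface)
    if rule.iface_negate:
        on_iface = not on_iface
    if not on_iface:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    return True


def antispoof(iface: str, nets: list, addrs: list, quick: bool) -> list:
    """Expansion shown in pf.conf(5): drop packets whose source is in the
    interface's network but which arrive on any OTHER interface, and drop
    packets claiming the interface's own address on ANY interface.  The
    second half is what interferes with loopback traffic."""
    rules = [Rule("block", "in", iface, True, net, quick,
                  f"antispoof for {iface}: block in on ! {iface} from {net}")
             for net in nets]
    rules += [Rule("block", "in", None, False, f"{addr}/32", quick,
                   f"antispoof for {iface}: block in from {addr}")
              for addr in addrs]
    return rules


def evaluate(rules: list, pkt: Packet) -> Rule:
    """pf semantics: the last matching rule decides, except that a
    matching 'quick' rule ends evaluation immediately."""
    winner = Rule("pass", note="default pass (no rule matched)")
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r.quick:
                break
    return winner


def decide(rules: list, pkt: Packet) -> str:
    return evaluate(rules, pkt).action


LOOPBACK_NETS = ["127.0.0.0/8"]     # constructed loopback values
LOOPBACK_ADDRS = ["127.0.0.1"]

# Ordering as first posted: the quick pass sits in front, so the antispoof
# rules behind it never see loopback traffic.
ORIGINAL = ([Rule("block", note="block log all"),
             Rule("pass", iface="lo", quick=True, note="pass quick on lo all")]
            + antispoof("lo", LOOPBACK_NETS, LOOPBACK_ADDRS, quick=True))

# The other ordering suggested in the thread: antispoof before the pass.
ANTISPOOF_FIRST = ([Rule("block", note="block log all")]
                   + antispoof("lo0", LOOPBACK_NETS, LOOPBACK_ADDRS, quick=True)
                   + [Rule("pass", iface="lo0", quick=True,
                           note="pass quick on lo0 all")])

if __name__ == "__main__":
    local = Packet("lo0", "in", "127.0.0.1")     # genuine loopback traffic
    spoofed = Packet("fxp0", "in", "127.0.0.1")  # 127/8 source on the wire
    for name, rs in (("original", ORIGINAL), ("antispoof first", ANTISPOOF_FIRST)):
        for pkt in (local, spoofed):
            r = evaluate(rs, pkt)
            print(f"{name:16} {pkt.iface:5} from {pkt.src:10} -> {r.action:5} by: {r.note}")
```

Running it shows the original ordering passing loopback traffic on the "pass quick on lo" rule (the antispoof rules are dead), while putting antispoof first blocks genuine 127.0.0.1 traffic on lo0 through the "block in from 127.0.0.1" rule, which is the loopback interference pf.conf(5) warns about. Spoofed 127/8 packets arriving on fxp0 are blocked either way.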
