On Saturday 09 September 2006 19:06, Stuart Henderson wrote:
> So,
>
> - the only difference in pf.conf between working and not-working
> is that working uses addresses directly in the rules, and not-working
> uses tables;
>
> - your tables did load correctly and show the addresses with -Ts
Lists all tables
> Maybe it would help to post pfctl -sr -vv with the direct entry
> (i.e. working) and table (i.e. not-working). Perhaps pfctl -sT -v
> too.
Since pflog0 tells me which rule was used I only include that rule. The first
one is working and the second is not.
pass out log on $WAN proto tcp from any to any port $Web keep state
@16 pass out log on bge0 proto tcp from any to any port = www keep state
[ Evaluations: 2 Packets: 23 Bytes: 5873 States: 0 ]
[ Inserted: uid 0 pid 27950 ]
pass out log on $WAN proto tcp from <managers> to any port $Web keep state
@7 block drop out log on bge0 all
[ Evaluations: 6 Packets: 1 Bytes: 64 States: 0 ]
[ Inserted: uid 0 pid 31006 ]
-pa-r- admins
-pa--- customers
-pa-r- extadmin
-pa-r- http-operators
--a-r- managers
-pa-r- operators
> well, by listing numeric addresses, it will work as soon as DNS
> unbreaks - by listing names, if just one entry fails to resolve,
> the whole file will not be loaded.
Ah, yes. That would not be good. Squid would be better in that regard.
--
Steve Szmidt
"To enjoy the right of political self-government, men must be
capable of personal self-government - the virtue of self-control.
A people without decency cannot be secure in its liberty."
From the Declaration Principles
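Added example, not from the thread: the fragile hostname-based table beside the numeric, file-backed form Stuart recommends, with the pfctl checks that expose a rejected ruleset or a packet falling through to the block rule (interface, port and address values are placeholders).

```pf
# Added example; interface name, ports, file path and addresses are placeholders.
wan = "bge0"
web = "{ 80, 443 }"

# Fragile: hostnames are resolved when the ruleset is loaded. If a single name
# fails to resolve, pfctl rejects the whole file and the old rules stay in place.
# table <managers> { mgmt-1.example.net, mgmt-2.example.net }

# Robust: numeric addresses kept in their own file, one address per line, so the
# table can be edited without reloading the rules; 'persist' keeps the table
# around even when no rule currently references it.
table <managers> persist file "/etc/pf/managers"

block drop out log on $wan all
pass out log on $wan proto tcp from <managers> to any port $web keep state

# Checks (run as root):
#   pfctl -nf /etc/pf.conf        # parse only: catches unresolved names before loading
#   pfctl -t managers -T show     # the addresses actually present in the table
#   pfctl -sT -v                  # table flags: 'a' active, 'p' persist, 'r' referenced
#   pfctl -sr -vv                 # per-rule counters; traffic that was meant to match the
#                                 # <managers> rule but counts on the block rule means the
#                                 # source address is not in the table
#   pfctl -t managers -T add 192.0.2.10   # add an entry without reloading the ruleset
```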