* Olivier Mehani <sht...@ssji.net> [2009-08-14 14:45]:
> On Thu, Aug 13, 2009 at 05:31:39PM +0200, Henning Brauer wrote:
> > > I'm suspecting that syntax "(interface)" in pf.conf only
> > > resolves to the IPv4 addresses of the interface.
> > wrong.
>
> Right, thanks for this terse answer Henning (:
>
> I investigated further, and found the cause of my problems to lie in the
> fact that I was mentioning the address family in the rules.
>
> Here are relevant excerpts of my pf.conf
>
> ext_if="sis0"
> ...
> block all
> ...
> pass in on $ext_if proto tcp from any to ($ext_if) \
> port ssh flags S/SA keep state

did you have an "inet" in there? otherwise it is the same rule as the one
you present as solution below.

> pass in on $ext_if inet6 proto tcp from any to ($ext_if) \
> port ssh flags S/SA keep state
>
> The (almost) duplication is due to my previously using a tunnel provided
> by SixXS, thus having an additional interface only for IPv6. My ISP now
> provides native IPv6, so I just s/sixxs_if/ext_if/g my configuration
> file (yes, that's my way of bluntly copying).
>
> To solve my problem, I replaced the duplicated rules by a single similar
> one which does not specify any address family:
>
> pass in on $ext_if proto tcp from any to ($ext_if) \
> port ssh flags S/SA keep state
>
> This now works like a charm.
>
> What I don't understand, though, is why it wasn't working with the
> original set of rules, as they look very similar to me, and I would have
> expected them to achieve the same behavior, if not as efficiently.
>
> What am I missing?

from the excerpts you show it is impossible to tell, that should (and I
am sure: would) have just worked.

the rule is like this: a pf rule applies to both inet and inet6, unless:
-it is explicitly limited to one af by using the inet/inet6 passwords
-from and/or to are explicitly of one address family, i. e. an ip.

pass                                        # covers both
pass inet                                   # inet only
pass inet6                                  # ipvcrap only
pass from (someinterface)                   # both
pass from (someinterface) to 127.0.0.1      # inet only

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
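The address-family rule Henning states above (a pf rule covers both inet and inet6 unless an inet/inet6 keyword or a literal address of one family narrows it) is easy to apply by hand to one rule and easy to get wrong across a whole pf.conf, which is how duplicated IPv4/IPv6 rule sets like the one in this thread drift apart. The following script is an added example, not part of this thread and not pf's own parser: it infers the address families each pass/block/match rule covers, using only the subset of pf.conf syntax seen here (macros such as `$ext_if`, interface operands such as `($ext_if)`, `any`, single literal addresses or CIDR prefixes, backslash continuation lines). The `SAMPLE_CONF` is constructed from the rules quoted in the thread plus one deliberately contradictory rule; hostnames and tables are treated as covering both families, which is an approximation.

```python
import ipaddress

# Added example: infer which address families a pf rule applies to, following
# the rule from the thread. Not pf's parser; handles only the syntax subset
# seen in the thread (macros, (iface) operands, "any", literal IPs/prefixes).

BOTH = frozenset({"inet", "inet6"})
RULE_ACTIONS = ("pass", "block", "match")


def _literal_family(token):
    """Return 'inet'/'inet6' if token is a literal IP or prefix, else None.

    Macros ($ext_if), interface operands ((sis0)), 'any', <tables> and
    hostnames are not literals, so they do not narrow the family."""
    token = token.lstrip("!")  # pf allows negation: "from !10.0.0.1"
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None
    return "inet" if net.version == 4 else "inet6"


def rule_families(rule):
    """Return the set of address families a single pf rule covers.

    Starts at both families and intersects with every narrowing constraint,
    so a self-contradictory rule (e.g. 'inet6 ... to 127.0.0.1') ends up
    covering no family at all."""
    tokens = rule.replace("\\", " ").split()
    families = set(BOTH)
    for i, tok in enumerate(tokens):
        if tok in BOTH:                     # explicit inet / inet6 keyword
            families &= {tok}
        elif tok in ("from", "to") and i + 1 < len(tokens):
            fam = _literal_family(tokens[i + 1])
            if fam is not None:             # literal address narrows it
                families &= {fam}
    return families


def lint(conf):
    """Return [(rule_text, families)] for every pass/block/match rule.

    Joins backslash continuation lines and strips '#' comments first."""
    results = []
    pending = ""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):             # continuation: keep collecting
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        words = line.split()
        if words and words[0] in RULE_ACTIONS:
            results.append((line, rule_families(line)))
    return results


def contradictory_rules(conf):
    """Rules whose constraints leave no address family; these can never match."""
    return [rule for rule, fams in lint(conf) if not fams]


# Constructed sample: the rules quoted in the thread, plus one
# deliberately contradictory rule at the end.
SAMPLE_CONF = """\
ext_if="sis0"
block all
pass in on $ext_if proto tcp from any to ($ext_if) \\
    port ssh flags S/SA keep state
pass in on $ext_if inet6 proto tcp from any to ($ext_if) \\
    port ssh flags S/SA keep state
pass from (someinterface) to 127.0.0.1
pass inet6 from any to 127.0.0.1          # contradictory, matches nothing
"""

if __name__ == "__main__":
    for rule, fams in lint(SAMPLE_CONF):
        label = "+".join(sorted(fams)) if fams else "NONE (never matches)"
        print(f"{label:22s} {rule}")
```

Run it against a real pf.conf to see at a glance which rules are family-specific; the `inet6` rule in the thread shows up as inet6-only while the replacement rule without a keyword shows up as covering both, which is exactly why the single rule was sufficient.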