On Monday 12 November 2007, Daniel Hartmeier wrote:
> On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:
> > Daniel, do you spot anything strange with these skip steps (or
> > otherwise)?
>
> The problem is the lack of IP reassembly in this configuration.
>
> In pf_test_fragment(), a rule w
On Fri, Nov 09, 2007 at 12:59:46AM +0100, Max Laier wrote:
> Daniel, do you spot anything strange with these skip steps (or otherwise)?
The problem is the lack of IP reassembly in this configuration.
In pf_test_fragment(), a rule with r->flagset ("flags S/SA") is skipped.
Generally, stateful fi
On Friday 09 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <[EMAIL PROTECTED]> writes:
> > No, I don't see why these two should behave differently, but you
> > should add a "scrub in on sk0" in any case.
>
> scrub is known and documented to interfere with NFS.
Only with broken NFS clients
Max Laier <[EMAIL PROTECTED]> writes:
> No, I don't see why these two should behave differently, but you should
> add a "scrub in on sk0" in any case.
scrub is known and documented to interfere with NFS.
DES
--
Dag-Erling Smørgrav - [EMAIL PROTECTED]
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <[EMAIL PROTECTED]> writes:
> > On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> > > With "pass on $eth from $lan to $lan", NFS doesn't work. With "pass on
> > > $eth inet proto { tcp, udp } from $lan to $lan", it does.
Max Laier <[EMAIL PROTECTED]> writes:
> On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> > With "pass on $eth from $lan to $lan", NFS doesn't work. With "pass on
> > $eth inet proto { tcp, udp } from $lan to $lan", it does.
> thinking about it, this could be a strange interaction with sk
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Max Laier <[EMAIL PROTECTED]> writes:
> > On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> >> but what you actually get is this:
> >>
> >> pass on $eth from $lan to $lan flags S/SA keep state
> >>
> >> which only matches TCP han
Max Laier <[EMAIL PROTECTED]> writes:
> On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
>> but what you actually get is this:
>>
>> pass on $eth from $lan to $lan flags S/SA keep state
>>
>> which only matches TCP handshakes, so your UDP streams are screwed.
> I don't think this is true.
On Thu, Nov 08, 2007 at 08:08:52PM +0100, Dag-Erling Smørgrav wrote:
> Given appropriate definitions for $eth and $lan, you'd expect the
> following rule to simply pass all traffic originating from and destined
> for the LAN:
>
> pass on $eth from $lan to $lan
>
> However, in pf, "keep state"
On Thursday 08 November 2007, Dag-Erling Smørgrav wrote:
> Given appropriate definitions for $eth and $lan, you'd expect the
> following rule to simply pass all traffic originating from and destined
> for the LAN:
>
> pass on $eth from $lan to $lan
>
> However, in pf, "keep state" is *implicit* (
Given appropriate definitions for $eth and $lan, you'd expect the
following rule to simply pass all traffic originating from and destined
for the LAN:
pass on $eth from $lan to $lan
However, in pf, "keep state" is *implicit* (why?), so you'd expect it to
turn into something like this:
pass o