On Tue, May 20, 2008 at 10:03:32PM -0700, Jason C. Wells wrote:
> Jeremy Chadwick wrote:
>
>> I believe it's because pf(4) doesn't make assumptions about what you
>> want to filter. NAT is stateful (it has to be, because packets are
>> being re-written, and the WAN-side port numbers are going to b
Jeremy Chadwick wrote:
I believe it's because pf(4) doesn't make assumptions about what you
want to filter. NAT is stateful (it has to be, because packets are
being re-written, and the WAN-side port numbers are going to be
different than the LAN-side), but filtering rules still apply **after**
On Tue, May 20, 2008 at 06:27:47PM -0700, Jason C. Wells wrote:
> I have these rules (and others) in pf.conf:
>
> nat pass on $ext_if from $int_net to any -> ($ext_if)
>
> block in all
> block out all
>
> I cannot connect to websites unless I also add:
>
> pass proto { tcp, udp } from any to any po
Tue, May 20, 2008 at 11:24:46PM +0200, Henrik Brix Andersen wrote:
> On Tue, May 20, 2008 at 04:48:43PM -0400, Tom Uffner wrote:
> > was this an accidental omission, as it appears to be since the rest
> > of the pf files including /etc/pf.os are included, or was it done by
> > design?
>
> By desig
I have these rules (and others) in pf.conf:
nat pass on $ext_if from $int_net to any -> ($ext_if)
block in all
block out all
I cannot connect to websites unless I also add:
pass proto { tcp, udp } from any to any port http keep state
My understanding is that nat rules are inherently stateful.
On 5/20/08, Cristian Bradiceanu <[EMAIL PROTECTED]> wrote:
> On Tue, May 20, 2008 at 7:20 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> > On Tue, May 20, 2008 at 06:30:58PM +0300, Cristian Bradiceanu wrote:
> >> I am trying to set up split routing on two Internet links, each with
> >> one IP
On Tue, May 20, 2008 at 04:48:43PM -0400, Tom Uffner wrote:
> the sample config file /etc/pf.conf is not included in the 7.0-STABLE
> minimal installation.
>
> was this an accidental omission, as it appears to be since the rest
> of the pf files including /etc/pf.os are included, or was it done by
Tom Uffner wrote:
the sample config file /etc/pf.conf is not included in the 7.0-STABLE
minimal installation.
was this an accidental omission, as it appears to be since the rest
of the pf files including /etc/pf.os are included, or was it done by
design?
I think it was moved in /usr/share/exampl
Hi,
I suspect pf is caching invalid outdated dynamic addresses. After this
happens, all requests sent from internal hosts are sent with the
previous dynamic address as source address and are ignored by our
provider. Requests sent directly from our pf-box use the new dynamic
address as expecte
On Tue, May 20, 2008 at 7:20 PM, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> On Tue, May 20, 2008 at 06:30:58PM +0300, Cristian Bradiceanu wrote:
>> I am trying to set up split routing on two Internet links, each with
>> one IP address:
>>
>> em0 = wan1, $em0_gw gateway
>> em1 = lan, NATed on em0
the sample config file /etc/pf.conf is not included in the 7.0-STABLE
minimal installation.
was this an accidental omission, as it appears to be since the rest
of the pf files including /etc/pf.os are included, or was it done by
design?
tom
On Tue, May 20, 2008 at 06:30:58PM +0300, Cristian Bradiceanu wrote:
> I am trying to set up split routing on two Internet links, each with
> one IP address:
>
> em0 = wan1, $em0_gw gateway
> em1 = lan, NATed on em0 and em2
> em2 = wan2, default gateway
>
> pass in on em0 reply-to (em0 $em0_gw) i
Hello,
I am trying to set up split routing on two Internet links, each with
one IP address:
em0 = wan1, $em0_gw gateway
em1 = lan, NATed on em0 and em2
em2 = wan2, default gateway
pass in on em0 reply-to (em0 $em0_gw) inet proto tcp from any to em0
flags S/SA keep state
pass in on em0 reply-to (
13 matches