(Resending, I fessed up the inline reply)
Arigato gojaimas Trondd san for your very helpful reply.
I had understood from the documentation that tags were sticky. I also
understood that a packet can only have zero or one tag at any time.
Also, that a tag cannot be removed, but only replaced.
Howe
Arigato gojaimas Trondd san for your very helpful reply.
Sent: Thursday, January 11, 2018 at 3:17 AM
From: trondd
To: "Aham Brahmasmi"
Cc: misc@openbsd.org
Subject: Re: Probable mistake in PF tagging example ruleset order
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote:
>
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote:
> Hi,
>
> I am trying to learn and understand the pf tagging mechanism. I was
> wondering whether my understanding of the order in the example at
> https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then
>
Hi,
I am trying to learn and understand the pf tagging mechanism. I was
wondering whether my understanding of the order in the example at
https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then
there might be a mistake in the order. The relevant lines are
...
pass out on egress
Hi misc,
My PF box has 3 network cards. (Squid is also running on this PF box)
Wan1 , Wan2 and LAN
I want LAN users to reach Specific Destination IPs via Wan1, when they
browse squid proxy. Everything else via Wan2. ( /etc/mygate has been set
to Wan2 router ip )
Lan users' Internet browsers ha
* andy [2014-09-02 21:12]:
> Hoping this is a pretty dumb question and someone can just shoot me down
> with an instant answer but is there any reason why I can't compare against
> multiple tags?
because list expansion for that case is not implemented in the parser.
not hard to do at all...
--
Oooo, that's an exciting possibility :)
>
> Any opportunities for reducing PF rule sets is always great.
>
>
Yes, indeed. +1
--
cat /etc/motd
Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala
Fonts
On Wed, 3 Sep 2014 21:41:48 + (UTC), Stuart Henderson
wrote:
> On 2014-09-03, andy wrote:
>> I'm just trying to ask why this doesn't work;
>>
>> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>>
>> It gets a PF syntax error? Why?
>
> It's just not implemented in the parser in p
On 2014-09-03, andy wrote:
> I'm just trying to ask why this doesn't work;
>
> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>
> It gets a PF syntax error? Why?
It's just not implemented in the parser in pfctl, it shouldn't be
terribly hard to add..
On Wed, 03 Sep 2014 09:33:24 -0300, Giancarlo Razzolini
wrote:
> On 03-09-2014 09:08, andy wrote:
>> The DMZ was just an example.. We can call it anything ;)
>>
>> I'm just trying to ask why this doesn't work;
>>
>> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>>
>> It gets a PF sy
On 03-09-2014 09:08, andy wrote:
> The DMZ was just an example.. We can call it anything ;)
>
> I'm just trying to ask why this doesn't work;
>
> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>
> It gets a PF syntax error? Why?
>
>
> Thanks for your time, Andy.
I replied before witho
On Tue, 02 Sep 2014 18:33:02 -0300, Giancarlo Razzolini
wrote:
> On 02-09-2014 17:12, andy wrote:
>> So why does;
>> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>>
>> NOT expand out to;
>> pass out quick on $if_ext tagged T_LAN keep state
>> pass out quick on $if_ext tagged T_DMZ
On 02-09-2014 17:12, andy wrote:
> So why does;
> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>
> NOT expand out to;
> pass out quick on $if_ext tagged T_LAN keep state
> pass out quick on $if_ext tagged T_DMZ keep state
I didn't test. But if I recall correctly, that rule will ex
On Tue, 02 Sep 2014 16:37:38 -0300, Giancarlo Razzolini
wrote:
> On 02-09-2014 16:32, andy wrote:
>> Yes I wouldn't expect to be able to apply more than one tag, I'm asking
>> about checking for multiple matching tags?
>>
>> I.e pass out of the packet is 'tagged' with XXX or YYY or ZZZ.
> But that
On 02-09-2014 16:32, andy wrote:
> Yes I wouldn't expect to be able to apply more than one tag, I'm asking
> about checking for multiple matching tags?
>
> I.e pass out of the packet is 'tagged' with XXX or YYY or ZZZ.
But that's the point. If you assign a packet with multiple tags, only
the last o
On Tue, 02 Sep 2014 16:28:27 -0300, Giancarlo Razzolini
wrote:
> On 02-09-2014 16:10, andy wrote:
>> Hi,
>>
>> Hoping this is a pretty dumb question and someone can just shoot me down
>> with an instant answer but is there any reason why I can't compare against
>> multiple tags?
>>
>> E.g.
>> p
2014-09-02 23:10 GMT+04:00 andy :
> Hi,
>
> Hoping this is a pretty dumb question and someone can just shoot me down
> with an instant answer but is there any reason why I can't compare against
> multiple tags?
>
> E.g.
> pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI, T_OPS }
> qu
On 02-09-2014 16:10, andy wrote:
> Hi,
>
> Hoping this is a pretty dumb question and someone can just shoot me down
> with an instant answer but is there any reason why I can't compare against
> multiple tags?
>
> E.g.
> pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI, T_OPS }
> que
Hi,
Hoping this is a pretty dumb question and someone can just shoot me down
with an instant answer but is there any reason why I can't compare against
multiple tags?
E.g.
pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI, T_OPS }
queue (_wan_dflt,_wan_pri) set prio (1,4) keep state
* Claudio Jeker [2009-11-13 18:19]:
> > nat-to and rdr-to on pass rules are only applied if it is the last
> > matching rule. for match rules they're always applied.
> Maybe something like this. The result are that you need to have a
> "pass tagged FTPTAG" rule after the anchor (or one rule per di
Claudio Jeker wrote:
On Fri, Nov 13, 2009 at 05:44:41PM +0100, Henning Brauer wrote:
* Bryan S. Leaman [2009-11-13 17:37]:
Henning Brauer wrote:
* Bryan S. Leaman [2009-11-13 01:12]:
I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and
On Fri, Nov 13, 2009 at 05:44:41PM +0100, Henning Brauer wrote:
> * Bryan S. Leaman [2009-11-13 17:37]:
> > Henning Brauer wrote:
> > >* Bryan S. Leaman [2009-11-13 01:12]:
> > >>I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
> > >>-current and I came across an issue that
* Bryan S. Leaman [2009-11-13 17:37]:
> Henning Brauer wrote:
> >* Bryan S. Leaman [2009-11-13 01:12]:
> >>I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
> >>-current and I came across an issue that seems like a problem in the way
> >>"tagged" rules are handled. It's bre
Henning Brauer wrote:
* Bryan S. Leaman [2009-11-13 01:12]:
I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and I came across an issue that seems like a problem in the way
"tagged" rules are handled. It's breaking ftp-proxy with tagging when I
try to apply a
* Bryan S. Leaman [2009-11-13 01:12]:
> I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
> -current and I came across an issue that seems like a problem in the way
> "tagged" rules are handled. It's breaking ftp-proxy with tagging when I
> try to apply additional rules to t
I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and I came across an issue that seems like a problem in the way
"tagged" rules are handled. It's breaking ftp-proxy with tagging when I
try to apply additional rules to the tagged packets. The result is that I
can lo
un_if
(Packets entering on $wan_if on port 1194/TCP get tagged
'NORM' and can leave on $tun_if to port { 80, 443 }/TCP
_if_ they were tagged 'NORM' before)
Now PF knows about the relationship between $wan_if
and $tun_if.
-Mark
On Fri, Nov 11, 2005 at 03:37:57PM +01
In message "pf tagging and matching over more than one interface ..."
on 11.11.2005, David fire <[EMAIL PROTECTED]> writes:
Df> you only tag the package to port 1194 in both cases and you are allowing only
Df> tagged packages to ports 22, 80, 443
Port 1194 on wan_if is ha
hi
you only tag the package to port 1194 in both cases and you are allowing only
tagged packages to ports 22, 80, 443
David
2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
>
> I try to tag a connection on the wan_if and
> accordingly on the tag I'll restrict the
> access on an other interface li
I try to tag a connection on the wan_if and
accordingly on the tag I'll restrict the
access on an other interface like.
an example ...
pass in quick on wan_if proto tcp from to port 1194 tag NORM
keep state
pass in quick on wan_if proto tcp from to port 1194 tag POWER
keep state
pass in