On 2007/07/20 10:46, Gordon Ross wrote:
> Going off on a tangent here: Why is it that I've just picked this up and
> no-one else has ?
I think because you had no rules (pass or block) affecting outgoing
packets - it's quite common to start things off with just 'block'
(without specifying the direc

>>> On 20 July 2007 at 10:04, in message <[EMAIL PROTECTED]>, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/07/20 08:45, Gordon Ross wrote:
>> > Might be below the minimum; there's no explicit "pass out".
>>
>> No, the packets get out the "other side" of the OBSD box to the destination,
>>

On 2007/07/20 08:45, Gordon Ross wrote:
> > Might be below the minimum; there's no explicit "pass out".
>
> No, the packets get out the "other side" of the OBSD box to the destination,
> it's the return packets that get blocked.
Yes, exactly. Your implicit 'pass out' will allow the outbound
packe

>>> On 19 July 2007 at 23:52, in message <[EMAIL PROTECTED]>, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/07/19 15:38, Gordon Ross wrote:
>> Cutting down the pf ruleset to the bare minimum, I have:
>
> Might be below the minimum; there's no explicit "pass out".
> There's an implicit one,

>>> On 19 July 2007 at 18:55, in message <[EMAIL PROTECTED]>, Dag Richards <[EMAIL PROTECTED]> wrote:
> Gordon Ross wrote:
>> So why is this different to what I put?
>>
>> #These three lines allow the failover mechanisms to work
>> pass on { $int_if } proto carp keep state
pass on { $adsl_if }

>>> On 19 July 2007 at 23:52, in message <[EMAIL PROTECTED]>, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/07/19 15:38, Gordon Ross wrote:
>> Cutting down the pf ruleset to the bare minimum, I have:
>
> Might be below the minimum; there's no explicit "pass out".
No, the packets get out th

On 2007/07/19 15:38, Gordon Ross wrote:
> Cutting down the pf ruleset to the bare minimum, I have:
Might be below the minimum; there's no explicit "pass out".
There's an implicit one, but I suspect it might not be keeping
state (though the default as of 4.1 is to keep state, I suspect
this _may_ a

Gordon Ross wrote:
So why is this different to what I put?
#These three lines allow the failover mechanisms to work
pass on { $int_if } proto carp keep state
pass on { $adsl_if } proto carp keep state
pass quick on { $pfsync_if} proto pfsync
The only difference I can see, is that your lines wo

So why is this different to what I put?
#These three lines allow the failover mechanisms to work
pass on { $int_if } proto carp keep state
pass on { $adsl_if } proto carp keep state
pass quick on { $pfsync_if} proto pfsync
The only difference I can see, is that your lines would allow CARP on the

I think you will find that since carp is communicated with multicast
that your rules are not behaving as you think.
They are allowing the outbound transmissions, but since you are not
establishing tcp sessions the keep state does not do what you want.
Try explicitly allowing in protocol carp