Shame on me ;-)
Now I saw:
"if neither are specified, the rule will match packets in both directions."
Original message
From: Markus Rosjat
Sent: Friday, 20 October 2017 15:32
To: misc@openbsd.org
Subject: Re: a pf question maybe asked a 1000 times
Hi,
as far as I und
Hi,
as far as I understood the whole thing
On 20.10.2017 at 15:09, Michael Hekeler wrote:
pass on hvn0 inet proto icmp all icmp-type echoreq
just to be curious: what is the effect of "on" in your rules "pass on ..."
According to pf.conf(5) there are only "in" or "out"
this should allow traffic i
On Fri, Oct 20, 2017 at 9:09 AM, Michael Hekeler
wrote:
>
> Glad to hear that you have solved the problem
>
>
> > as you may notice I added the ping and the dns to the ruleset since
> > this was blocked in the original set of rules.
>
> You can allow outgoing dns with one single rule:
>
> pass
Glad to hear that you have solved the problem
> as you may notice I added the ping and the dns to the ruleset since
> this was blocked in the original set of rules.
You can allow outgoing dns with one single rule:
pass out on $ext_if inet proto { tcp, udp } from $ext_if \
to any port dom
Hi Michael,
as far as pfctl -sr goes a block return expands to block return all
but since I got it working now, here is the ruleset that does what it
is supposed to do :)
ext_if="hvn0"
set skip on lo
block return    # block stateless traffic
block inet6
pass on $ext_if inet proto {tcp udp} to p
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
> ...
> block return    # block stateless traffic
Hi Markus, here's another hint:
no matter if you want to drop silently or send a return for the dropped
packet, you have to tell **on which packet the block action should react**
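The three direction points made in this thread (a rule with neither "in" nor "out" matches packets in both directions, a bare "block return" shows up in pfctl -sr as "block return all", and an outbound ssh needs a matching outbound dns rule before the name can be resolved) collected into one pf.conf. This is an added example, not any list member's posted ruleset: the interface name hvn0 and the block lines are taken from the thread, while the "port ssh" and "port domain" completions and the final outbound ssh rule are assumptions made here to illustrate the point.

```pf
# Added example (not from the thread): what the direction keyword does.
# Assumed policy: accept ssh on hvn0, allow outbound ssh, dns and ping,
# answer everything else with a TCP RST / ICMP unreachable.
ext_if="hvn0"

set skip on lo

# No "in" or "out": pfctl -sr prints this as "block return all", i.e. it
# matches packets in BOTH directions on every interface.
block return
block inet6

# "pass on" with no direction: this single rule matches echo requests
# both arriving at and leaving $ext_if; the state it creates lets the
# matching echo replies through.
pass on $ext_if inet proto icmp all icmp-type echoreq

# "pass in": only packets ARRIVING on $ext_if match. The state entry
# created here is what lets the answering packets back out; the rule
# itself permits no other outbound traffic.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh

# "pass out": only packets LEAVING $ext_if match. This is the one rule
# that lets "ssh host.example.com" resolve the name first; resolvers use
# udp/53 and fall back to tcp/53 for large answers, hence both protocols.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) \
    to any port domain

# The outbound ssh itself, which the dns rule above does not cover
# (assumed for this example).
pass out on $ext_if inet proto tcp from ($ext_if) to any port ssh
```

Check the file with "doas pfctl -nf /etc/pf.conf" (parse only, do not load), load it with "doas pfctl -f /etc/pf.conf", and compare "doas pfctl -sr" against what you expect: the expanded output shows the direction pf actually assigned to each rule, which is where a missing "in"/"out" becomes visible. As the thread found, "pfctl -d" disables the packet filter entirely, so after testing with -d remember "pfctl -e".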
Hi again,
okay, big time PEBKAC ... if you do the -d you should at some point
do the -e ... haha
anyway always fun to brainstorm with you guys this list rocks !!!
On 20.10.2017 at 14:11, Markus Rosjat wrote:
Hi,
yeah well, the rules are loaded, I could flush before doing pfctl -f to make
i
Hi,
yeah well, the rules are loaded, I could flush before doing pfctl -f to make
it all clean.
I tried ssh m...@domain.tld from the machine with the ruleset. this works
with the given rules but it shouldn't in my opinion.
and yes, there is no dns traffic allowed in the rules. Maybe it's really
the
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
> ...
> what I notice is I can initiate a ssh connection from this machine.
Just a question:
how do you initiate the ssh connection?
ssh host.example.com
Then you realise that there is also dns out (53/tcp,udp)
On 17/10/20 12:59, Markus Rosjat wrote:
Hi there,
I was wondering, after reading Mr Hansteen's excellent book about pf and
the man pages, if I got it all wrong :)
so here is my example pf.conf
ext_if="hvn0"
set skip on lo
block return    # block stateless traffic
block inet6
pass in on $ext
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
> ...
> what I notice is I can initiate a ssh connection from this machine.
> So there are three possible answers to this:
> - 1st with allowing ssh traffic in the first place ssh port will be
> considered passable from both sides o
Hi,
On 20.10.2017 at 13:11, Bryan Harris wrote:
I don't know the answer but I'm curious. What does "pfctl -sr" command
show? Can you do dns lookups?
PS - my rules have the "pass out all" rule at the bottom.
V/r,
Bryan
sure I can give the output:
$ doas pfctl -sr
doas (m...@my.own) passw
On 2017-10-20 12:59, Markus Rosjat wrote:
Hi there,
I was wondering, after reading Mr Hansteen's excellent book about pf and
the man pages, if I got it all wrong :)
so here is my example pf.conf
ext_if="hvn0"
set skip on lo
block return    # block stateless traffic
block inet6
pass in on $e
I don't know the answer but I'm curious. What does "pfctl -sr" command
show? Can you do dns lookups?
PS - my rules have the "pass out all" rule at the bottom.
V/r,
Bryan
On Fri, Oct 20, 2017 at 6:59 AM, Markus Rosjat wrote:
> Hi there,
>
> I was wondering, after reading Mr Hansteen's excellent
Hi there,
I was wondering, after reading Mr Hansteen's excellent book about pf and
the man pages, if I got it all wrong :)
so here is my example pf.conf
ext_if="hvn0"
set skip on lo
block return    # block stateless traffic
block inet6
pass in on $ext_if inet proto tcp from any to ($ext_if)