* Giancarlo Razzolini <[EMAIL PROTECTED]> [2006-07-04 16:07]:
> My question is not only about ftp-proxy, I only used it to exemplify. My
> question is: if I tag a packet that is entering one interface and in the
> same rule (rdr pass, for example) I send this packet to an interface
> which is skipp
Joachim Schipper wrote:
> On Mon, Jul 03, 2006 at 09:15:15PM -0300, Giancarlo Razzolini wrote:
>> Henning Brauer wrote:
>>> skip steps and set skip have nothing to do with each other.
>>> set skip basically disables pf on a per-interface basis.
>>> skip steps is an optimization in rule processing yo
On Mon, Jul 03, 2006 at 09:15:15PM -0300, Giancarlo Razzolini wrote:
> Henning Brauer wrote:
> >
> > skip steps and set skip have nothing to do with each other.
> > set skip basically disables pf on a per-interface basis.
> > skip steps is an optimization in rule processing you can safely ignore.
>
Henning Brauer wrote:
>
> skip steps and set skip have nothing to do with each other.
> set skip basically disables pf on a per-interface basis.
> skip steps is an optimization in rule processing you can safely ignore.
> it Just Works in the background and saves you CPU cycles :)
>
It does not have
* Nick Guenther <[EMAIL PROTECTED]> [2006-07-03 22:35]:
> unfortunate. It also doesn't help that the manpage says, next to, -s
> Rule:
> "Note that the ``skip step'' optimization done automatically by the
> kernel will skip evaluation of rules where possible." which seems to
> imply that `-s rules`
On 7/3/06, Nick Guenther <[EMAIL PROTECTED]> wrote:
On 7/3/06, Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
> pfctl -sI -vv shows you if an interface is skipped or not.
-w is not documented in pfctl(8). What does it do?
It most certainly is.
Try -vv ('v' 'v', as in 'victor' 'victor'), avoid
Nick Guenther wrote:
> -w is not documented in pfctl(8). What does it do?
>
It is not -w, it is -v, which stands for -v(erbose). If you use it twice
(-vv) it increases the verbose level. It is in the pfctl man page.
My regards,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
On 7/3/06, Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
>
pfctl -sI -vv shows you if an interface is skipped or not.
My 2 cents,
-w is not documented in pfctl(8). What does it do?
On 7/3/06, Clint Pachl <[EMAIL PROTECTED]> wrote:
Henning Brauer wrote:
> * Daniel Ouellet <[EMAIL PROTECTED]>
Henning Brauer wrote:
* Daniel Ouellet <[EMAIL PROTECTED]> [2006-07-03 21:44]:
Is there a special reason why we couldn't see the
set skip on interface
in the display of the rules in pf with the regular:
pfctl -sr
it is not a rule.
It is an option.
Would it be beneficial to add an "Option
Daniel Ouellet wrote:
>> If this was to be implemented, it might be more appropriate to show in
>> the
>> runtime state (pfctl -si) than the rule output.
>
> I don't know. Maybe, maybe not. But I got cut with this. I had a
> sysadmin do changes in a pretty big multi interface box and he used the
>
set skip on interface
in the display of the rules in pf with the regular:
pfctl -sr
it is not a rule.
I guess one could argue that:
set block-policy option
is not a rule either, but it does show up however:
Example 1:
In pf.conf
set block-policy return
block all
pfctl -sr
block return
Indeed it does, but not by hacking up `-s rules`. pfctl(8) lists all
the various things you can display with -s. 'options' (as per
pf.conf(5)) do not seem to be among them, however, which I agree is
unfortunate. It also doesn't help that the manpage says, next to, -s
Rule:
"Note that the ``skip st
If this was to be implemented, it might be more appropriate to show in the
runtime state (pfctl -si) than the rule output.
I don't know. Maybe, maybe not. But I got cut with this. I had a
sysadmin do changes in a pretty big multi interface box and he used the
set skip to test new rules on indi
On 2006/07/03 16:26, Nick Guenther wrote:
> I don't know a lot about the architecture of pf (I plan to learn soon
> though) so maybe this is completely stupid, but I suggest adding modes
> for `pfctl -s` to match everything listed in pf.conf(5).
`-s config' to produce a usable pf.conf from in-memo
On 7/3/06, Daniel Ouellet <[EMAIL PROTECTED]> wrote:
> it is not a rule.
OK, not a rule, but still shouldn't it be possible or useful to see that
in effect? If you make changes for testing or what not and you use this
temporarily, etc. on a box of 10+ interfaces, just my thinking, but I was
expecti
it is not a rule.
OK, not a rule, but still shouldn't it be possible or useful to see that
in effect? If you make changes for testing or what not and you use this
temporarily, etc. on a box of 10+ interfaces, just my thinking, but I was
expecting to see this in display of how the pf was working.
From: [EMAIL PROTECTED]
> Is there a special reason why we couldn't see the
>
> set skip on interface
>
> in the display of the rules in pf with the regular:
>
> pfctl -sr
If this was to be implemented, it might be more appropriate to show in the
runtime state (pfctl -si) than the rule output.
* Daniel Ouellet <[EMAIL PROTECTED]> [2006-07-03 21:44]:
> Is there a special reason why we couldn't see the
>
> set skip on interface
>
> in the display of the rules in pf with the regular:
>
> pfctl -sr
it is not a rule.
--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mai
Is there a special reason why we couldn't see the
set skip on interface
in the display of the rules in pf with the regular:
pfctl -sr
That's on 3.9.