
List:       openbsd-pf
Subject:    Re: handling local traffic
From:       Justin Murdock <justin-work () quick-hacks ! co ! uk>
Date:       2012-01-30 13:23:47
Message-ID: 4F2699E3.2070500 () quick-hacks ! co ! uk

I've been thinking about this for months (on and off) but as soon as I 
send the email a solution occurs to me. Typical.

On 30/01/2012 12:31, Justin Murdock wrote:
> OpenBSD 4.9 GENERIC.MP#819 amd64
>
> I'm not quite sure when things changed, but I can no longer apply
> rules to locally originating traffic (the following doesn't work as I
> would wish):
>
>     match out log received-on lo
I can, however, catch this traffic using
     match out log user != unknown

>
>     pass on $dmz to port {http, https, ssh}
>     block out on lo
>     pass out on lo from <trusted> to port ssh
>
similarly becomes:
     pass on $dmz to port {http, https, ssh}
     block in user != unknown
     pass in from <trusted> to port ssh user != unknown

> I feel I must be missing something, I'm just not sure what.
I'm not entirely comfortable with this - especially as the "... in ... 
user != unknown" construction depends on there being a listening socket 
- which could be quite interesting with the rdr-to interactions.
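
The ruleset below is an added example that is not part of Justin's
post: it puts the "user != unknown" technique he describes into a
complete pf.conf fragment for the OpenBSD 4.7+ syntax, with comments
on what each rule catches. The interface name, the <trusted> table
contents and the choice to let only root open outbound connections
are assumptions made for the example.

```pf
# Added example, not from the original post.  Interface, table and
# address choices are assumptions; the addresses are constructed.
dmz = "em1"
table <trusted> { 192.0.2.10, 192.0.2.11 }

# Default deny; log what gets dropped so pflog0 shows the rule number.
block log all

# Forwarded traffic on the DMZ interface to the usual services.  PF
# reports the owner of a forwarded packet as "unknown", so the user
# rules below never touch this traffic.
pass on $dmz proto tcp to port { http, https, ssh }

# Packets that belong to a socket on this host: connections a local
# process opened (out), or packets arriving at a port a local process
# is listening on (in).  "unknown" is what PF reports when it cannot
# attribute a socket, i.e. forwarded packets and most non-TCP/UDP
# traffic, so "user != unknown" selects exactly the local-endpoint
# case.  A packet to a local port with no listener is "unknown" too;
# it falls through to "block log all" and is still dropped.
block in log user != unknown
block out log user != unknown

# Inbound ssh to this host only from the trusted table ...
pass in proto tcp from <trusted> to port ssh user != unknown

# ... and outbound TCP only for connections opened by root (assumed
# policy); other local users stay covered by the block above.
pass out proto tcp user root
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it with
`pfctl -f /etc/pf.conf`; `pfctl -vsr` then shows per-rule packet
counters, and `tcpdump -n -e -ttt -i pflog0` prints each logged packet
with the rule number and direction that dropped it, which is the
quickest way to see whether a given packet was classified as a local
socket or as "unknown". On the rdr-to point Justin raises: the socket
lookup is done against the destination the packet carries when the
filter rule is evaluated, so a connection redirected to a port on the
firewall itself acquires a local listener and matches
"user != unknown", while one redirected to another host stays
"unknown" and is governed only by the interface rules.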
