List: openbsd-pf
Subject: Re: handling local traffic
From: Justin Murdock <justin-work () quick-hacks ! co ! uk>
Date: 2012-01-30 13:23:47
Message-ID: 4F2699E3.2070500 () quick-hacks ! co ! uk
I've been thinking about this for months (on and off) but as soon as I
send the email a solution occurs to me. Typical.
On 30/01/2012 12:31, Justin Murdock wrote:
> OpenBSD 4.9 GENERIC.MP#819 amd64
>
> I'm not quite sure when things changed, but I can no longer apply
> rules to locally originating traffic; the following doesn't work as I
> would wish:
>
> match out log received-on lo
I can, however, catch this traffic using
match out log user != unknown
>
> pass on $dmz to port {http, https, ssh}
> block out on lo
> pass out on lo from <trusted> to port ssh
>
similarly becomes:
pass on $dmz to port {http, https, ssh}
block in user != unknown
pass in from <trusted> to port ssh user != unknown
> I feel I must be missing something, I'm just not sure what.
I'm not entirely comfortable with this - especially as the "... in ...
user != unknown" construction depends on there being a listening socket
- which could be quite interesting with the rdr-to interactions.
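To show the two rule sets above in the context of a loadable ruleset, here is a minimal pf.conf written as an added example (not from the thread); the interface macros, the <trusted> table contents and the addresses are assumed/constructed.

```pf
# Added example, not from the original post. $ext_if, $dmz and the
# <trusted> table are assumed names; the addresses are constructed.
ext_if = "em0"
dmz    = "em1"
table <trusted> persist { 192.0.2.10, 192.0.2.11 }

# Deliberately no 'set skip on lo': the rules below need to see local traffic.

# Log packets that belong to a socket on this host, i.e. traffic that
# originates from or terminates on the firewall itself. Forwarded packets
# have no local socket, so they are 'user unknown' and do not match here.
match out log user != unknown

# Forwarded DMZ services are matched by interface, not by socket owner.
pass on $dmz proto tcp to port { http, https, ssh }

# Default-deny for connections to local listeners. 'in' combined with
# 'user' only matches when pf can find a listening socket for the
# destination port, which is the caveat raised above.
block in user != unknown

# Only trusted hosts may reach the local sshd.
pass in proto tcp from <trusted> to port ssh user != unknown
```

Parse it without loading (`pfctl -nf /etc/pf.conf`) before activating it, since a typo in a default-deny rule for local listeners can lock you out of ssh.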