Re: confusion with the pf filter rule syntax

From: Daniel Hartmeier (daniel_at_benzedrine.cx)
Date: 11/24/03

  • Next message: Greg Hennessy: "Re: confusion with the pf filter rule syntax"
    Date: 24 Nov 2003 07:20:05 GMT
    
    

    On Mon, 24 Nov 2003 06:24:05 GMT, Sameer wrote:

    > why do you need to state an interface as well as a source address? won't it
    > suffice to simply state a source and a destination, thereby circumventing
    > the "on int" portion?

    If there are relations between source addresses of packets and interfaces
    these packets pass in and out through, you'll have to express them in
    rules to enforce them; pf doesn't detect (and enforce) such relations
    otherwise (they don't exist in general).

    If certain source (or destination) addresses just don't (or shouldn't)
    occur on certain interfaces, people usually don't allow them with the
    ruleset.

    > outside interface, hme0 - 172.16.0.1
    > inside interface, hme1 - 192.168.1.1
    >
    > can't you say,
    >
    > pass out from 192.168.1.1 proto tcp to any modulate state

    This allows outgoing connections with source address 192.168.1.1
    on both hme0 and hme1. If, for instance, you're running NAT and
    translate all source addresses in 192.168.0.0/16 to 172.16.0.1
    on hme0, you DON'T expect connections with source address
    192.168.1.1 going out on hme0. Depends on whether hosts on
    the internal network are using the firewall as gateway, and
    whether it does NAT.

    The rule is legal syntax, though, if that's what you meant.
    You don't have to specify both 'on <if>' and 'to <addr>'
    in each rule. But you may. If a rule doesn't specify 'on <if>',
    it applies to all interfaces (including loopback and virtual
    interfaces).

    Daniel
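A small rule evaluator, added here as an illustration and not part of the thread or of pf itself, that models the one point Daniel makes: a rule with no 'on <if>' clause matches on every interface, so Sameer's rule lets source 192.168.1.1 leave on hme0 as well as hme1, while the same rule with 'on hme1' confines it. It also models pf's last-matching-rule-wins evaluation (with 'quick' short-circuiting). The rulesets LOOSE and TIGHT, the packets, and the hypothetical destination addresses are constructed; the parser accepts only the keywords used in the thread, takes them in any order, and ignores the state-tracking options, which is a simplification of pf's grammar.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A packet as the filter sees it (constructed for this example)."""
    direction: str   # "in" or "out"
    iface: str       # interface the packet crosses, e.g. "hme0"
    src: str
    dst: str
    proto: str       # "tcp", "udp", ...


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # None: both directions
    iface: Optional[str] = None        # None: every interface, incl. loopback/virtual
    src: Optional[str] = None          # host or CIDR; None: any
    dst: Optional[str] = None
    proto: Optional[str] = None
    quick: bool = False                # stop evaluation at this rule if it matches


def parse_rule(text: str) -> Rule:
    """Parse the subset of pf syntax used in the thread (hypothetical, simplified parser):
    action [in|out] [quick] [on IF] [proto P] [from SRC] [to DST] [all] [modulate|keep state]."""
    toks = text.split()
    action, i, fields = toks[0], 1, {}
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            fields["direction"] = t
            i += 1
        elif t == "quick":
            fields["quick"] = True
            i += 1
        elif t == "on":
            fields["iface"] = toks[i + 1]
            i += 2
        elif t == "proto":
            fields["proto"] = toks[i + 1]
            i += 2
        elif t in ("from", "to"):
            val = toks[i + 1]
            fields["src" if t == "from" else "dst"] = None if val == "any" else val
            i += 2
        elif t == "all":                    # 'all' means from any to any
            i += 1
        elif t in ("modulate", "keep") and toks[i + 1] == "state":
            i += 2                          # state tracking is not modelled here
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {text}")
    return Rule(action, **fields)


def _addr_ok(spec: Optional[str], addr: str) -> bool:
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r: Rule, p: Packet) -> bool:
    return ((r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)      # no 'on': any interface
            and (r.proto is None or r.proto == p.proto)
            and _addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """pf semantics: the last matching rule decides; 'quick' ends evaluation early."""
    verdict = "pass"                        # pf's implicit default when nothing matches
    for r in rules:
        if matches(r, p):
            verdict = r.action
            if r.quick:
                break
    return verdict


# Sameer's proposal (constructed ruleset): the pass rule names no interface.
LOOSE = [parse_rule("block all"),
         parse_rule("pass out from 192.168.1.1 proto tcp to any modulate state")]
# Same rule bound to the inside interface, so 192.168.1.1 can only leave via hme1.
TIGHT = [parse_rule("block all"),
         parse_rule("pass out on hme1 from 192.168.1.1 proto tcp to any modulate state")]


def verdicts(rules: List[Rule]) -> Tuple[str, str]:
    """Verdict for source 192.168.1.1 leaving on hme1, then the same source leaving on hme0."""
    via_inside = Packet("out", "hme1", "192.168.1.1", "192.168.1.50", "tcp")   # constructed
    via_outside = Packet("out", "hme0", "192.168.1.1", "203.0.113.5", "tcp")   # constructed
    return evaluate(rules, via_inside), evaluate(rules, via_outside)


if __name__ == "__main__":
    print("no 'on <if>':", verdicts(LOOSE))   # ('pass', 'pass'): leaks out on hme0 too
    print("'on hme1':   ", verdicts(TIGHT))   # ('pass', 'block')
```

Running it shows the difference Daniel describes: under LOOSE the packet with source 192.168.1.1 is passed out on hme0, where (with NAT to 172.16.0.1 in place) it should never appear; under TIGHT only the hme1 path is allowed and the hme0 case falls back to 'block all'.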

