Re: confusion with the pf filter rule syntax

From: Test (me_at_here.com)
Date: 11/25/03

Date: Mon, 24 Nov 2003 20:31:31 -0500

"Sameer" <ssnewsgroups@hotmail.com> wrote in message
news:9uhwb.12469$m84.3993464@news1.news.adelphia.net...
> This is what the FAQ says:
>
> action direction [log] [quick] on int [af] [proto protocol] from src_addr
> [port src_port] to dst_addr [port dst_port] [tcp_flags] [state]
>
> I'm a bit confused here. Personally, I'm having an issue with this "on int"
> and "from src_addr". To me this seems to be a redundancy, and, no matter
> how I tried to read it, I really can't see otherwise.
>
> Why do you need to state an interface as well as a source address? Won't it
> suffice to simply state a source and a destination, thereby circumventing
> the "on int" portion?
>
> For example, say you are looking to allow packets outside a device with the
> following parameters:
>
> outside interface, hme0 - 172.16.0.1
> inside interface, hme1 - 192.168.1.1
>
> Can't you say,
>
> pass out proto tcp from 192.168.1.1 to any modulate state
>
> or
>
> pass out on hme1 proto tcp to 172.16.0.1 modulate state
>
> Maybe I'm not understanding something that someone might see... so any
> explanation would be helpful.
>
> I know some will say "go away and don't bother us until you test it
> yourself"... however, I really would like to understand the syntax properly
> instead of being hit and miss with trial and error. The understanding is
> more important to me than getting it to work.

In short, it's a way of getting more granular with security.

It's optional; without <on if> a rule would generally apply to all
interfaces, unless otherwise specified.
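
A worked example, added here and not part of either post: a small Python model of the rule grammar quoted from the FAQ, run over a ruleset written with and without "on". It uses the topology from the question (hme0 outside at 172.16.0.1, hme1 inside at 192.168.1.1); the host addresses, the two rulesets and the three packets are constructed for the example. Real pf consults its state table before the ruleset and accepts far more syntax (ports, flags, address families, tables); the model covers only the FAQ's subset and the last-match-wins/quick rule. What it shows is that "on hme1" and "from 192.168.1.0/24" are independent tests, not a redundancy: a router sees a forwarded packet on both interfaces (in on one, out on the other), and a forged packet that arrives on hme0 carrying an inside source address is passed by the address-only rule but blocked once the rule is pinned to hme1.

```python
"""Toy model of the pf rule subset quoted above (constructed for this post, not pf's
own parser): action [in|out] [quick] [on iface] [proto p] (all | from src to dst)
[keep|modulate|synproxy state].  Last matching rule wins unless it says "quick"."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional

# One packet as seen on one interface; direction is "in" or "out" relative to it.
Packet = namedtuple("Packet", "iface direction proto src dst")


@dataclass
class Rule:  # None / "any" means the clause was omitted and so matches everything
    action: str
    direction: Optional[str] = None
    iface: Optional[str] = None  # omitted "on": the rule applies on every interface
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    quick: bool = False
    state: Optional[str] = None


ARG_KEYWORDS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}
STATE_KEYWORDS = ("keep", "modulate", "synproxy")  # each is followed by "state"


def parse_rule(text: str) -> Rule:
    """Parse one rule line; raise ValueError on anything outside the subset."""
    tok = text.split()
    if not tok or tok[0] not in ("pass", "block"):
        raise ValueError(f"unknown action in {text!r}")
    rule = Rule(action=tok[0])
    i = 1
    while i < len(tok):
        t = tok[i]
        takes_arg = t in ARG_KEYWORDS or t in STATE_KEYWORDS
        if takes_arg and i + 1 >= len(tok):
            raise ValueError(f"{t!r} needs an argument in {text!r}")
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "all":
            pass  # "from any to any", which the defaults already express
        elif t in ARG_KEYWORDS:
            setattr(rule, ARG_KEYWORDS[t], tok[i + 1])
        elif t in STATE_KEYWORDS:
            rule.state = t  # the trailing "state" token is consumed below
        else:
            raise ValueError(f"unsupported token {t!r} in {text!r}")
        i += 2 if takes_arg else 1
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every clause present must hold: "on" and "from" are independent tests."""
    def addr(spec: str, ip: str) -> bool:
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and addr(rule.src, pkt.src) and addr(rule.dst, pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    verdict = "pass"  # pf's implicit default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Topology from the question: hme0 outside (172.16.0.1), hme1 inside (192.168.1.1).
# Both rulesets are constructed; they differ only in the "on" clauses.
RULESETS = {
    "without_on": [parse_rule(r) for r in (
        "block all",
        "pass in proto tcp from 192.168.1.0/24 to any keep state",
        "pass out proto tcp from 192.168.1.0/24 to any keep state")],
    "with_on": [parse_rule(r) for r in (
        "block all",
        "pass in on hme1 proto tcp from 192.168.1.0/24 to any keep state",
        "pass out on hme0 proto tcp from 192.168.1.0/24 to any keep state")],
}
# Constructed packets.  A router sees a forwarded packet twice: in on one interface,
# out on the other.  "spoofed" has an inside source address but arrives on the OUTSIDE.
PACKETS = {
    "lan_in": Packet("hme1", "in", "tcp", "192.168.1.50", "203.0.113.10"),
    "lan_out": Packet("hme0", "out", "tcp", "192.168.1.50", "203.0.113.10"),
    "spoofed": Packet("hme0", "in", "tcp", "192.168.1.77", "192.168.1.1"),
}


def demo() -> Dict[str, str]:
    """Verdict of each ruleset for each packet, keyed "<packet>/<ruleset>"."""
    return {f"{p}/{r}": evaluate(rules, pkt)
            for r, rules in RULESETS.items() for p, pkt in PACKETS.items()}
```

Calling demo() gives "pass" for the two legitimate LAN packets under both rulesets, "pass" for the spoofed packet under the address-only ruleset, and "block" for it once the rules carry "on hme1" / "on hme0". The model does not enforce clause order; to check the real syntax of a rule, load it with pfctl -nf (parse without applying) rather than trusting this toy.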


