Subject: Re: problems with pf
To: None <netbsd-users@netbsd.org>
From: haad <haaaad@gmail.com>
List: netbsd-users
Date: 12/26/2005 21:29:08

George Georgalis wrote:
> On Mon, Dec 26, 2005 at 05:39:00PM +0100, Peter Postma wrote:
> 
>>On Mon, Dec 26, 2005 at 11:29:49AM -0500, George Georgalis wrote:
>>
>>The GENERIC kernels does not enable pf by default. You should either load
>>pf as LKM (modload /usr/lkm/pf.o) or add pf to your kernel config and
>>rebuild your kernel. On 3.0, you should not need pflkm from pkgsrc because
>>it's included in base now.
> 
> 
> okay, that module suits me fine and I can use my pf.conf file now :)
> 
> 
>>>Have I not included an important kernel option?
>>>
>>
>>No, you've added too much options ;-)
>>pf currently does not compile with the ALTQ options, because pf uses a
>>different ALTQ. There are currently two solutions: load pf as LKM and
>>compile the old ALTQ into the kernel, or apply my ALTQ patches[1] to the
>>kernel.
>>
>>[1] http://nedbsd.nl/~ppostma/pf/altq.html
> 
> 
> Oh excellent, that explains it. I'll try your patch when I'm at
> the get the ALTQ part working stage.
> 
> Now I'm working out my first BSD bridge, and I seem to have a
> misunderstanding of pf, in this test all traffic but dns should
> pass through,
> 
> if_dmz = fpx0
> if_net = fpx1
The problem is here: pf checks whether packets match these pass rules
and doesn't look at your block rule. So try it in reverse order. [1]

 block on $if_net proto { tcp,udp } from any to any port 53
 pass in  quick on $if_dmz all
 pass out quick on $if_dmz all

[1]http://www.openbsd.org/faq/pf/index.html

> 
> but the block rule doesn't seem to stop anything... :-\
> What's wrong here?
> 
> // George
> 
> 
> 


--
Adam Hamsik
tel.c 0904 937 495
ICQ 249727910
jabber haad@jabber.org
--------------------------------------------------------------
There are 10 kinds of people in the world. Those who understand
binary numbers, and those who don't.
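pf's rule-ordering logic (the last matching rule wins, except that a matching rule marked quick ends evaluation at once; see the OpenBSD FAQ linked above) as a small Python model, an added example that is neither part of this thread nor pf's own code. It runs the three posted rules against constructed DNS packets; the interface names fpx0/fpx1 are taken from the original poster's macros, and the packet dicts are constructed for this example.

```python
"""Minimal model of pf rule evaluation: last matching rule wins unless a
matching rule carries 'quick', which ends evaluation immediately.
Added example for this thread; it models only pf's ordering logic."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None    # "in", "out", or None for both
    iface: Optional[str] = None        # interface name, or None for any
    protos: Optional[set] = None       # e.g. {"tcp", "udp"}, or None for any
    dport: Optional[int] = None        # destination port, or None for any

    def matches(self, pkt: dict) -> bool:
        return ((self.direction is None or self.direction == pkt["dir"])
                and (self.iface is None or self.iface == pkt["iface"])
                and (self.protos is None or pkt["proto"] in self.protos)
                and (self.dport is None or self.dport == pkt["dport"]))


def evaluate(rules, pkt, default="pass"):
    """Return the verdict pf's ordering logic gives pkt under this rule list."""
    verdict = default                  # no matching rule: pf's implicit pass
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action      # later matches override earlier ones
            if rule.quick:
                break                  # quick: stop evaluating here
    return verdict


# Macro values from the thread (original poster's interface names).
IF_DMZ, IF_NET = "fpx0", "fpx1"

# The three rules as posted: block DNS on $if_net, pass quick on $if_dmz.
POSTED = [
    Rule("block", iface=IF_NET, protos={"tcp", "udp"}, dport=53),
    Rule("pass", quick=True, direction="in", iface=IF_DMZ),
    Rule("pass", quick=True, direction="out", iface=IF_DMZ),
]

# Constructed packets: one DNS query as seen on each side of the bridge.
DNS_ON_NET = {"dir": "in", "iface": IF_NET, "proto": "udp", "dport": 53}
DNS_ON_DMZ = {"dir": "out", "iface": IF_DMZ, "proto": "udp", "dport": 53}


def ordering_demo(pkt):
    """Why order matters: the same block rule placed before or after a pass."""
    block = Rule("block", iface=IF_NET, protos={"tcp", "udp"}, dport=53)
    pass_all = Rule("pass")            # not quick: a later match overrides it
    return {
        "block_then_pass": evaluate([block, pass_all], pkt),         # pass
        "pass_then_block": evaluate([pass_all, block], pkt),         # block
        "quick_pass_first": evaluate([Rule("pass", quick=True), block], pkt),  # pass
    }
```

Running `evaluate(POSTED, DNS_ON_NET)` gives "block" and `evaluate(POSTED, DNS_ON_DMZ)` gives "pass", since the quick pass rules only match on $if_dmz; `ordering_demo` shows the block rule being overridden by a later non-quick pass and by an earlier quick pass.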