Re: Trying to understand stateful npf

To: Maxime Villard <max%m00nbsd.net@localhost>
Subject: Re: Trying to understand stateful npf
From: Stephen Borrill <netbsd%precedence.co.uk@localhost>
Date: Mon, 15 Oct 2018 08:36:13 +0100 (BST)

On Sun, 14 Oct 2018, Maxime Villard wrote:

Le 12/10/2018 à 17:10, Stephen Borrill a écrit :

I'm trying to configure a ruleset to filter traffic bound for the outside
world and also allow an incoming port map. The ruleset can be seen below.
I would expect that the "pass stateful out" on the internal interface would
have allowed the packets back in past the "block in all" from 10.10.0.2
when replying. However, it does not.


your $trusted and $int_xennet0_addrs variables are unused, from here on I
can't know if you didn't forget entries and other things in your conf

The configs are autogenerated from a script which deals with manydifferent configurations (and allows switching between ipf and npf). Thoseunused variables happen not to be used in the example I gave, but as faras I'm aware, declaring unused variables is not a problem, i.e. theexample given is complete.


--
Stephen

References:
- Trying to understand stateful npf
  - From: Stephen Borrill
- Re: Trying to understand stateful npf
  - From: Maxime Villard

Prev by Date: Re: Trying to understand stateful npf
Next by Date: NPF ruleset limit in -7?
Previous by Thread: Re: Trying to understand stateful npf
Next by Thread: Re: Trying to understand stateful npf
Indexes:

Home | Main Index | Thread Index | Old Index