3.8 pf.conf question

Rodney Hopkins
I was looking at the pf.conf included with 3.8, and with the
addition of the following line:

set skip on { lo }

doesn't the lo part of the following line become redundant:

antispoof quick for { lo $int_if }

assuming both lines are uncommented?

Thanks.

Rodney Hopkins

_____________________________________________________________
Free E-mail by CamaroZ28.Com - FULL THROTTLE INTERNET

Re: 3.8 pf.conf question

Eric Pancer
On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...

> I was looking at the pf.conf included with 3.8, and with the
> addition of the following line:
>
> set skip on { lo }
>
> doesn't the lo part of the following line become redundant:
>
> antispoof quick for { lo $int_if }

It becomes irrelevant; after "set skip," nothing else will be evaluated for
that interface.

Re: 3.8 pf.conf question

Moritz Grimm
eric wrote:

> On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...
>
>>I was looking at the pf.conf included with 3.8, and with the
>>addition of the following line:
>>
>>set skip on { lo }
>>
>>doesn't the lo part of the following line become redundant:
>>
>>antispoof quick for { lo $int_if }
>
> It becomes irrelevant; after "set skip," nothing else will be evaluated for
> that interface.

No, look at what antispoof expands to:

block drop in on ! lo inet from 127.0.0.1/8 to any
block drop in on ! lo inet6 from ::1 to any

That means "antispoof for lo" filters on all but the lo interface group.
The skipping on lo takes care of the "Caveat:" outlined in the man page,
though... it replaces the previously recommended "pass quick on lo" rule.


Moritz

Re: 3.8 pf.conf question

Stuart Henderson
--On 04 December 2005 14:27 -0600, eric wrote:

> On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...
>
>> I was looking at the pf.conf included with 3.8, and with the
>> addition of the following line:
>>
>> set skip on { lo }
>>
>> doesn't the lo part of the following line become redundant:
>>
>> antispoof quick for { lo $int_if }
>
> It becomes irrelevant; after "set skip," nothing else will be
> evaluated for that interface.

'antispoof for lo0' affects every interface other than lo0. From
pf.conf(5):

     For example, the line

           antispoof for lo0

     expands to

           block drop in on ! lo0 inet from 127.0.0.1/8 to any
           block drop in on ! lo0 inet6 from ::1 to any
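To make the interaction discussed in this thread concrete, here is a minimal ruleset in the same spirit (an added example, not the pf.conf shipped with 3.8); the interface name `em0` for `$int_if` and the two trailing catch-all rules are assumptions.

```conf
# Constructed example, not the stock 3.8 /etc/pf.conf.
int_if = "em0"            # assumed internal interface name

# Loopback packets are never evaluated against the ruleset at all.
# This is what replaces the older "pass quick on lo" recommendation.
set skip on { lo }

# Not redundant with the line above. "antispoof for lo" expands to
#   block drop in on ! lo inet  from 127.0.0.1/8 to any
#   block drop in on ! lo inet6 from ::1 to any
# i.e. it drops loopback-sourced packets arriving on every *other*
# interface, which "set skip on lo" does nothing about. The $int_if
# part likewise drops packets claiming $int_if's own network addresses
# that arrive on some other interface.
antispoof quick for { lo $int_if }

# Assumed default policy for the rest of the ruleset.
block in log all
pass out keep state
```

To see exactly what a ruleset expands to before loading it, `pfctl -nvf /etc/pf.conf` parses the file without installing it and prints the antispoof rules in their expanded `block drop in on ! ...` form.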