fix pf.conf prototype

Cédric Berger
In rev 1.29 of /etc/pf.conf, "pass quick" has been replaced
by "set skip" for lo and $int_if.

I think that for lo, it makes a lot of sense to use set skip,
but for $int_if, it is a poor default choice, because it breaks
the subsequent ftp-proxy line:

#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

If you uncomment the above line in the /etc/pf.conf prototype, it
won't work and it's not obvious why. I therefore suggest
reverting part of the previous patch.

Cedric


--- pf.conf.orig        Thu Aug 25 20:00:51 2005
+++ pf.conf     Thu Aug 25 20:01:47 2005
@@ -10,7 +10,7 @@
  #table <spamd> persist
  #table <spamd-white> persist

-#set skip on { lo $int_if }
+#set skip on { lo }

  #scrub in

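Review bot: dropping $int_if from the `set skip` list only makes sense together with the second hunk's `#pass quick on { $int_if }`, because on its own it puts internal traffic back under `#scrub in` and the later `#block in` default; the two hunks should land as one change. It would also help to add a comment next to `#set skip on { lo }` saying that `set skip` bypasses rdr as well as filter rules, since that is exactly the non-obvious reason the ftp-proxy `rdr pass on $int_if` line stopped working.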
@@ -24,6 +24,7 @@
  #block in
  #pass out keep state

+#pass quick on { $int_if }
  #antispoof quick for { lo $int_if }

  #pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
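Review bot: the new `#pass quick on { $int_if }` line is placed before `#antispoof quick for { lo $int_if }`; since `quick` ends rule evaluation at the first match, a packet arriving on $int_if is passed before the block rules that antispoof generates for $int_if are ever consulted, so the pass line should go after the antispoof line to keep spoof protection on the internal interface. Note also that this rule is stateless (no `keep state`), which is fine for a LAN-side pass-all but differs from the surrounding rules and deserves a short comment.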