DaemonForums  

OpenBSD Security Functionally paranoid!
#1  (mikesg, 25th May 2010)
match vs pass (changes in 4.7), and inet vs inet proto

I've upgraded one of my firewalls to 4.7 and have revised a few of the 'rdr pass' rules to reflect the syntax changes introduced in 4.7, but I'm not quite understanding why or when it would be appropriate to use match over pass in port redirection. Could someone enlighten me a bit? I've read the pf.conf man page but do better with practical examples when it comes to understanding concepts.

Also, I've read through the pf FAQ and man page trying to find out more about the inet declaration in the rules. I understand this is an address family, but the docs don't speak of it (that I can find) beyond that. In the pf FAQ I see example rules using it and others not in spite of these rules looking very similar, but don't understand why. Oops, the post title should have read "proto vs inet proto".

Thanks for any responses.
Mike

Last edited by mikesg; 25th May 2010 at 04:56 AM.
#2  (jggimi, 25th May 2010)

match is used when you want a rule to match but do not necessarily want either a pass or a block to apply right then and there; you will either already have it (such as a pass all) or will apply a pass rule, if applicable, later. You can use a label with it for use in later policy-based filtering rules, too. Commonly used for NAT rules, port redirection rules, or tag-based policy filtering.

The inet family is one of two families supported by pf. The other is inet6. The purpose is so that you can have different rules apply to IPv4 and IPv6, if necessary. Commonly used when tunnelling IPv6 under IPv4, or IPv4 under IPv6.
#3  (mikesg, 25th May 2010)

Quote:
Originally Posted by jggimi
match is used when you want a rule to match but do not necessarily want either a pass or a block to apply right then and there; you will either already have it (such as a pass all) or will apply a pass rule, if applicable, later. You can use a label with it for use in later policy-based filtering rules, too. Commonly used for NAT rules, port redirection rules, or tag-based policy filtering.
Thanks, that makes sense.

Quote:
Originally Posted by jggimi
The inet family is one of two families supported by pf. The other is inet6. The purpose is so that you can have different rules apply to IPv4 and IPv6, if necessary. Commonly used when tunnelling IPv6 under IPv4, or IPv4 under IPv6.
So by specifying proto without inet, it includes inet and inet6. But by specifying inet you are excluding inet6 and vice versa?
Mike
#4  (jggimi, 25th May 2010)

"proto" refers to protocols within IPv4 or IPv6, such as ICMP, ESP, or TCP. A fairly complete list is found in /etc/protocols.

If your rule does not have an explicit family, it refers to both IPv4 and IPv6. If it has one, it is limited to that family.
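To put jggimi's two replies (match versus pass for translation, and the address family keyword) into a concrete ruleset, here is an added example in the 4.7 nat-to/rdr-to syntax. It is not from the original thread: the interface names em0 and em1, the address 192.168.1.10 and the tag WEB_RDR are made up for illustration. It shows the match-then-pass form of a port redirection next to the single pass ... rdr-to form, and family-specific rules next to one that carries no family at all.

```pf
# Added example, not from the thread. Interface names, addresses and the
# tag name are hypothetical. Syntax is OpenBSD 4.7+ (nat-to / rdr-to are
# options on match or pass rules, not separate nat/rdr rules).
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.168.1.10"

set skip on lo

# 1. match neither passes nor blocks. The nat-to rewrite is applied as soon
#    as this rule matches, so every later rule sees the translated source
#    address; the last matching pass or block rule below decides the packet.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# 2. Port forward with match: only the destination is rewritten to $web_srv.
#    Nothing is passed here, so a pass rule is still needed for the
#    *translated* destination, otherwise "block all" drops the connection.
#    The tag lets that later rule filter on policy instead of repeating the
#    address (jggimi's tag-based policy filtering).
match in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_srv tag WEB_RDR

# 3. Same effect with one pass rule: redirect and pass in a single step,
#    with the state created immediately. Use this form when no separate
#    policy decision is needed later. Commented out so it does not
#    duplicate rule 2 in this example.
# pass in on $ext_if inet proto tcp to ($ext_if) port 80 rdr-to $web_srv

block log all

# The explicit pass for what rule 2 redirected, matched on the tag rather
# than on the rewritten address and port.
pass in on $ext_if inet proto tcp tagged WEB_RDR

pass in on $int_if
pass out on $ext_if

# 4. Address family. No family keyword: the rule applies to IPv4 and IPv6
#    alike, and ($ext_if) covers whatever addresses of either family the
#    interface carries.
pass in on $ext_if proto tcp to ($ext_if) port 22

#    With a family keyword the rule is limited to that family, which is how
#    IPv4 and IPv6 get different treatment (here: different ICMP policies).
pass in on $ext_if inet  proto icmp  icmp-type  echoreq
pass in on $ext_if inet6 proto icmp6 icmp6-type { echoreq, neighbrsol, neighbradv }
```

Two caveats worth checking before loading this. First, because the rdr-to on a match rule has already rewritten the destination by the time later rules are evaluated, a pass rule written for the pre-translation address (to ($ext_if) port 80) never matches the redirected packets; the pass must name the translated destination, or, as above, the tag. Second, the match form fails closed: forgetting the pass rule leaves the forward silently blocked by "block log all", which is safer than the reverse but easy to misdiagnose. Parse with pfctl -nvf /etc/pf.conf to see the rules after macro and list expansion without loading them, and pfctl -sr to list what is actually loaded.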
#5  (Loki, 12th June 2010)

Quote:
Originally Posted by jggimi
"proto" refers to protocols within IPv4 or IPv6, such as ICMP, ESP, or TCP. A fairly complete list is found in /etc/protocols.

If your rule does not have an explicit family, it refers to both IPv4 and IPv6. If it has one, it is limited to that family.
In addition, a point not obvious for beginners (and even some experienced users!):

If you issue the command "pfctl -vv -sr | less" you will see things like the fact that a rule that doesn't contain an inet or inet6 will expand to two rules, one for each.

You'll probably get some extra clues about other operations from that command and its relatives. (man pfctl)
Content copyright © 2007-2010, the authors