OpenBSD Security
match vs pass (changes in 4.7), and inet vs inet proto
I've upgraded one of my firewalls to 4.7 and have revised a few of the 'rdr pass' rules to reflect the syntax changes introduced in 4.7, but I'm not quite understanding why or when it would be appropriate to use match over pass in port redirection. Could someone enlighten me a bit? I've read the pf.conf man page but do better with practical examples when it comes to understanding concepts.
Also, I've read through the pf FAQ and man page trying to find out more about the inet declaration in the rules. I understand this is an address family, but the docs don't speak of it (that I can find) beyond that. In the pf FAQ I see example rules using it and others not in spite of these rules looking very similar, but don't understand why. Oops, the post title should have read "proto vs inet proto". Thanks for any responses.
__________________
Mike
Last edited by mikesg; 25th May 2010 at 04:56 AM.
So by specifying proto without inet, it includes inet and inet6. But by specifying inet you are excluding inet6 and vice versa?
__________________
Mike
"proto" refers to protocols within IPv4 or IPv6, such as ICMP, ESP, or TCP. A fairly complete list is found in /etc/protocols.
If your rule does not have an explicit family, it refers to both IPv4 and IPv6. If it has one, it is limited to that family.
If you issue the command "pfctl -vv -sr | less" you will see things like the fact that a rule that doesn't contain an inet or inet6 will expand to two rules, one for each. You'll probably get some extra clues about other operations from that command and its relatives. (man pfctl)
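The following pf.conf fragment is an added example written for this thread; it is not from any of the posters and not from the OpenBSD documentation. It shows the two ways of writing a port redirection with the 4.7 syntax asked about in the first post (match plus a separate pass, versus pass with rdr-to) and the effect of the inet keyword discussed in the replies. The interface name em0, the internal web server address 192.168.1.10, and the port numbers are assumed values chosen for illustration.

```pf
# Added example, not from the thread or the OpenBSD docs.
# em0 and 192.168.1.10 are assumed values.
ext_if  = "em0"
www_srv = "192.168.1.10"

# 1. match + pass (translation and filtering policy kept separate).
#    "match" only rewrites the destination; it makes no pass/block decision.
#    The packet continues down the ruleset with the translated address, so
#    traffic reaches the server only if a later rule explicitly passes
#    192.168.1.10:80. Anything you forget to pass is still blocked by
#    whatever default block policy the ruleset has.
match in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $www_srv
pass  in on $ext_if proto tcp from any to $www_srv port 80

# 2. pass with rdr-to (translation and the pass decision in one rule).
#    Shorter, but because pf uses last-matching-rule semantics a later, more
#    general block rule can override it; "quick" stops evaluation here.
pass in quick on $ext_if proto tcp from any to ($ext_if) port 443 rdr-to $www_srv

# 3. Address family.
#    With no inet/inet6 keyword the rule applies to both IPv4 and IPv6;
#    with "inet" it is limited to IPv4 (and "inet6" to IPv6).
pass in on $ext_if proto tcp from any to any port 22       # IPv4 and IPv6
pass in on $ext_if inet proto tcp from any to any port 22  # IPv4 only
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and then use `pfctl -vv -sr` as suggested above to compare how the family-less rule and the inet rule are shown once loaded. The match form is the one to prefer when several redirections share a single filtering policy, since every accepted flow is then visible as an explicit pass rule on the internal address rather than being implied by the redirection.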