IPF ipf use dhcp/pppoe interface ip in ruleset

pass out log all:

Why log all packets?

Where in your ruleset is this rule? Placement in the ruleset matters, hugely. Also, quick rules are checked before this rule.

My VPN, using ssh, has an interface. Do you use IPsec? IPsec, designed with IPv6 in mind, has no concept of interfaces. Your choice of VPN software matters.
 
Why not log all out packets? Logging doesn't hurt and helps with troubleshooting. And as I am trying to understand what is happening, I tend to log everything.

pass out all is at the end of the file. But as you said, quick is checked before, and I only have quick rules in the ruleset.
 
I did some more troubleshooting:

# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# Rules
pass in quick on re0 proto tcp from {1.2.3.4 5.6.7.8} to re0/netmasked port = 22 flags S/SAFR keep state

pass in quick on re1.7 proto udp from any to re1.7/netmasked port = 67
pass in quick on re1.9 proto udp from any to re1.9/netmasked port = 67
pass in quick on re1.253 proto udp from any to re1.253/netmasked port = 67

# Guest
pass in quick on re1.253 out-via re0 proto tcp from any to any flags S/SAFR keep state
pass in quick on re1.253 out-via re0 proto udp from any to any keep state
pass in quick on re1.253 out-via re0 proto icmp from any to any keep state

# Cleanup Rule
block in log all
pass out log all

When using this ruleset /netmasked works and does not give me an error.
Why? I will now add more rules step by step until I can reproduce the error. But the rest of the ruleset seems to be fine, as it got applied with no error when I removed the /netmasked.

But what I don't understand: I have the rules
pass in quick on re1.253 out-via re0
re1.253 has the IP 10.111.253.254. re0 is the WAN interface.
When I am at a workstation (e.g. 10.111.253.100) I can ssh to 10.111.253.254. Why? This rule explicitly has re0 as the outgoing interface. So I don't understand why this rule applies and why I can access ssh on the router.
What am I not understanding correctly?
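As an added illustration of the placement point raised above (a quick rule ends evaluation at its first match, while a non-quick cleanup rule at the end of the file only decides packets that no quick rule matched, and is the one that logs them), here is a small Python model of IPF's evaluation order. It is example code written for this note, not anything from the thread or from IPF itself; it deliberately ignores out-via, addresses and keep state, so it says nothing about the ssh question.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str           # "pass" or "block"
    direction: str        # "in" or "out"
    quick: bool           # quick: stop evaluating at this match
    iface: Optional[str]  # None = any interface
    proto: Optional[str]  # None = any protocol
    dport: Optional[int]  # None = any destination port
    log: bool = False

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str, bool]:
    """Return (index, action, logged) of the rule that decides pkt. Non-quick
    rules: the LAST match wins; a quick match ends evaluation immediately."""
    decision: Tuple[Optional[int], str, bool] = (None, "pass", False)  # nothing matched
    for i, r in enumerate(rules):
        if matches(r, pkt):
            decision = (i, r.action, r.log)
            if r.quick:
                break
    return decision

# Constructed ruleset modelled on the posted one (out-via/keep state left out).
RULES = [
    Rule("pass", "in", True, "lo0", None, None),
    Rule("pass", "out", True, "lo0", None, None),
    Rule("pass", "in", True, "re0", "tcp", 22),          # ssh from admin hosts
    Rule("pass", "in", True, "re1.253", "udp", 67),      # dhcp on guest vlan
    Rule("pass", "in", True, "re1.253", "tcp", None),    # guest tcp (out-via re0)
    Rule("block", "in", False, None, None, None, True),  # cleanup: block in log all
    Rule("pass", "out", False, None, None, None, True),  # cleanup: pass out log all
]

def logged_outbound(rules: List[Rule], pkts: List[Packet]) -> int:
    # How many outbound packets the trailing "pass out log all" would log.
    return sum(1 for p in pkts if p.direction == "out" and evaluate(rules, p)[2])
```

Every outbound packet that leaves on anything but lo0 falls through to the last rule and is logged, which is the volume to expect from "pass out log all" placed as a cleanup rule.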
 