Thread: pfctl -i

pfctl -i
Toomas Pelberg (Estonia)
2007-08-14 16:46:48
pfctl man page says:

-i interface
             Restrict the operation to the given interface.

..what exactly is meant by the word "operation"?

My problem: I want to load a different ruleset for each interface
( jails ) and not care about what's in the ruleset as long as it doesn't
affect anything outside the jail ( which is bound to a specific ip on a
separate interface )

I tried loading pfctl -i lo1 -f test.fire which contained "block quick
all" ..which promptly killed everything :/

And no, it's not about using the loopback interface.. same goes for
"real" interfaces like nve & fxp. Neither does it restrict you from
loading "block quick on another_interface all" and still killing
everything..

OpenBSD seems to act the same, so it's probably not a porting bug.


_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: pfctl -i
Jon Simola
2007-08-14 19:13:23
On 8/14/07, Toomas Pelberg <toomasdetalem.cq.hk> wrote:
> pfctl man page says:
>
> -i interface
>              Restrict the operation to the given interface.
>
> ..what exactly is meant by the word "operation"?

This would be one of those things that is obvious once you've seen an example
and thought about it for a while.

$ sudo pfctl -si |grep -A1 State
State Table                          Total             Rate
  current entries                    34056
$ sudo pfctl -i vlan170 -ss |wc -l
    1172

In this case, only show states bound to the vlan170 interface.

> My problem: I want to load a different ruleset for each interface
> ( jails ) and not care about what's in the ruleset as long as it doesn't
> affect anything outside the jail ( which is bound to a specific ip on a
> separate interface )

You probably want to look into anchors.

-- 
Jon
Re: pfctl -i
Toomas Pelberg (Estonia)
2007-08-14 20:48:34
On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
> On 8/14/07, Toomas Pelberg <toomasdetalem.cq.hk> wrote:
> > pfctl man page says:
> >
> > -i interface
> >              Restrict the operation to the given interface.
> >
> > ..what exactly is meant by the word "operation"?
> 
> This would be one of those things that is obvious once you've seen an example
> and thought about it for a while.
> 
> $ sudo pfctl -si |grep -A1 State
> State Table                          Total             Rate
>   current entries                    34056
> $ sudo pfctl -i vlan170 -ss |wc -l
>     1172

So -i only works in combination with -s ? If so, I think it should be
mentioned in the man page.

> In this case, only show states bound to the vlan170 interface.
> 
> > My problem: I want to load a different ruleset for each interface
> > ( jails ) and not care about what's in the ruleset as long as it doesn't
> > affect anything outside the jail ( which is bound to a specific ip on a
> > separate interface )
> 
> You probably want to look into anchors.

While I can use an anchor to limit to the interface, it's a rather ugly
hack. Care to show an elegant solution how to anchor an unspecified
number of user rules?

I could just as well pass over the supplied ruleset with a perl script
that skips any rules not starting with pass/block in/out on
jail_interface.

pfctl -i & -f combo would've been great for this purpose.

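The anchor approach Jon points to, as an added example that is not from the thread: `pfctl -i` scopes operations such as showing states, not `-f` loading, whereas an anchor attached with `on <if>` in the main ruleset is evaluated only for packets on that interface, so a jail's rules loaded into it cannot affect other interfaces, and the jail's ruleset can be replaced or flushed on its own. The anchor names `jails/<if>`, the file names and the sample jail rules are assumptions.

```shell
# Per-jail pf anchors (constructed example). An anchor attached with "on <if>" is
# evaluated only for packets on that interface, so whatever a jail's ruleset loads
# into it, even "block quick all", cannot touch traffic on other interfaces.
# Anchor names "jails/<if>" and file names are assumptions, not from the thread.

# Emit the lines to add to the main /etc/pf.conf: one anchor per jail interface.
# Usage: main_ruleset_anchors lo1 lo2 ...
main_ruleset_anchors() {
    for ifn in "$@"; do
        printf 'anchor "jails/%s" on %s\n' "$ifn" "$ifn"
    done
}

# A constructed jail ruleset. No "on lo1" is needed: the anchor already limits scope.
example_jail_ruleset() {
    printf '%s\n' 'block all' 'pass in proto tcp to port 80 keep state'
}

# Parse-check a jail ruleset against its anchor without loading it (pfctl -n).
check_jail_rules() {
    pfctl -n -a "jails/$1" -f "$2"
}

# Replace the ruleset inside one jail's anchor; the main ruleset and the other
# jails' anchors are left untouched.
load_jail_rules() {
    pfctl -a "jails/$1" -f "$2"
}

# Show what is actually loaded for one jail; a plain "pfctl -sr" (no -a) confirms
# that the main ruleset still contains only the anchor line itself.
show_jail_rules() {
    pfctl -a "jails/$1" -sr
}

# Flush one jail's rules without affecting the rest.
flush_jail_rules() {
    pfctl -a "jails/$1" -Fr
}

# Command-line entry: anchors IF... | check IF FILE | load IF FILE | show IF | flush IF
case "${1:-}" in
    anchors) shift; main_ruleset_anchors "$@" ;;
    check)   check_jail_rules "$2" "$3" ;;
    load)    load_jail_rules "$2" "$3" ;;
    show)    show_jail_rules "$2" ;;
    flush)   flush_jail_rules "$2" ;;
esac
```

After adding the anchor lines to /etc/pf.conf and reloading it with `pfctl -f /etc/pf.conf`, each jail's rules go in with `load jail_interface rulesfile` and nothing outside that interface is affected.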
