[ndbug] PF question
N.J. Thomas
njt at ayvali.org
Thu Apr 30 12:07:06 EDT 2015
* Hrishikesh Murukkathampoondi <hrishim at gmail.com> [2015-04-30 16:23:26+0530]:
> pass in on fxp0 from 10.0.0.0/8
> pass in on fxp0 from !10.1.2.3
>
> But doesn't PF apply the last matching rule? That means, in this
> example, 10.1.2.3 will be blocked (as desired) and any other address
> conforming to 10.0.0.0/8 will be passed through.
PF does apply the last matching rule, but I think you're
misunderstanding how it works.
Keep in mind that when pf is evaluating a packet, the following steps
are done:
- rules are evaluated sequentially
- there's an implicit "pass all" at the beginning of the filter
ruleset (so if the packet doesn't match anything, the resulting
action is pass)
- the last rule to match (the winner) dictates what action to take
on the packet
- for every rule, there is a match criterion and an action (block or
pass)
- unless you match against a quick rule, all rules are evaluated
before final action
So let's examine the rules, which I've labeled A and B:
A) pass in on fxp0 from 10.0.0.0/8
B) pass in on fxp0 from !10.1.2.3
There are two packets that can come in to these rules:
- a packet from 10.1.2.3
- a packet from anywhere else (i.e. not from 10.1.2.3)
If a packet comes in from 10.1.2.3: it matches rule A, since it is in
10/8. It does not match rule B. So the last matching rule was A, which
is a pass.
If a packet comes in that is not from 10.1.2.3, it will ALWAYS match
rule B. So regardless of whether or not rule A is matched, rule B is
always matched, so it will always pass.
The union of packets in 10.1.2.3 and packets not in 10.1.2.3 comprises
*ALL* addresses in the IPv4 space. So everything is matched.
What you want instead of this:
pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }
is this:
pass in on fxp0 from 10.0.0.0/8
block in on fxp0 from 10.1.2.3
This would pass in everything on 10/8, but block packets from 10.1.2.3.
hth,
Thomas
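To make the last-match semantics in the reply above concrete, here is a small Python model of how pf evaluates a ruleset (added here as an illustration; it is not part of the original thread and not pf's own code). It assumes every packet arrives inbound on fxp0, so only the source address is tested; `{ }` lists are expanded into one rule per element in order, as pfctl does, and `quick` stops evaluation.

```python
import ipaddress

# Constructed rulesets taken from the thread: the one that fails, and the fix.
ORIGINAL = "pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }"
FIXED = """
pass in on fxp0 from 10.0.0.0/8
block in on fxp0 from 10.1.2.3
"""

def expand(line):
    """pf expands `from { a, b }` into one rule per element, in order."""
    if "{" not in line:
        return [line]
    head, rest = line.split("{", 1)
    inner, tail = rest.split("}", 1)
    return [head + item.strip() + tail for item in inner.split(",")]

def parse_rule(line):
    """Keep only the parts of a rule this model needs: action, quick, source."""
    tokens = line.split()
    src = tokens[tokens.index("from") + 1]
    return {
        "action": tokens[0],                      # "pass" or "block"
        "quick": "quick" in tokens,
        "negate": src.startswith("!"),
        "net": ipaddress.ip_network(src.lstrip("!"), strict=False),
    }

def load(ruleset):
    return [parse_rule(r) for raw in ruleset.strip().splitlines()
            for r in expand(raw.strip())]

def matches(rule, src_ip):
    in_net = ipaddress.ip_address(src_ip) in rule["net"]
    return in_net != rule["negate"]               # "!" inverts the test

def evaluate(ruleset, src_ip):
    """Implicit pass, every rule evaluated, last match wins, quick ends it."""
    winner = "pass"
    for rule in load(ruleset):
        if matches(rule, src_ip):
            winner = rule["action"]
            if rule["quick"]:
                break
    return winner

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.9.9.9", "192.0.2.1"):
        print(f"{ip:>10}  original={evaluate(ORIGINAL, ip):5}  fixed={evaluate(FIXED, ip)}")
```

Running it shows the original ruleset passing 10.1.2.3 (rule A wins) while the fixed one blocks it. Note that 192.0.2.1 passes under both rulesets because of the implicit pass the reply describes; anything outside 10/8 would need its own block rule.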