On Mon, Jan 16, 2017 at 11:04:48PM +0000, Luke Small wrote:
> I'm trying to have pf limit sending TCP packets over lo0 from a specific
> user. I made some rules, but they seem to be ignored when I check on pfctl
> -vvvs rules it goes to the default lo0 pass rule: "pass out quick on lo0
> proto { tcp, udp } from self port 6379 to any port 6379 user luke" and
> "block out quick on lo0 proto {tcp,udp} from self to any port 6379"
> obviously I'm using redis. Redis has authentication, but I think it'd be
> cool to have that extra layer of protection.

hm. "Beware of quick rules, for they fsck with the regular ruleset 
evaluation logic". 

Without more context it's hard to tell whether that is your actual problem, but
keep in mind that once a quick rule matches, evaluation stops right there and 
further rules are simply not evaluated for the packet.

Also as Sebastien mentioned do check for any "set skip on lo" or similar 
in your ruleset.  If you have that, filtering simply does not happen on 
interfaces or interface groups in the "set skip" rule.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
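To make the two points in the reply concrete, here is an added pf.conf fragment (an illustration written for this page, not a ruleset from either poster) that restricts loopback connections to a Redis port to one user. It assumes Redis listens on TCP port 6379 on localhost and that the permitted user is "luke", as in the quoted message; it also drops the `port 6379` source qualifier from the quoted pass rule, because a client connecting to Redis uses an ephemeral source port, so `from self port 6379` would only match the server's replies, not the client's connection.

```pf
# Added example pf.conf fragment (not from the thread).
# Assumes: redis-server on 127.0.0.1 tcp/6379, allowed user "luke" (hypothetical).

# Point 1: "set skip" disables filtering entirely on the named interfaces.
# If this line is present, pf never evaluates the rules below for lo0 traffic,
# so the counters shown by "pfctl -vvsr" stay at zero for them.
# set skip on lo

# Point 2: "quick" stops evaluation at the first matching rule.
# Both rules below are quick, so order decides: the pass for luke must come
# BEFORE the block, otherwise the block matches first and luke is cut off too.
# Any earlier "pass out quick on lo0 ..." rule in the file would likewise win
# before these are reached, which is the symptom described in the question.
pass  out quick on lo0 proto tcp from self to any port 6379 user luke
block out quick on lo0 proto tcp from self to any port 6379
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -vvsr`: the Evaluations and Packets counters printed under each rule show which rule actually claimed the packet, so a pass rule that never gets counted while an earlier one does is the signature of a quick rule (or a `set skip`) short-circuiting the ruleset.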
