Greetings, PF experts. I'm new to PF and quite intrigued by the "user = unknown" (or "user = root" or "user = ....") capability of PF. I've been doing a bit of testing and was hoping to find a pointer to some documentation that might help me understand my results a bit more clearly. Specifically, I have some rules that look like this:
set block-policy drop
set optimization aggressive
block log all
block log all user != unknown
pass out all user = unknown keep state
[...]
pass in proto tcp from foo to bar port = 22 user = unknown flags S/FSRPAUEW keep state
pass in proto udp from abc to def port = 123 user = unknown keep state
[...]

And so on, and so forth. Unfortunately, I haven't had consistent success with this strategy. Specifically, I've run into situations where the SSH or NTP traffic above is blocked by PF even though it should, theoretically, match the rules I've written. My pflogd output hasn't really helped much because it doesn't show what pf thinks the user is. However, I think the problem is related to the "user = " logic because, if I remove the "user = unknown" bits from the rules above, pf permits the traffic.

So... can anyone please provide some information on how pf decides which user is associated with a given packet? The pf.conf man page reads:

    For forwarded connections, where the firewall is not a connection endpoint, the user and group are unknown.

However, this doesn't seem to be the case on at least two of my test systems, which are running OpenBSD 3.3 (GENERIC#37 with some features stripped out, i.e. ipv6) and are blocking routed NTP connections (amongst other things) when "user = unknown" is part of the NTP rule. This also happens for some TCP connections, for what it's worth. The worst part is that a third system, running an identical kernel and similar rulesets, is not exhibiting the same behavior for a slightly different connection profile (it's routing primarily a home-grown TCP application).

Thanks in advance.

T.E.