On Tue, Jul 01, 2003 at 09:17:30PM -0400, T. wrote:
> And so on, and so forth. Unfortunately, I haven't had consistent success with this
> strategy. Specifically, I've run into situations where the SSH or NTP traffic above
> is blocked by PF even though it should, theoretically, match the rules I've written.
> My pflogd output hasn't really helped much because it doesn't show what pf thinks the
> user is. However, I think the problem is related to the "user = " logic because, if
> I remove the "user = unknown" bits from the rules above, pf permits the traffic.
Hmm, I think there is a bug for 'user = unknown', while 'user != unknown' works. I'll have to check more closely.

If you only want to pass forwarded connections, you can work around the problem with something like

  block log quick all user != unknown
  pass out all keep state
  pass in proto tcp from foo to bar port = 22 flags S/FSRPAUEW keep state
  ...

The 'quick' option on the block rule will abort ruleset evaluation for packets with known user (connections originating from or ending on the firewall), hence you don't need the 'user = unknown' on subsequent rules anymore.

Daniel
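A toy model of the evaluation order Daniel's workaround relies on (last matching rule wins, a matching 'quick' rule ends evaluation, and only connections that originate from or end on the firewall have a known user), added here as an illustration and not part of the thread. The Packet and Rule classes, the sample packets and the user names are constructed for this example.

```python
# Toy model of pf rule evaluation, constructed for this example: the last matching
# rule wins unless a matching rule is 'quick', which ends evaluation. A forwarded
# packet has no local socket, so its user is "unknown" (None here).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    direction: str       # "in" or "out"
    proto: str           # "tcp", "udp", ...
    dport: int
    user: Optional[str]  # None = unknown (forwarded); else owner of the local socket

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None   # None matches either direction
    proto: Optional[str] = None
    dport: Optional[int] = None
    user_op: Optional[Tuple[str, Optional[str]]] = None  # ("=", x) or ("!=", x)

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction: return False
        if self.proto is not None and self.proto != p.proto: return False
        if self.dport is not None and self.dport != p.dport: return False
        if self.user_op is not None:
            op, wanted = self.user_op
            if (op == "=") != (p.user == wanted): return False
        return True

def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return pf's verdict for p; a packet matching no rule passes, as in pf."""
    verdict = "pass"
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:  # 'quick': later rules are not consulted
                break
    return verdict

# Daniel's workaround: quick block for every packet with a known (local) user, then
# pass rules that no longer need 'user = unknown'.
WORKAROUND = [
    Rule("block", quick=True, user_op=("!=", None)),
    Rule("pass", direction="out"),
    Rule("pass", direction="in", proto="tcp", dport=22),
]
FORWARDED_SSH = Packet("in", "tcp", 22, None)   # routed through the firewall: pass
LOCAL_SSH = Packet("in", "tcp", 22, "root")     # ends on the firewall's sshd: block
LOCAL_OUT = Packet("out", "tcp", 80, "daniel")  # originates on the firewall: block
```

The model ignores state tracking ('keep state') and the rules Daniel elided with '...'. Because pf passes a packet that matches no rule, a real ruleset built this way still needs a default block rule.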
