On Wed, May 12, 2004 at 09:43:40PM -0600, jared r r spiegel wrote:

>   i just tested with may.10th snapshot ( #77 ) and it is as i mentioned before.
>   using "block out from any to 216.239.41.99 user jrrs" to my pf.conf's bottom
>   line nobody can communicate with (that) google (ip), via any protocol.
> 
>   changing it to "block out inet proto {tcp udp} from any to 216.239.41.99 user jrrs"
>   and everyone can ping it, and telnet to it on port 80, except for jrrs.

Note that 'user' (and 'group') criteria are only relevant for TCP and
UDP packets. For all other protocols (ICMP, others), the user/group
criteria in the rule are simply ignored (that is, the rule matches when
it matches the remaining criteria).

So, the block rule without 'proto { tcp, udp }' will definitely block
ICMP for all users, as the restriction to user john is simply ignored
for non-TCP/UDP packets. To test user/group rules, don't use ping (ICMP),
but TCP connects (and consider related UDP DNS traffic when using symbolic
host names).

I don't see how adding 'proto { tcp, udp }' would change the behaviour
for TCP and UDP packets, though. Are you sure that's the case?

Daniel
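As an added illustration (not part of the original thread), the two rule forms from the quoted report side by side, with the matching behaviour Daniel describes spelled out in comments; the address and user name are the ones from the report, and the final ICMP rule is an assumed addition showing how to state that intent explicitly:

```pf
# Added example, not from the thread. Shows why a 'user' rule without a
# 'proto' restriction behaves differently: pf evaluates 'user' and 'group'
# only for TCP and UDP, and for every other protocol the rule matches on its
# remaining criteria alone.

# Form 1: no 'proto' restriction.
# - TCP/UDP to 216.239.41.99: blocked only for sockets owned by user jrrs.
# - ICMP (ping) and any other protocol: the 'user jrrs' criterion is
#   ignored, so this rule blocks them for EVERY user.
block out from any to 216.239.41.99 user jrrs

# Form 2: limit the rule to the protocols where 'user' is meaningful.
# - TCP/UDP to 216.239.41.99: blocked for jrrs, allowed for everyone else.
# - ICMP and other protocols: the rule never matches, so ping works for all.
block out inet proto { tcp, udp } from any to 216.239.41.99 user jrrs

# If the intent really is to stop ICMP for everyone as well, say so in a
# separate rule rather than relying on the ignored 'user' criterion
# (assumed addition, not from the thread):
block out inet proto icmp from any to 216.239.41.99
```

Check the file parses with `pfctl -nf /etc/pf.conf` before loading it, and then test as Daniel suggests: a TCP connect to port 80 as jrrs and as another user, not ping, with `pfctl -sr` confirming which rule set is actually loaded.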