On 5/18/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> > set skip on lo0
> > set skip on $pfsync_if    # might not want this
>
> These two lines don't add up; the second one replaces the first,
> so lo0 is not really skipped. Use a single set skip line, listing
> all interfaces to be skipped at once.

Ah, that should be in the PF docs.
I was doing the same thing with lo0 and enc0.

> antispoof after a default block is superfluous. It expands to non-quick
> block rules. Any packet that could possibly match them has already
> matched your default block rule above.
>
> The expanded rules also don't have the 'log' option. Try and remove the
> antispoof line and reproduce.

I noticed that one can do "log antispoof on ..."

Perhaps a quick option is also merited?

I'm adding this to my wish list, maybe one day I'll get around to
creating a diff against the PF FAQ and/or code.  In the meantime, if
anyone comes across stuff that they feel should really go in the FAQ,
you can send me a quick note and I'll put it in with my set of
changes.

NOTE: I'm not the FAQ maintainer, just a pf enthusiast, short on time
but willing to do the work when time permits.
--
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
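To make the two points in the exchange above concrete, here is a small pf.conf fragment showing the mistaken form next to the corrected one. This is an added example, not the ruleset from the original post; the interface names em0/em1, the enc0 interface and the trailing pass rule are assumptions for illustration.

```pf
# Added example, not the original poster's ruleset.
# Interface assignments are assumed for illustration.
ext_if    = "em0"
pfsync_if = "em1"

# Wrong: each "set skip" replaces the previous one, so after these two
# lines only $pfsync_if is skipped and lo0 is still filtered.
#set skip on lo0
#set skip on $pfsync_if

# Right: one "set skip" line naming every interface to be skipped.
set skip on { lo0 $pfsync_if enc0 }

# antispoof expands to plain block rules (no quick, no log). Placed after
# a default block they add nothing, and because the last matching rule
# wins, the unlogged antispoof rule is what ends up applying, so the
# spoofed packet is dropped without the log entry the default block
# would have produced. Putting antispoof first with "log quick" logs
# and drops spoofed packets before any later rule is consulted.
antispoof log quick for $ext_if
block log all
pass out on $ext_if keep state
```

To see exactly what antispoof and set skip expand to, load the file with `pfctl -nvf /etc/pf.conf`: `-n` parses without installing the rules and `-v` prints the fully expanded rule set, which is the quickest way to confirm that only one set skip list survived and that the antispoof block rules carry the options you intended.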
