(Resending, I fessed up the inline reply)
Arigato gojaimas Trondd san for your very helpful reply.
I had understood from the documentation that tags were sticky. I also
understood that a packet can only have zero or one tag at any time.
Also, that a tag cannot be removed, but only replaced.
Sent: Thursday, January 11, 2018 at 3:17 AM
From: trondd <tro...@kagu-tsuchi.com>
To: "Aham Brahmasmi" <aham.brahma...@gmx.com>
Cc: misc@openbsd.org
Subject: Re: Probable mistake in PF tagging example ruleset or
On Wed, January 10, 2018 2:44 pm, Aham Brahmasmi wrote:
> Hi,
>
> I am trying to learn and understand the pf tagging mechanism. I was
> wondering whether my understanding of the order in the example at
> https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, the
Hi,
I am trying to learn and understand the pf tagging mechanism. I was
wondering whether my understanding of the order in the example at
https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then
there might be a mistake in the order. The relevant lines are
...
pass out on egress
Hi misc,
My PF box has 3 network cards. (Squid is also running on this PF box)
Wan1 , Wan2 and LAN
I want LAN users to reach Specific Destination IPs via Wan1, when they
browse squid proxy. Everything else via Wan2. ( /etc/mygate has been set
to Wan2 router ip )
Lan users' Internet browsers
* andy a...@brandwatch.com [2014-09-02 21:12]:
Hoping this is a pretty dumb question and someone can just shoot me down
with an instant answer but is there any reason why I can't compare against
multiple tags?
because list expansion for that case is not implemented in the parser.
not hard to
On Tue, 02 Sep 2014 18:33:02 -0300, Giancarlo Razzolini
grazzol...@gmail.com wrote:
On 02-09-2014 17:12, andy wrote:
So why does;
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
NOT expand out to;
pass out quick on $if_ext tagged T_LAN keep state
pass out quick on $if_ext
On 03-09-2014 09:08, andy wrote:
The DMZ was just an example.. We can call it anything ;)
I'm just trying to ask why this doesn't work;
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
It gets a PF syntax error? Why?
Thanks for your time, Andy.
I replied before without access
On Wed, 03 Sep 2014 09:33:24 -0300, Giancarlo Razzolini
grazzol...@gmail.com wrote:
On 03-09-2014 09:08, andy wrote:
The DMZ was just an example.. We can call it anything ;)
I'm just trying to ask why this doesn't work;
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
It gets a
On 2014-09-03, andy a...@brandwatch.com wrote:
I'm just trying to ask why this doesn't work;
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
It gets a PF syntax error? Why?
It's just not implemented in the parser in pfctl, it shouldn't be
terribly hard to add..
On Wed, 3 Sep 2014 21:41:48 + (UTC), Stuart Henderson
s...@spacehopper.org wrote:
On 2014-09-03, andy a...@brandwatch.com wrote:
I'm just trying to ask why this doesn't work;
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
It gets a PF syntax error? Why?
It's just not
Oooo, that's an exciting possibility :)
Any opportunities for reducing PF rule sets is always great.
Yes, Indeed. +1
--
cat /etc/motd
Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala
Fonts
Hi,
Hoping this is a pretty dumb question and someone can just shoot me down
with an instant answer but is there any reason why I can't compare against
multiple tags?
E.g.
pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI, T_OPS }
queue (_wan_dflt,_wan_pri) set prio (1,4) keep
On 02-09-2014 16:10, andy wrote:
Hi,
Hoping this is a pretty dumb question and someone can just shoot me down
with an instant answer but is there any reason why I can't compare against
multiple tags?
E.g.
pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI, T_OPS }
queue
2014-09-02 23:10 GMT+04:00 andy a...@brandwatch.com:
Hi,
Hoping this is a pretty dumb question and someone can just shoot me down
with an instant answer but is there any reason why I can't compare against
multiple tags?
E.g.
pass out quick on $if_dmz tagged { T_LAN, T_ENGINEERING, T_WIFI,
On Tue, 02 Sep 2014 16:28:27 -0300, Giancarlo Razzolini
grazzol...@gmail.com wrote:
On 02-09-2014 16:10, andy wrote:
Hi,
Hoping this is a pretty dumb question and someone can just shoot me
down
with an instant answer but is there any reason why I can't compare
against
multiple tags?
E.g.
On 02-09-2014 16:32, andy wrote:
Yes I wouldn't expect to be able to apply more than one tag, I'm asking
about checking for multiple matching tags?
I.e. pass out if the packet is 'tagged' with XXX or YYY or ZZZ.
But that's the point. If you assign a packet with multiple tags, only
the last one
On Tue, 02 Sep 2014 16:37:38 -0300, Giancarlo Razzolini
grazzol...@gmail.com wrote:
On 02-09-2014 16:32, andy wrote:
Yes I wouldn't expect to be able to apply more than one tag, I'm asking
about checking for multiple matching tags?
I.e. pass out if the packet is 'tagged' with XXX or YYY or
On 02-09-2014 17:12, andy wrote:
So why does;
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
NOT expand out to;
pass out quick on $if_ext tagged T_LAN keep state
pass out quick on $if_ext tagged T_DMZ keep state
I didn't test. But if I recall correctly, that rule will expand
* Claudio Jeker cje...@diehard.n-r-g.com [2009-11-13 18:19]:
nat-to and rdr-to on pass rules are only applied if it is the last
matching rule. for match rules they're always applied.
Maybe something like this. The result are that you need to have a
pass tagged FTPTAG rule after the anchor
Henning Brauer wrote:
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and I came across an issue that seems like a problem in the way
tagged rules are handled. It's breaking ftp-proxy with tagging
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 17:37]:
Henning Brauer wrote:
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and I came across an issue that seems like a problem in the way
tagged
On Fri, Nov 13, 2009 at 05:44:41PM +0100, Henning Brauer wrote:
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 17:37]:
Henning Brauer wrote:
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and I
Claudio Jeker wrote:
On Fri, Nov 13, 2009 at 05:44:41PM +0100, Henning Brauer wrote:
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 17:37]:
Henning Brauer wrote:
* Bryan S. Leaman lea...@bitbytes.com [2009-11-13 01:12]:
I'm converting a pf ruleset to work with the
I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
-current and I came across an issue that seems like a problem in the way
tagged rules are handled. It's breaking ftp-proxy with tagging when I
try to apply additional rules to the tagged packets. The result is that I
can
I try to tag a connection on the wan_if and
accordingly on the tag I'll restrict the
access on another interface like.
an example ...
pass in quick on wan_if proto tcp from nuser to port 1194 tag NORM
keep state
pass in quick on wan_if proto tcp from puser to port 1194 tag POWER
keep state
hi
you only tag the package to port 1194 in both cases and you are allowing only
tagged packages to ports 22, 80, 443
David
2005/11/11, Karl-Heinz Wild [EMAIL PROTECTED]:
I try to tag a connection on the wan_if and
accordingly on the tag I'll restrict the
access on another interface like.