* Giancarlo Razzolini [EMAIL PROTECTED] [2006-07-04 16:07]:
My question is not only about ftp-proxy, I only used it to exemplify. My
question is: if I tag a packet that is entering one interface and in the
same rule (rdr pass, for example) I send this packet to an interface
which is skipped by
On Mon, Jul 03, 2006 at 09:15:15PM -0300, Giancarlo Razzolini wrote:
Henning Brauer wrote:
skip steps and set skip have nothing to do with each other.
set skip basically disables pf on a per-interface basis.
skip steps is an optimization in rule processing you can safely ignore.
it Just
Joachim Schipper wrote:
On Mon, Jul 03, 2006 at 09:15:15PM -0300, Giancarlo Razzolini wrote:
Henning Brauer wrote:
skip steps and set skip have nothing to do with each other.
set skip basically disables pf on a per-interface basis.
skip steps is an optimization in rule processing you can
* Daniel Ouellet [EMAIL PROTECTED] [2006-07-03 21:44]:
Is there a special reason why we couldn't see the
set skip on interface
in the display of the rules in pf with the regular:
pfctl -sr
it is not a rule.
--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail
From: [EMAIL PROTECTED]
Is there a special reason why we couldn't see the
set skip on interface
in the display of the rules in pf with the regular:
pfctl -sr
If this was to be implemented, it might be more appropriate to show in the
runtime state (pfctl -si) than the rule output.
DS
it is not a rule.
OK, not a rule, but still shouldn't it be possible or useful to see that
in effect? If you make changes for testing or what not and you use this
temporary, etc on a box of 10+ interfaces, just my thinking, but I was
expecting to see this in display of how the pf was
On 7/3/06, Daniel Ouellet [EMAIL PROTECTED] wrote:
it is not a rule.
OK, not a rule, but still shouldn't it be possible or useful to see that
in effect? If you make changes for testing or what not and you use this
temporary, etc on a box of 10+ interfaces, just my thinking, but I was
expecting
On 2006/07/03 16:26, Nick Guenther wrote:
I don't know a lot about the architecture of pf (I plan to learn soon
though) so maybe this is completely stupid, but I suggest adding modes
for `pfctl -s` to match everything listed in pf.conf(5).
`-s config' to produce a usable pf.conf from in-memory
If this was to be implemented, it might be more appropriate to show in the
runtime state (pfctl -si) than the rule output.
I don't know. Maybe, maybe not. But I got cut with this. I had a
sysadmin do changes in a pretty big multi interface box and he used the
set skip to test new rules on
Indeed it does, but not by hacking up `-s rules`. pfctl(8) lists all
the various things you can display with -s. 'options' (as per
pf.conf(5)) do not seem to be among them, however, which I agree is
unfortunate. It also doesn't help that the manpage says, next to -s
Rule:
Note that the ``skip
Daniel Ouellet wrote:
If this was to be implemented, it might be more appropriate to show in
the
runtime state (pfctl -si) than the rule output.
I don't know. Maybe, maybe not. But I got cut with this. I had a
sysadmin do changes in a pretty big multi interface box and he used the
set skip
set skip on interface
in the display of the rules in pf with the regular:
pfctl -sr
it is not a rule.
I guess one could argue that:
set block-policy option
is not a rule either, but it does show up however:
Example 1:
In pf.conf
snip
set block-policy return
block all
snip
pfctl -sr
snip
Henning Brauer wrote:
* Daniel Ouellet [EMAIL PROTECTED] [2006-07-03 21:44]:
Is there a special reason why we couldn't see the
set skip on interface
in the display of the rules in pf with the regular:
pfctl -sr
it is not a rule.
It is an option.
Would it be beneficial to add an Options
On 7/3/06, Giancarlo Razzolini [EMAIL PROTECTED] wrote:
pfctl -sI -vv shows you if an interface is skipped or not.
My 2 cents,
-w is not documented in pfctl(8). What does it do?
On 7/3/06, Clint Pachl [EMAIL PROTECTED] wrote:
Henning Brauer wrote:
* Daniel Ouellet [EMAIL PROTECTED]
Nick Guenther wrote:
-w is not documented in pfctl(8). What does it do?
It is not -w, it is -v, which stands for -v(erbose). If you use it twice
(-vv) it increases the verbose level. It is in the pfctl man page.
My regards,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
On 7/3/06, Nick Guenther [EMAIL PROTECTED] wrote:
On 7/3/06, Giancarlo Razzolini [EMAIL PROTECTED] wrote:
pfctl -sI -vv shows you if an interface is skipped or not.
-w is not documented in pfctl(8). What does it do?
It most certainly is.
Try -vv ('v' 'v', as in 'victor' 'victor'), avoid
* Nick Guenther [EMAIL PROTECTED] [2006-07-03 22:35]:
unfortunate. It also doesn't help that the manpage says, next to -s
Rule:
Note that the ``skip step'' optimization done automatically by the
kernel will skip evaluation of rules where possible. which seems to
imply that `-s rules` has
Henning Brauer wrote:
skip steps and set skip have nothing to do with each other.
set skip basically disables pf on a per-interface basis.
skip steps is an optimization in rule processing you can safely ignore.
it Just Works in the background and saves you CPU cycles :)
It does not have much