Bump!

On Sun, 13 Jun 2010 12:34:55 +0100, Stuart Henderson wrote:

>On 2010/06/13 21:01, Rod Whitworth wrote:
>> On Sun, 13 Jun 2010 10:48:49 +0100, Stuart Henderson wrote:
>> 
>> >On 2010/06/13 17:31, Rod Whitworth wrote:
>> >> On Sun, 13 Jun 2010 07:44:26 +0100, Jason McIntyre wrote:
>> >> 
>> >> >On Sun, Jun 13, 2010 at 12:36:52PM +1000, Rod Whitworth wrote:
>> >> >> The rule:
>> >> >> pass in on $int_if inet proto tcp to any port ftp \
>> >> >>     rdr-to 127.0.0.1 port 8021
>> >> >> 
>> >> >> in the example ruleset on http://www.openbsd.org/faq/pf/example1.html
>> >> >> does not work for active ftp from NATted hosts.
>> >> >> 
>> >> >> There are three solutions which all work.
>> >> >> 
>> >> >> A> make it "pass in quick ....."
>> >> >> B> move the rule as-is to the end of the file. (Last match wins......)
>> >> >> C.> move the rule up to the match rules and change "pass" to "match"
>> >> >> 
>> >> >> Which do you prefer?
>> >> >> 
>> >> >
>> >> >if the point of that rule is the same as the point of the rule in
>> >> >ftp-proxy(8), then the rule should really match the man page (which uses
>> >> >"quick") or vice versa.
>> >> 
>> >> Note that the ftp-proxy manpage does "pass in quick" with no interface
>> >> limitation......
>> >
>> >So what do you think, maybe 'pass in quick on !egress...' ?
>> >
>> 
>> Hmmm, now that I'm getting the hang of match, and it gets a lot of
>> exposure in man pf.conf, I'm half inclined to change both the example
>> ruleset AND ftp-proxy manpage to accept the spirit of the pf.conf
>> descriptions.
>> 
>> Particularly because it is another example of match usage that
>> clarifies the pf.conf docs.
>> 
>> The more examples the better, as long as they all do individual tasks.
>> 
>> Of course you guys decide.
>
>match is a bit tricky when you're giving sample rules, because
>it can be affected by rules either side of it - from that
>perspective 'pass quick' rules are quite attractive.
>
>I'll look at a diff later if no one beats me to it. :)
>

*** NOTE *** Please DO NOT CC me. I <am> subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.
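The three fixes in the thread all come down to how pf picks a verdict: the last matching pass/block rule wins unless a matching rule says quick, and match rules only contribute options (such as rdr-to) without deciding pass or block. The toy evaluator below, added here and not part of the thread, the FAQ or pf itself, models just that subset so the four rulesets can be compared side by side. The interface name "dc0", the trailing "pass in on $int_if" catch-all that reproduces the reported failure, and the packet values are all constructed for the example; real pf evaluation is considerably richer (states, addresses, tags, anchors) and this deliberately ignores it.

```python
# Toy model of the pf rule semantics the thread turns on (added example, not pf code):
#  - the last matching pass/block rule decides the verdict,
#  - "quick" on a matching pass/block rule stops evaluation there,
#  - "match" rules never decide the verdict; their options (here only rdr-to) stick,
#  - options on a pass/block rule that does not end up winning are discarded.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface the packet is seen on
    proto: str       # "tcp", "udp", ...
    dst_port: int


@dataclass
class Rule:
    action: str                      # "pass", "block" or "match"
    direction: Optional[str] = None  # None means "any"
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    quick: bool = False
    rdr_to: Optional[str] = None     # e.g. "127.0.0.1:8021"

    def matches(self, pkt: Packet) -> bool:
        # A None field is a wildcard; everything else must be equal.
        return all(want is None or want == have for want, have in (
            (self.direction, pkt.direction),
            (self.iface, pkt.iface),
            (self.proto, pkt.proto),
            (self.dst_port, pkt.dst_port),
        ))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, rdr_to) for pkt under the simplified semantics above."""
    winner: Optional[Rule] = None   # last matching pass/block rule seen so far
    match_rdr: Optional[str] = None  # rdr-to accumulated from matching "match" rules
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "match":
            if rule.rdr_to is not None:
                match_rdr = rule.rdr_to   # sticky; a later match rule may override
            continue
        winner = rule
        if rule.quick:
            break                          # quick: no later rule can override
    verdict = winner.action if winner else "pass"   # no matching rule: default pass
    # The winning rule's own rdr-to takes precedence over what match rules set.
    rdr_to = winner.rdr_to if (winner and winner.rdr_to is not None) else match_rdr
    return verdict, rdr_to


# Constructed stand-ins for $int_if and the ftp-proxy listener from the thread.
INT_IF = "dc0"
FTP_PROXY = "127.0.0.1:8021"
FTP_RDR = Rule("pass", "in", INT_IF, "tcp", 21, rdr_to=FTP_PROXY)
CATCH_ALL = Rule("pass", "in", INT_IF)   # constructed LAN-wide pass placed after it


def ruleset_original() -> List[Rule]:
    # The FAQ shape as reported: rdr-to rule followed by a broader pass rule.
    return [FTP_RDR, CATCH_ALL]


def ruleset_quick() -> List[Rule]:       # solution A: "pass in quick ..."
    return [Rule("pass", "in", INT_IF, "tcp", 21, quick=True, rdr_to=FTP_PROXY), CATCH_ALL]


def ruleset_moved() -> List[Rule]:       # solution B: same rule, moved to the end
    return [CATCH_ALL, FTP_RDR]


def ruleset_match() -> List[Rule]:       # solution C: "match in ... rdr-to ..."
    return [Rule("match", "in", INT_IF, "tcp", 21, rdr_to=FTP_PROXY), CATCH_ALL]


LAN_FTP = Packet("in", INT_IF, "tcp", 21)   # constructed FTP control connection from the LAN
LAN_WEB = Packet("in", INT_IF, "tcp", 80)   # constructed non-FTP traffic for contrast

if __name__ == "__main__":
    for name, rs in (("original", ruleset_original()), ("A quick", ruleset_quick()),
                     ("B moved", ruleset_moved()), ("C match", ruleset_match())):
        print(f"{name:9s} ftp -> {evaluate(rs, LAN_FTP)}   web -> {evaluate(rs, LAN_WEB)}")
```

Running it shows the original ordering passing the FTP connection with no redirection (the catch-all wins and carries no rdr-to), while A, B and C all end with rdr-to 127.0.0.1:8021, and none of them touch port-80 traffic. Stuart's caveat about match shows up in the model too: a match rule's effect depends on which pass/block rule later wins for the packet, whereas a quick pass rule settles both the verdict and the options in one place.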
