
[doc-bug] pf faq instruction to allow loopback before antispoof is insufficient
System: OpenBSD i386 3.4 Stable build following the update mini-faq
Synopsis: Instruction to allow loopback services in blocking spoofed 
address under Packet Filtering in PF FAQ is insufficient
Severity: Trivial
Priority: Low
Description:
The instruction in the FAQ says to have the line "pass in quick on lo0 all" 
preceding "antispoof for fxp0 inet". The quoted line would not allow 
loopback to function properly; with a default deny policy this will 
affect mail delivery and all other loopback services (e.g. ssh localhost). 
All programs report "No route to host".
How to repeat:
Write a pf.conf such that it denies by default, and has "pass in quick 
on lo0 all" before an antispoof rule. Enable pf using pfctl. Check 
loopback with ssh localhost or telnet localhost 25, etc.
Fix:
Use "pass quick on lo0 all" instead
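
Added example (not part of the original report): a minimal pf.conf that shows
the FAQ's insufficient loopback rule next to the corrected one, with the
antispoof rule placed after it as the report describes. It assumes the
external interface is fxp0 (the interface named in the report) and a
block-by-default policy; the port 22 rule at the end is only illustrative.

```pf
# Added example, not the FAQ's or the reporter's own file.
# Assumption: fxp0 is the external interface, policy is default deny.
ext_if = "fxp0"

# Default deny: anything not explicitly passed is dropped in both directions.
block all

# --- Insufficient rule (as quoted from the FAQ in the report) ---
# Only the inbound direction on lo0 is passed. A connection to localhost
# is evaluated outbound on lo0 first, matches nothing but "block all",
# and the application gets "No route to host".
#pass in quick on lo0 all

# --- Corrected rule ---
# No direction keyword: passes both in and out on lo0, so local services
# (mail delivery to 127.0.0.1:25, ssh localhost) work again. "quick" stops
# rule evaluation here, so the antispoof rules below never see this traffic.
pass quick on lo0 all

# antispoof expands to block rules for packets carrying fxp0's own network
# and address on interfaces other than fxp0, which includes lo0; it must
# therefore come after the loopback pass rule, not before it.
antispoof quick for $ext_if inet

# Illustrative service exposure on the external interface (not from the report).
pass in on $ext_if inet proto tcp from any to $ext_if port 22 keep state
pass out on $ext_if inet keep state
```

To check the difference without loading anything, run `pfctl -nf /etc/pf.conf`
to parse the file, then load it and inspect `pfctl -s rules`: the antispoof
line is shown expanded into its individual block rules, which makes it
visible why a loopback rule that only covers the "in" direction is not enough
under a default deny policy.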

This seems quite trivial, but I was attempting to have local mail to 
root redirected to an actual email account. Knowing that OpenBSD is 
supposed to send daily reports, I was surprised yet unable to figure out 
the problem until now.