[doc-bug] pf faq instruction to allow loopback before antispoof is insufficient
- To: firstname.lastname@example.org
- Subject: [doc-bug] pf faq instruction to allow loopback before antispoof is insufficient
- From: Calyth <email@example.com>
- Date: Tue, 27 Apr 2004 05:57:09 -0700
- User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7b) Gecko/20040316
System: OpenBSD i386 3.4 Stable build following the update mini-faq
Synopsis: Instruction to allow loopback services in blocking spoofed
address under Packet Filtering in PF FAQ is insufficient
The instruction in the FAQ says to have the line "pass in quick on lo0 all"
preceding antispoof on fxp0 inet. The quoted line would not allow
loopback to function properly; with a default deny policy, this will
affect mail delivery and all other loopback services (i.e. ssh localhost).
All programs report "No route to host".
How to repeat:
Write a pf.conf such that it denies by default, and have "pass in quick
on lo0 all" before an antispoof rule. Enable pf using pfctl. Check
loopback by ssh localhost or telnet localhost 25, etc.
Use "pass quick on lo0 all" instead
This seems quite trivial, but I was attempting to have local mail to
root redirected to an actual email account. Knowing that OpenBSD is
supposed to send daily reports, I was surprised yet unable to figure out
the problem until now.
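The two rulesets the report compares, side by side, as an added example written for this page (it is not the poster's pf.conf and not text from the PF FAQ). The interface name fxp0, the SSH pass rule and the macro name are assumptions chosen to make the fragment complete; the behaviour of the lo0 rules is what the report describes.

```pf
# Added example, not from the original post or the PF FAQ.
# A minimal default-deny ruleset in OpenBSD 3.x pf.conf syntax.
ext_if = "fxp0"   # assumed external interface, as in the report

# Default deny in both directions. Everything below must explicitly
# pass the traffic the host needs.
block all

# INSUFFICIENT (the FAQ line the report quotes): this passes packets
# *entering* on lo0 only. A connection to localhost also has to leave
# the stack *outbound* on lo0, and that leg is still caught by
# "block all". The local client then fails with "No route to host",
# which is the symptom the report describes for ssh localhost and
# telnet localhost 25, and local mail delivery breaks the same way.
# pass in quick on lo0 all

# CORRECT (the report's fix): no direction keyword, so both the inbound
# and the outbound leg on lo0 are passed, and "quick" ends rule
# evaluation for that packet before the antispoof rules are reached.
pass quick on lo0 all

# antispoof must come *after* the lo0 rule. Among other things it
# expands to a block rule for packets whose source is $ext_if's own
# address, and locally originated traffic to that address travels
# over lo0, so without the pass above it would be dropped here.
antispoof for $ext_if inet

# Whatever the host really serves on the external interface; SSH is an
# assumed example. Outbound connections are allowed with state.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
pass out on $ext_if inet keep state
```

Load the file with `pfctl -f /etc/pf.conf` (or check syntax first with `pfctl -nf /etc/pf.conf`) and repeat the report's test, `ssh localhost` or `telnet localhost 25`, with the commented-out line swapped in to see the failure and with `pass quick on lo0 all` to see it work. Reviewing a default-deny ruleset, the check is simply that every interface carrying traffic the host depends on has a rule covering both directions, not just `in`.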