
Re: rdr vs pass



Hey, your name isn't Jeff is it?  :-)  You sound exactly like my co-worker.  He says the same thing, and to a certain point I agree with him.  But yet, not having the pass and block rules makes me really nervous.

--ja

On Tue, 1 Mar 2005, Rolen, Mark E. wrote:

> I'm unsure as to why you'd ever rdr traffic that you intended to block, so
> it used to peeve me to have to create pass rules to cover what I'd already
> redirected.  I was glad to see "rdr pass" come along.  Granted, I'm *not* a
> professional firewall guy, so there may be legit reasons to rdr and then
> block, and if so, I'd be curious to know 'em.
> 
>  
> 
> -----Original Message-----
> From: jabbott@abbotts.org [mailto:jabbott@abbotts.org] 
> Sent: Tuesday, March 01, 2005 3:14 PM
> To: Rolen, Mark E.
> Cc: misc@openbsd.org
> Subject: RE: rdr vs pass
> 
> 
> Right, that is what he is talking about.  What I am asking is: is this a
> good thing?
> 
> --ja
> 
> On Tue, 1 Mar 2005, Rolen, Mark E. wrote:
> 
> > 
> > >On Tue, 2005-03-01 at 14:38:57 -0600, jabbott@abbotts.org proclaimed...
> > >> What is the opinion of the list?
> > >To redirect traffic IN on one interface OUT another, you need rdr.
> > >To permit this behavior, you ALSO need a rule to permit/deny/etc.
> > 
> > 
> > 
> > In newer versions of pf, you can just:
> > 
> > rdr pass on $ext_if ....
> > 
> > and skip creating pass rules to cover the rdr.
> > 
> > Regards,
> > Mark
> > 
> > 
> >  
> > 
> 
> 

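As an added example, not taken from anyone in this thread, here is the same web-server redirect written both ways in the pre-4.7 pf.conf syntax the thread is discussing; the interface name and server address are constructed placeholders.

```pf
# Constructed values for illustration only.
ext_if  = "fxp0"
web_srv = "192.0.2.10"

# Form 1: rdr, then a separate filter rule.
# Translation runs before filtering, so the filter rule must match the
# translated destination ($web_srv), not the external address.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Default deny on the outside interface, logged.
block in log on $ext_if

# Only the redirected web traffic gets through, with state, and this is
# where it can still be narrowed (source networks, logging, flags).
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state

# Form 2: "rdr pass" in one line.
# Packets matching this rule are passed without consulting the filter
# ruleset, so the "block in" above never sees them and no later pass
# rule can restrict or log them.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
```

The two forms are alternatives, so load one or the other rather than both; `pfctl -nf /etc/pf.conf` parses the file without loading it and is a cheap check before applying either version.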