summaryrefslogtreecommitdiff
path: root/share/man
diff options
context:
space:
mode:
authorHenning Brauer <henning@cvs.openbsd.org>2002-10-13 15:51:56 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2002-10-13 15:51:56 +0000
commit2b1bd9bf154afa9021f271fb4777b0be09a8f7f0 (patch)
tree579688fc3dacf57a270cddf0c1774c357a918633 /share/man
parent80acfdcd2c2c67921292034dd84d88339ebfd5f5 (diff)
talk about lo0 issues
from Gregory Steuck greg at nest dot cx
Diffstat (limited to 'share/man')
-rw-r--r--share/man/man5/pf.conf.518
1 files changed, 17 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index e629559f88b..aa6becb9e72 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.93 2002/10/09 14:37:01 henning Exp $
+.\" $OpenBSD: pf.conf.5,v 1.94 2002/10/13 15:51:55 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -598,6 +598,7 @@ supports macro definition and expansion like:
.Pp
Macro names must start with a letter and may contain letters, digits
and underscores.
+Macro names may not be pf reserved words (e.g. pass, in, out).
Macros are not expanded recursively.
.Sh STATEFUL INSPECTION
.Em pf
@@ -801,6 +802,21 @@ expands to
block in on ! wi0 inet from 10.0.0.1/24 to any
block in inet from 10.0.0.1 to any
.Ed
+.Pp
+Caveat: Rules created by the
+.Pa antispoof
+directive interfere with packets sent over loopback interfaces
+to local addresses.
+One should pass these explicitely.
+.Sh FILTERING ON LOOPBACK INTERFACES
+There's hardly a point in filtering on loopback interfaces such as lo0.
+Every packet seen there is sent from and to the local host.
+One may want to include these rules at the very beginning
+of your ruleset to pass all traffic on lo0:
+.Bd -literal
+pass in quick on lo0 all
+pass out quick on lo0 all
+.Ed
.Sh FRAGMENT HANDLING
The size of IP datagrams (packets) can be significantly larger than the
the maximum transmission unit (MTU) of the network.