paulgorman.org

< ^ txt

Fri Jan 26 09:28:39 EST 2018

Slept from eleven to seven without waking. High of forty-eight and sunny today. Beautiful pink and orange sunrise this morning. Stopped at Starbucks on my way into work.

Work:

- Work on MECS a bit.

https://doc.pfsense.org/index.php/What_are_Floating_Rules
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

> Rules are always processed from the top of a list down, first match wins (except for floating rules without quick set, see the next section).

What? This completely defies my understanding of PF. I have always understood (and witnessed) PF to act as a last-match-wins firewall, except when a rule is marked "quick". Yes, I'm right: https://www.openbsd.org/faq/pf/filter.html

> Filter rules are evaluated in sequential order, first to last. Unless the packet matches a rule containing the `quick` keyword, the packet will be evaluated against _all_ filter rules before the final action is taken. The last rule to match is the "winner" and will dictate what action to take on the packet.

However, pfSense seems to have muddied the issue:

- The interface and interface group tabs are first-match-wins
- The floating tab is last-match-wins (like OpenBSD PF) unless the rule is marked "quick"

So, behind the scenes, it seems like pfSense implicitly applies "quick" to all the interface rules.

- Floating rules are processed first
- Second, pfSense applies rules for interface groups
- pfSense lastly applies rules on interfaces

I also didn't know group rules apply before non-group interface rules. I was wrong; time to review our firewall rules.

Oh, wow, prefix-w is great in tmux!

My new parka arrived. It's good.

Spent a while reading about Linux connection tracking.

Home:

- Continue nftables notes
  Done.
- Fix dynamic IP updating on Nanook (and ssh!)
  No.

A half-moon tonight.
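The difference between stock PF and the pfSense tabs is easiest to see by running the two evaluation orders over the same rule text. The Python model below is an added example (not from this journal, nor from the OpenBSD or pfSense documentation): `evaluate()` implements the OpenBSD semantics quoted above (walk every rule, last match wins unless a matching rule has `quick`), and `pfsense_ruleset()` assembles the tabs in the order the pfSense doc describes, adding `quick` to group and interface rules so those tabs become first-match-wins. The rules, packet and labels are constructed for the demonstration; the `Rule`/`Packet` classes are simplified stand-ins for real pf.conf syntax and are not a pfSense API.

```python
import dataclasses
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    label: str                    # name recorded in the evaluation trace
    quick: bool = False           # stop evaluating once this rule matches
    iface: Optional[str] = None   # None matches any interface
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt: Packet, default: str = "block"):
    """OpenBSD PF semantics: walk every rule top to bottom; the last match
    decides, unless a matching rule carries quick, which ends the walk.
    Returns (verdict, labels of the rules that matched)."""
    winner, trace = default, []
    for rule in rules:
        if matches(rule, pkt):
            winner = rule.action
            trace.append(rule.label)
            if rule.quick:
                break
    return winner, trace


def pfsense_ruleset(floating, group_rules, iface_rules):
    """Order the tabs as the pfSense doc describes: floating first (quick only
    where the rule sets it), then interface-group rules, then per-interface
    rules, with quick implied on the latter two so each tab is first-match-wins."""
    def implied_quick(rules):
        return [dataclasses.replace(r, quick=True) for r in rules]
    return list(floating) + implied_quick(group_rules) + implied_quick(iface_rules)


# Constructed sample: a LAN tab that allows SSH, then blocks everything else.
LAN_RULES = [
    Rule("pass", "lan-pass-ssh", iface="lan", proto="tcp", dport=22),
    Rule("block", "lan-block-rest", iface="lan"),
]
SSH = Packet(iface="lan", proto="tcp", dport=22)


def plain_pf_verdict():
    # The same two rules loaded into stock PF without quick: the catch-all
    # block is the last match, so SSH is blocked.
    return evaluate(LAN_RULES, SSH)


def pfsense_verdict(floating=()):
    # On the pfSense interface tab the implied quick makes the pass rule win.
    return evaluate(pfsense_ruleset(floating, [], LAN_RULES), SSH)


if __name__ == "__main__":
    print("plain PF, last match wins:", plain_pf_verdict())
    print("pfSense interface tab, first match wins:", pfsense_verdict())
    # A floating block without quick is overridden by the later interface pass.
    soft = [Rule("block", "float-block-ssh", proto="tcp", dport=22)]
    print("floating block, no quick:", pfsense_verdict(soft))
    # With quick, the floating rule ends evaluation before the interface tab.
    hard = [Rule("block", "float-block-ssh-quick", quick=True, proto="tcp", dport=22)]
    print("floating block, quick:", pfsense_verdict(hard))
```

The trace returned alongside the verdict is the useful part when reviewing a ruleset: it shows which rules matched and where evaluation stopped, which is exactly the information that changes when a rule is moved between the floating tab and an interface tab.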
https://www.namecheap.com/support/knowledgebase/article.aspx/29/11/how-do-i-use-a-browser-to-dynamically-update-the-hosts-ip

> Please substitute these with appropriate values for host, domain, password and IP:
> https://dynamicdns.park-your-domain.com/update?host=[host]&domain=[domain_name]&password=[ddns_password]&ip=[your_ip]
> Please make sure you are using your Dynamic DNS password and not the Namecheap account's one.

Why can't I ssh into Nanook from work or Clyde? Maybe because of the VPN?

Watched the AlphaGo documentary on Netflix. A good variation on Kasparov and Deep Blue.

Breakfast: cafe latte, sausage and egg sandwich
Lunch: Taco Bell
Dinner: chips