diff options
| author | Douglas Soares de Andrade <contato@douglasandrade.com> | 2015-06-18 18:09:18 -0300 |
|---|---|---|
| committer | Douglas Soares de Andrade <contato@douglasandrade.com> | 2015-06-18 18:09:18 -0300 |
| commit | f870ceba000ebb4a1f41384cf2b743c65924720d (patch) | |
| tree | 2690b2fe6adf68bd7f732eb7ae281e1b6bbce105 | |
| parent | a38963301e9c29fbe3232f0a41ea080b642c5ad2 (diff) | |
Fix the excludes rule for OS X Yosemite and OS X El Captain
Without this fix, the rdr rule is executed sending the packages that
should be excluded to the ssh tunnel.
What I did was make sure that the packages that are going to the
excluded subnets are processed first and only after that, the remaining
packages will be sent to the ssh tunnel.
Thanks Warr1024 on #openssh channel in freenode for telling me about
the quick keyword and the rest of guys in the channel who tried to help.
| -rw-r--r-- | src/firewall.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/firewall.py b/src/firewall.py index 3dad587..7c16b6a 100644 --- a/src/firewall.py +++ b/src/firewall.py @@ -499,7 +499,7 @@ def do_pf(port, dnsport, family, subnets, udp): exclude_subnets = filter(lambda s:s[2], sorted(subnets, reverse=True)) if exclude_subnets: tables.append('table <exclude_subnets> {%s}' % ','.join(["%s/%s" % (n[3], n[1]) for n in exclude_subnets])) - filtering_rules.append('pass out route-to lo0 inet proto tcp to <exclude_subnets> keep state') + filtering_rules.append('pass out quick proto tcp from any to <exclude_subnets> keep state') if dnsport: nslist = resolvconf_nameservers() |