From owner-freebsd-pf@FreeBSD.ORG Tue May 7 14:01:13 2013
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 666749B8 for ; Tue, 7 May 2013 14:01:13 +0000 (UTC) (envelope-from ianf@clue.co.za)
Received: from zcs03.jnb1.cloudseed.co.za (zcs03.jnb1.cloudseed.co.za [41.154.0.139]) by mx1.freebsd.org (Postfix) with ESMTP id 00C949C2 for ; Tue, 7 May 2013 14:01:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zcs03.jnb1.cloudseed.co.za (Postfix) with ESMTP id 648BF2B430C9; Tue, 7 May 2013 16:01:09 +0200 (SAST)
X-Virus-Scanned: amavisd-new at zcs03.jnb1.cloudseed.co.za
Received: from zcs03.jnb1.cloudseed.co.za ([127.0.0.1]) by localhost (zcs03.jnb1.cloudseed.co.za [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTlEYfR2-86j; Tue, 7 May 2013 16:01:08 +0200 (SAST)
Received: from clue.co.za (unknown [197.87.27.46]) by zcs03.jnb1.cloudseed.co.za (Postfix) with ESMTPSA id 5364C2B430C7; Tue, 7 May 2013 16:01:08 +0200 (SAST)
Received: from localhost ([127.0.0.1] helo=zen.clue.co.za) by clue.co.za with esmtp (Exim 4.80.1 (FreeBSD)) (envelope-from ) id 1UZiS3-00026B-Ep; Tue, 07 May 2013 16:01:07 +0200
To: Nomad Esst
From: Ian FREISLICH
Subject: Re: skipto keyword in pf
In-Reply-To: <1367641777.53540.YahooMailNeo@web162702.mail.bf1.yahoo.com>
References: <1367641777.53540.YahooMailNeo@web162702.mail.bf1.yahoo.com> <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com> <20130501235946.GS6396@verio.net> <1367474077.47142.YahooMailNeo@web162705.mail.bf1.yahoo.com> <20130502131038.72cc6020@davenulle.org>
X-Attribution: BOFH
Date: Tue, 07 May 2013 16:01:06 +0200
Message-Id:
Cc: "freebsd-pf@freebsd.org"
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 07 May 2013 14:01:13 -0000

Nomad Esst wrote:
> >Well, tags could help here. With a concrete example of what you want, it
> >would be easier to suggest a solution.
> >
> >Regards.
>
> Aren't anchors useful as David DeSimone said?

Yes they are. I used to do the following in ipfw:

10 skipto 1200 ip from any to any in recv vlan2
20 skipto 1200 ip from any to any out xmit vlan2
30 skipto 1300 ip from any to any in recv vlan3
40 skipto 1300 ip from any to any out xmit vlan3
50 skipto 1400 ip from any to any in recv vlan4
60 skipto 1400 ip from any to any out xmit vlan4
...
100 deny log ip from any to any
...
1200 vlan2 rules
...
1299 deny log ip from any to any
1300 vlan3 rules
...
1399 deny log ip from any to any
1400 vlan4 rules
...
1499 deny log ip from any to any

In pf I do the following:

anchor vlan2 quick on vlan2
load anchor vlan2 from "/var/db/firewall/vlan2"
anchor vlan3 quick on vlan3
load anchor vlan3 from "/var/db/firewall/vlan3"
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"

and I put the rules for each vlan in their own file. As an example:

-----
tcpports = "{ http, https }"
udpports = "{ snmp }"

# Proxy Network
block return out log all
pass out proto tcp from any to any port $tcpports
pass out proto tcp from to any port ssh
pass out proto udp from any to any port $udpports
pass out proto udp from port 123 to any
pass out proto vrrp from any to any
pass out proto icmp from any to any
pass out proto tcp from to any port { 3128, 8080, 10050 }
pass in all
pass in proto tcp from any to any port { 80 } queue vlan25_out
-----

Rules are evaluated when there is no matching state. Rules are evaluated
in order. The *last* rule to match is used.

> Another question, is it possible to negate a rule or feature in a
> rule? I mean pass all traffic which DO NOT match the rule ? e.g. using
> "!" sign.

You can. As an example, a transparent proxy interception rule:

rdr on vlan5 inet proto tcp from ! to ! port 80 -> port 3128

I highly suggest you read the pf.conf manual page. It has a lot of good
instructions and useful information, particularly the rule grammar at the
end of the page.

Ian

--
Ian Freislich
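As an added illustration, not part of the mail above and not pf's own code, here is a small Python model of the evaluation order Ian describes: rules are walked in order, the last match wins, a rule with `quick` ends evaluation, and `anchor vlanN quick on vlanN` stands in for ipfw's `skipto`. The rulesets, interface names and ports are constructed for the example, and a packet is reduced to interface, direction, protocol and destination port.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    action: str = ""                 # "pass" or "block"; unused on anchor rules
    iface: Optional[str] = None      # None matches any value
    direction: Optional[str] = None  # "in" or "out"
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False              # stop evaluating once this rule matches
    anchor: Optional[list] = None    # child ruleset, as in "anchor vlan2 on vlan2"
def matches(rule, pkt):
    return all(want is None or pkt[key] == want for key, want in
               (("iface", rule.iface), ("direction", rule.direction),
                ("proto", rule.proto), ("dport", rule.dport)))

def evaluate(rules, pkt, result=None):
    """Walk rules in order; return (last matching action, stopped by quick)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.anchor is not None:
            inner, stopped = evaluate(rule.anchor, pkt)
            if inner is not None:          # some rule inside the anchor matched
                result = inner
                if rule.quick or stopped:  # "anchor ... quick" is the skipto analogue
                    return result, True
            continue
        result = rule.action
        if rule.quick:
            return result, True
    return result, False

def decide(rules, pkt):
    action, _ = evaluate(rules, pkt)
    return action or "pass"  # a packet that matches no rule at all is passed
def pkt(iface, direction, proto, dport=None):
    return {"iface": iface, "direction": direction, "proto": proto, "dport": dport}

# Constructed rulesets modelled on the per-VLAN anchor files in the mail.
VLAN2 = [Rule("block", direction="out"),                               # block return out log all
         Rule("pass", direction="out", proto="tcp", dport=80),
         Rule("pass", direction="out", proto="tcp", dport=443),
         Rule("block", direction="in", proto="tcp", dport=23, quick=True),
         Rule("pass", direction="in")]                                 # pass in all
VLAN3 = [Rule("pass", direction="in")]
MAIN = [Rule("block"),                             # default deny first; later matches override it
        Rule(anchor=VLAN2, iface="vlan2", quick=True),
        Rule(anchor=VLAN3, iface="vlan3", quick=True),
        Rule("pass", proto="icmp")]
```

Because the anchors are `quick`, the trailing `pass proto icmp` in MAIN never reaches vlan2 traffic (the anchor's `block out` already matched), but it does apply to vlan3, whose anchor has no outbound rule.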