From owner-freebsd-pf@FreeBSD.ORG Wed May 8 11:32:47 2013
From: Ian FREISLICH
To: Damien Fleuriot
Cc: "freebsd-pf@freebsd.org"
Subject: Re: skipto keyword in pf
Date: Wed, 08 May 2013 13:32:36 +0200
In-Reply-To: <47F7A432-93AD-4E0B-B8F4-B0EAD2BA0D6E@my.gd>
References: <47F7A432-93AD-4E0B-B8F4-B0EAD2BA0D6E@my.gd> <1367641777.53540.YahooMailNeo@web162702.mail.bf1.yahoo.com> <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com> <20130501235946.GS6396@verio.net> <1367474077.47142.YahooMailNeo@web162705.mail.bf1.yahoo.com> <20130502131038.72cc6020@davenulle.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"
Damien Fleuriot wrote:
> > anchor vlan4 quick on vlan4
> > load anchor vlan4 from "/var/db/firewall/vlan4"
>
> Would you kindly elaborate on the quick keyword in conjunction with anchors ?

According to the manual:

    Matching filter and translation rules marked with the quick option
    are final and abort the evaluation of the rules in other anchors and
    the main ruleset. If the anchor itself is marked with the quick
    option, ruleset evaluation will terminate when the anchor is exited
    if the packet is matched by any rule within the anchor.

> > and I put the rules for each vlan in their own file. as an example:
> >
> If you only use anchors to cleanly split your rules, 9.x's PF supports
> includes, by the way, a feature that's been missing for so long ;)

I use it to segment my rules per interface. include won't have the same
effect in this instance.

> Also, @OP:
> Note that if you use anchors, NAT and rdr rules need to be loaded like so:
>
> nat-anchor test
> rdr-anchor test
> anchor test
> load anchor test from "/etc/pf/anchor_test"
>
> Otherwise, don't be surprised if your NATs and RDRs mysteriously
> aren't applied

I haven't experienced this and I have loads of anchors and NAT and RDRs
that aren't loaded in an anchor. Perhaps I have too much traffic to tell
if some of it bypasses a NAT rule, but as far as I can tell it doesn't.

Ian

-- 
Ian Freislich
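The layout the two posters are discussing, written out as an added example (not from either poster's configuration): a main pf.conf that declares a per-interface anchor marked quick, plus the separate anchor file it loads. The nat-anchor/rdr-anchor lines follow Damien's note; the interface names, network 192.168.4.0/24, and the proxy port are constructed for illustration. The quick on the anchor is what Ian quotes from pf.conf(5): once a packet matches any rule inside the anchor, evaluation stops when the anchor is exited, so a pass inside the anchor is final and the block rules of the main ruleset below it are never consulted for that packet.

```pf
# /etc/pf.conf (constructed example, not the poster's file)
ext_if  = "em0"
vlan_if = "vlan4"

set skip on lo0

# Translation rules kept inside the anchor are only evaluated if the main
# ruleset also carries a matching nat-anchor / rdr-anchor (the point made
# in the quoted reply above). Without these two lines the nat/rdr rules in
# the anchor file load fine but never match anything.
nat-anchor "vlan4"
rdr-anchor "vlan4"

# Per-interface filter anchor, marked quick: a packet on vlan4 that matches
# any rule inside the anchor skips the rest of this ruleset entirely.
anchor "vlan4" quick on $vlan_if
load anchor "vlan4" from "/var/db/firewall/vlan4"

# Reached only by packets that matched nothing inside the anchor
# (or that did not arrive on vlan4 at all).
block log all
pass out on $ext_if keep state

# /var/db/firewall/vlan4 (constructed example anchor file)
# Addresses and ports below are illustrative only.
nat on em0 from 192.168.4.0/24 to any -> (em0)
rdr on vlan4 proto tcp from 192.168.4.0/24 to any port 80 -> 127.0.0.1 port 3128

# Default deny for the segment, then the explicit allowances.
block in log on vlan4 all
pass in on vlan4 proto tcp from 192.168.4.0/24 to 127.0.0.1 port 3128 keep state
pass in on vlan4 proto tcp from 192.168.4.0/24 to any port { 22, 443 } keep state
```

Because the anchor is quick, the block in log on vlan4 all inside the anchor file acts as that segment's default-deny on its own: a vlan4 packet that reaches it is matched, and evaluation ends at anchor exit without falling through to the main ruleset. Conversely, any pass inside the anchor cannot be overridden by a later block in pf.conf, so anything that must apply to every interface has to sit before the anchor line, not after it. Check the loaded result with pfctl -sr and pfctl -a vlan4 -sr (and -sn for the translation rules) rather than assuming the anchor file took effect.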