Date: Wed, 8 May 2013 13:13:47 +0200
From: Damien Fleuriot <ml@my.gd>
To: Ian FREISLICH <ianf@clue.co.za>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: skipto keyword in pf
Message-ID: <47F7A432-93AD-4E0B-B8F4-B0EAD2BA0D6E@my.gd>
In-Reply-To: <E1UZiS3-00026B-Ep@clue.co.za>
References: <1367641777.53540.YahooMailNeo@web162702.mail.bf1.yahoo.com> <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com> <20130501235946.GS6396@verio.net> <1367474077.47142.YahooMailNeo@web162705.mail.bf1.yahoo.com> <20130502131038.72cc6020@davenulle.org> <E1UZiS3-00026B-Ep@clue.co.za>
On 7 May 2013, at 16:01, Ian FREISLICH <ianf@clue.co.za> wrote:

> Nomad Esst wrote:
>>> Well, tags could help here. With a concrete example of what you want, it would be easier to suggest a solution.
>>
>>> Regards.
>>
>> Aren't anchors useful as David DeSimone said?
>
> Yes they are. I used to do the following in ipfw:
>
> 10 skipto 1200 ip from any to any in recv vlan2
> 20 skipto 1200 ip from any to any out xmit vlan2
> 30 skipto 1300 ip from any to any in recv vlan3
> 40 skipto 1300 ip from any to any out xmit vlan3
> 50 skipto 1400 ip from any to any in recv vlan4
> 60 skipto 1400 ip from any to any out xmit vlan4
> ...
> 100 deny log ip from any to any
> ...
> 1200 vlan2 rules
> ...
> 1299 deny log ip from any to any
> 1300 vlan3 rules
> ...
> 1399 deny log ip from any to any
> 1400 vlan4 rules
> ...
> 1499 deny log ip from any to any
>
>
> In pf I do the following:
>
> anchor vlan2 quick on vlan2
> load anchor vlan2 from "/var/db/firewall/vlan2"
> anchor vlan3 quick on vlan3
> load anchor vlan3 from "/var/db/firewall/vlan3"
> anchor vlan4 quick on vlan4
> load anchor vlan4 from "/var/db/firewall/vlan4"
>

Would you kindly elaborate on the quick keyword in conjunction with anchors?
I would assume that makes all the rules within the anchor quick?

> and I put the rules for each vlan in their own file. as an example:

If you only use anchors to cleanly split your rules, 9.x's PF supports includes, by the way, a feature that's been missing for so long ;)

Also, @OP:

Note that if you use anchors, NAT and rdr rules need to be loaded like so:

nat-anchor test
rdr-anchor test
anchor test
load anchor test from "/etc/pf/anchor_test"

Otherwise, don't be surprised if your NATs and RDRs mysteriously aren't applied.
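Putting Ian's per-VLAN anchor layout and the nat-anchor/rdr-anchor point together, as an added example that nobody in the thread posted: a main pf.conf followed by the contents of one per-VLAN anchor file. The uplink em0, the vlan2 address range and the port numbers are assumptions chosen for illustration.

```pf
# /etc/pf.conf  (constructed example; em0 is an assumed uplink interface)

# Translation section first: pf insists on the order options, normalization,
# queueing, translation, filter.  A nat or rdr rule inside a loaded anchor is
# only applied when a nat-anchor / rdr-anchor of the same name exists here.
nat-anchor vlan2
rdr-anchor vlan2
nat-anchor vlan3
rdr-anchor vlan3

# Filter section.  "quick" on the anchor rule makes a match inside the anchor
# final: the catch-all block below is never reached for vlan2 packets that
# matched something in the anchor.  Packets matching nothing inside the
# anchor still fall through to it.
anchor vlan2 quick on vlan2
load anchor vlan2 from "/var/db/firewall/vlan2"
anchor vlan3 quick on vlan3
load anchor vlan3 from "/var/db/firewall/vlan3"

# 9.x alternative when you only want the split, not anchor semantics:
# include "/var/db/firewall/vlan4"

# Counterpart of ipfw's "100 deny log ip from any to any"
block log all


# /var/db/firewall/vlan2  (constructed example contents, one file per VLAN)
# Macros defined in the main file are not relied on here, so the interface
# name is written out.  Rules are parsed in the same section order as above.
nat on em0 inet from vlan2:network to any -> (em0)

# pf evaluates last-match-wins unless "quick" is used, so the per-VLAN
# default deny (ipfw's "1299 deny log") goes FIRST and the pass rules
# after it override it for the traffic they describe.
block log all
pass in on vlan2 inet proto tcp from vlan2:network to any port { 80 443 }
pass out on vlan2 inet proto tcp from any to vlan2:network port 22
```

Check the result with pfctl -nf /etc/pf.conf before loading; pfctl parses each load anchor file as well and reports which file and line it rejects.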