Date: Tue, 8 Sep 2015 13:45:46 -0400
From: "Derek (freebsd lists)" <482254ac@razorfever.net>
To: freebsd-pf@freebsd.org
Subject: pf, rdr, & anchors - broken or PEBKAC
Message-ID: <55EF1ECA.3080508@razorfever.net>
Hi!

I'm trying to configure a basic layer-3 load balancer (10.2-RELEASE). I initially started down this path with relayd from ports, as it seems to do what I need, very succinctly.

What I've stumbled upon - I hope - is me not knowing how to cause rdr statements in anchors to be evaluated, although it appears that this functionality is currently broken.

Take this contrived, most-trivial example (where 192.168.0.1 is external, and 10.2.2.251 is internal):

/etc/pf.conf:
    rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251

    sudo pfctl -Fa -f /etc/pf.conf

*everything works as expected*

Now, this time using anchors:

    sudo mv /etc/pf.conf /etc/pf.conf-anchor

/etc/pf.conf:
    anchor testing
    load anchor testing from "/etc/pf.conf-anchor"

    sudo pfctl -Fa -f /etc/pf.conf

gives TCP RSTs when connecting to port 80. Additionally sudo pfctl -a testing -vvs nat:

    @0 rdr inet proto tcp from any to 192.168.0.1 port = http -> 10.2.2.251
      [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
      [ Inserted: uid 0 pid 56764 State Creations: 0 ]

So identical rulesets, one loaded as an anchor: never evaluated, the other loaded into the main ruleset directly: works fine.

Is this broken, or am I missing something?

Thanks!

Derek
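As an added illustration (not part of Derek's message or of any reply on the list), the sh script below rebuilds both rulesets from the post in a temporary directory and adds a small consistency checker. It relies on the pf.conf(5) semantics in FreeBSD's pf: translation rules (nat, rdr, binat) inside an anchor are only evaluated through a nat-anchor, rdr-anchor or binat-anchor attachment point, a plain "anchor" statement attaches filter rules only, and "load anchor" merely populates the anchor. The checker's name and the file names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the post. Reproduces the poster's two rulesets from
# constructed copies and flags the usual cause of "rdr in anchor never
# evaluated": an anchor that is loaded with translation rules but is never
# attached with nat-anchor/rdr-anchor/binat-anchor in the main ruleset.

work=$(mktemp -d)

# The anchor file exactly as the post shows it (constructed copy).
cat > "$work/pf.conf-anchor" <<EOF
rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251
EOF

# Ruleset as posted: only a filter attachment point, so the rdr is never hit.
cat > "$work/pf.conf-broken" <<EOF
anchor testing
load anchor testing from "$work/pf.conf-anchor"
EOF

# Corrected ruleset: rdr-anchor belongs with the translation rules, before any
# filter rules, so packets are matched against the rdr loaded into the anchor.
cat > "$work/pf.conf-fixed" <<EOF
rdr-anchor "testing"
anchor "testing"
load anchor testing from "$work/pf.conf-anchor"
EOF

# list_missing_rdr_anchors MAIN: print the name of every anchor that MAIN loads
# from a file containing nat/rdr/binat rules but never attaches with a
# nat-anchor/rdr-anchor/binat-anchor line. Prints nothing when consistent.
list_missing_rdr_anchors() {
    main=$1
    sed -n 's/^[[:space:]]*load[[:space:]]*anchor[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*from[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1 \2/p' "$main" |
    while read -r name file; do
        case $file in /*) ;; *) file=$(dirname "$main")/$file ;; esac
        [ -f "$file" ] || continue
        # Anchors with filter rules only need no translation attachment point.
        grep -Eq '^[[:space:]]*(nat|rdr|binat)[[:space:]]' "$file" || continue
        grep -Eq "^[[:space:]]*(nat|rdr|binat)-anchor[[:space:]]+\"?$name\"?([[:space:]]|\$)" "$main" || echo "$name"
    done
}

# On a real host the syntax check would be: pfctl -nf "$work/pf.conf-fixed"
list_missing_rdr_anchors "$work/pf.conf-broken"   # prints: testing
list_missing_rdr_anchors "$work/pf.conf-fixed"    # prints nothing
```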