Date: Tue, 07 May 2013 16:01:06 +0200
From: Ian FREISLICH <ianf@clue.co.za>
To: Nomad Esst <noname.esst@yahoo.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: skipto keyword in pf
Message-ID: <E1UZiS3-00026B-Ep@clue.co.za>
In-Reply-To: <1367641777.53540.YahooMailNeo@web162702.mail.bf1.yahoo.com>
References: <1367641777.53540.YahooMailNeo@web162702.mail.bf1.yahoo.com> <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com> <20130501235946.GS6396@verio.net> <1367474077.47142.YahooMailNeo@web162705.mail.bf1.yahoo.com> <20130502131038.72cc6020@davenulle.org>
Nomad Esst wrote:
> >Well, tags could help here. With a concrete example of what you want, it
> >would be easier to suggest a solution.
> >
> >Regards.
>
> Aren't anchors useful as David DeSimone said?

Yes they are.  I used to do the following in ipfw:

10 skipto 1200 ip from any to any in recv vlan2
20 skipto 1200 ip from any to any out xmit vlan2
30 skipto 1300 ip from any to any in recv vlan3
40 skipto 1300 ip from any to any out xmit vlan3
50 skipto 1400 ip from any to any in recv vlan4
60 skipto 1400 ip from any to any out xmit vlan4
...
100 deny log ip from any to any
...
1200 vlan2 rules
...
1299 deny log ip from any to any
1300 vlan3 rules
...
1399 deny log ip from any to any
1400 vlan4 rules
...
1499 deny log ip from any to any

In pf I do the following:

anchor vlan2 quick on vlan2
load anchor vlan2 from "/var/db/firewall/vlan2"
anchor vlan3 quick on vlan3
load anchor vlan3 from "/var/db/firewall/vlan3"
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"

and I put the rules for each vlan in their own file.  As an example:

-----
tcpports = "{ http, https }"
udpports = "{ snmp }"

# Proxy Network
block return out log all
pass out proto tcp from any to any port $tcpports
pass out proto tcp from <ournets> to any port ssh
pass out proto udp from any to any port $udpports
pass out proto udp from <ournets> port 123 to any
pass out proto vrrp from any to any
pass out proto icmp from any to any
pass out proto tcp from <ournets> to any port { 3128, 8080, 10050 }
pass in all
pass in proto tcp from any to any port { 80 } queue vlan25_out
-----

Rules are evaluated when there is no matching state.  Rules are evaluated
in order.  The *last* rule to match is used.

> Another question, is it possible to negate a rule or feature in a
> rule? I mean pass all traffic which DO NOT match the rule ? e.g. using
> "!" sign.

You can.
As an example, a transparent proxy interception rule:

rdr on vlan5 inet proto tcp from !<no-proxy-src> to !<no-proxy-dst> port 80 -> <proxy> port 3128

I highly suggest you read the pf.conf manual page.  It has a lot of good
instructions and useful information, particularly the rule grammar at the
end of the page.

Ian

-- 
Ian Freislich
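Added example (editorial, not part of Ian's message or of any real FreeBSD ruleset): a complete main ruleset that reproduces the ipfw skipto layout above with pf anchors, followed by the contents of one anchor file, and the negated rdr rule wired in with the filter rule it needs. Interface names, the table contents, the proxy address and the file path /var/db/firewall/vlan2 are assumptions chosen to make the fragment load; addresses are from the documentation ranges.

```pf
# /etc/pf.conf  (added example; FreeBSD 9-era pf syntax with separate rdr rules)
set skip on lo0

# Assumed table contents (constructed for the example).
table <ournets>      persist { 192.0.2.0/24, 198.51.100.0/24 }
table <no-proxy-src> persist { 192.0.2.10 }
table <no-proxy-dst> persist { 198.51.100.0/24 }
table <proxy>        persist { 192.0.2.5 }

# Translation rules are evaluated before filter rules, so the filter rules
# below see the rewritten destination (<proxy> port 3128), not port 80.
# "!<table>" means "not listed in the table": only clients that are NOT in
# <no-proxy-src> talking to destinations NOT in <no-proxy-dst> are hijacked.
rdr on vlan5 inet proto tcp from !<no-proxy-src> to !<no-proxy-dst> port 80 -> <proxy> port 3128

# Equivalent of "100 deny log ip from any to any": the default for anything
# no later rule claims.  Last match wins, so the default goes first.
block log all

# Filter counterpart of the rdr: after translation the packet is addressed
# to the proxy on 3128.  The state created here (floating by default) also
# covers the outbound leg towards the proxy's interface.
pass in on vlan5 inet proto tcp from any to <proxy> port 3128

# Per-VLAN policy lives in anchors, one file each, like the skipto blocks.
# "quick" on the anchor rule makes the anchor's decision final: if any rule
# inside matched, rules below this point in the main ruleset are not consulted.
anchor vlan2 quick on vlan2
load anchor vlan2 from "/var/db/firewall/vlan2"
anchor vlan3 quick on vlan3
load anchor vlan3 from "/var/db/firewall/vlan3"
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"


# /var/db/firewall/vlan2  (added example; the "1200 ... 1299" block in ipfw terms)
tcpports = "{ http, https }"
udpports = "{ snmp }"

# Per-VLAN default: drop and log outbound traffic, the "1299 deny log" line.
# Because the last matching rule wins, it must precede the pass rules.
block return out log all
pass out proto tcp from any to any port $tcpports
pass out proto tcp from <ournets> to any port ssh
pass out proto udp from any to any port $udpports
pass out proto icmp from any to any
pass in all
```

Check the whole thing without loading it with `pfctl -nf /etc/pf.conf`; a mistake inside an anchor file is reported when the `load anchor` line is parsed. Once loaded, a single VLAN's policy can be replaced without touching the rest of the ruleset with `pfctl -a vlan2 -f /var/db/firewall/vlan2`, and inspected with `pfctl -a vlan2 -sr`, which is the operational win over renumbering an ipfw skipto block. Note that the `rdr` form above is the pf syntax FreeBSD still ships; OpenBSD 4.7 and later folded translation into `match`/`pass` rules with `rdr-to`, so rules copied from recent OpenBSD examples will not parse here.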