From owner-freebsd-pf@FreeBSD.ORG Thu Oct 19 18:10:39 2006
From: Martin Turgeon
To: freebsd-pf@freebsd.org
Date: Thu, 19 Oct 2006 14:09:20 -0400
Message-id: <0J7E00AYPAFAK4C0@VL-MH-MR001.ip.videotron.ca>
Subject: Details about tags
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I was running PF with tags for a while, but I learnt yesterday that half of my config was useless. In fact, every out rule that was checking the tags was never triggered because of the keep state on the in rules.
I followed the FAQ on the OpenBSD website (http://openbsd.org/faq/pf/tagging.html), but I think it's missing a modification of the state-policy to set it to if-bound so that the out rules are triggered. But then, what is the point of using tags?

Thanks,
Martin

Here are the interesting sections of my pf.conf:

wan_if="fxp0"
lan_if="em0"
wls_if="ath0"
vpn_if="tun0"
ap_if="xl0"

### Scrub ###
scrub on $wan_if all

### NAT ###
nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if)
nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if)
nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if)
nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if)
nat pass on $wan_if from $wan_if to any -> ($wan_if)

### Default block ###
block log all

### Tag definitions ###
# LAN interface
pass in on $lan_if from $lan_if:network tag LAN_WAN keep state
pass in on $lan_if from $lan_if:network to $wls_if:network tag LAN_WLS keep state
pass in on $lan_if from $lan_if:network to $ap_if:network tag LAN_AP keep state
pass in on $lan_if from $lan_if:network to ($vpn_if:network) tag LAN_VPN keep state

# WLS interface
pass in on $wls_if from $wls_if:network tag WLS_WAN keep state
pass in on $wls_if from $wls_if:network to $lan_if:network tag WLS_LAN keep state
pass in on $wls_if from $wls_if:network to $ap_if:network tag WLS_AP keep state
pass in on $wls_if from $wls_if:network to ($vpn_if:network) tag WLS_VPN keep state

# VPN interface
pass in on $vpn_if from ($vpn_if:network) tag VPN_WAN keep state
pass in on $vpn_if to $lan_if:network tag VPN_LAN keep state
pass in on $vpn_if from ($vpn_if:network) to $ap_if:network tag VPN_AP keep state
pass in on $vpn_if from ($vpn_if:network) to $wls_if:network tag VPN_WLS keep state

# AP interface
pass in on $ap_if from $ap_if:network tag AP_WAN keep state
pass in on $ap_if from $ap_if:network to $lan_if:network tag AP_LAN keep state
pass in on $ap_if from $ap_if:network to $wls_if:network tag AP_WLS keep state
pass in on $ap_if from $ap_if:network to ($vpn_if:network) tag AP_VPN keep state

### Security policies ###
# IN for WAN

# OUT for WAN
pass out quick on $wan_if tagged LAN_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged WLS_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged VPN_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged AP_WAN_NAT flags S/SA keep state

# OUT for LAN
pass out quick on $lan_if tagged WLS_LAN flags S/SA keep state
pass out quick on $lan_if tagged WAN_WIKI flags S/SA keep state
pass out quick on $lan_if tagged WAN_NOTRE_RDP flags S/SA keep state
pass out quick on $lan_if tagged VPN_LAN flags S/SA keep state
pass out quick on $lan_if tagged AP_LAN flags S/SA keep state
pass out quick on $lan_if tagged WAN_BAREBONE flags S/SA keep state

# OUT for WLS
pass out quick on $wls_if tagged LAN_WLS flags S/SA keep state
pass out quick on $wls_if tagged VPN_WLS flags S/SA keep state
pass out quick on $wls_if tagged AP_VPN flags S/SA keep state

# OUT for AP
pass out quick on $ap_if tagged LAN_AP flags S/SA keep state
pass out quick on $ap_if tagged VPN_AP flags S/SA keep state
pass out quick on $ap_if tagged WLS_AP flags S/SA keep state
pass out quick on $ap_if tagged WLS_AP_NAT flags S/SA keep state
#pass out quick on $ap_if tagged WAN_JN flags S/SA keep state

# OUT for VPN
pass out quick on $vpn_if tagged WLS_VPN flags S/SA keep state
pass out quick on $vpn_if tagged LAN_VPN flags S/SA keep state
pass out quick on $vpn_if tagged AP_VPN flags S/SA keep state
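The symptom Martin describes can be confirmed from pf's own rule counters rather than by reasoning about the ruleset: pf looks up existing states before it evaluates rules, and with the default floating state-policy the state created by a "pass in ... keep state" rule also matches the same packet on its way out, so the "pass out ... tagged X" rules are never consulted and their "Evaluations" counter in `pfctl -vsr` stays at 0. The script below is an added example, not from the original post or from the pf project; it parses `pfctl -vsr` output and lists the tagged out rules that have never been evaluated. The sample output it runs on stand-alone is constructed for the example and is not real output from Martin's firewall.

```shell
#!/bin/sh
# Added example (not part of the original post): find "pass out ... tagged X"
# rules that pf has never evaluated.  With floating states the state created by
# the in rule swallows the packet on the out interface, so these rules show
# "Evaluations: 0" no matter how much traffic flows.
#
# Live usage on the firewall:   sh this_script.sh --live
# Stand-alone (no argument):    runs against the constructed sample below.

# find_dead_tagged_rules: read `pfctl -vsr` output on stdin and print every
# "pass out ... tagged ..." rule whose Evaluations counter is still 0.
find_dead_tagged_rules() {
    awk '
        # pfctl -vsr prints each rule, then an indented counter line:
        #   [ Evaluations: N  Packets: N  Bytes: N  States: N ]
        # so the counter line always refers to the rule read just before it.
        /^[[:space:]]*\[ Evaluations:/ {
            if (rule ~ /^pass out / && rule ~ / tagged / && $3 == 0) print rule
            next
        }
        { rule = $0 }
    '
}

# count_dead_tagged_rules: same input, prints only how many such rules exist.
# A non-zero result from cron is a cheap "the out policy is not being applied"
# alarm.
count_dead_tagged_rules() {
    find_dead_tagged_rules | wc -l | tr -d ' '
}

# Constructed sample in `pfctl -vsr` format (assumed layout, not captured from
# the poster's box): the in rule has created states, the two WAN out rules were
# never consulted, and one out rule on em0 shows what a working out rule looks
# like once its interface keeps its own states.
SAMPLE_PFCTL_OUTPUT='pass in on em0 inet from 192.168.1.0/24 to any tag LAN_WAN keep state
  [ Evaluations: 5123      Packets: 41002     Bytes: 30112345    States: 17    ]
pass out quick on fxp0 tagged LAN_WAN_NAT flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass out quick on fxp0 tagged WLS_WAN_NAT flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass out quick on em0 tagged VPN_LAN flags S/SA keep state
  [ Evaluations: 212       Packets: 1800      Bytes: 900000      States: 3     ]'

if [ "${1:-}" = "--live" ]; then
    # On a real pf host: feed the current ruleset counters straight in.
    pfctl -vsr | find_dead_tagged_rules
else
    # Demo on the constructed sample: prints the two fxp0 rules.
    printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | find_dead_tagged_rules
fi
```

If the check lists rules, the fix is the one Martin suspects: `set state-policy if-bound` at the top of pf.conf (or `keep state (if-bound)` on the individual in rules). A state bound to em0 then no longer matches the packet when it appears on fxp0, the tagged out rule is evaluated, and it creates its own state on fxp0 for the return traffic. The price is one state per interface traversed instead of one per connection, and the out rules must themselves keep state, which the rules above already do. Re-running the check after the change should show the counters of the tagged out rules rising.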