Date: Fri, 17 May 2013 16:39:44 -0500
From: Manoj Ganesan <manoj.ganesan@gmail.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: Anchor evaluation
Message-ID: <CAOtNLgL_qqsXYi5NPO3phaDXT5RXnBo0uAJ+kVffcZ03SH+SeQ@mail.gmail.com>
In-Reply-To: <20130517195639.GF7792@verio.net>
References: <CAOtNLg+RghjeG8izpe2+midF913K0T4AuNg+N-iuz9qzH-dpUg@mail.gmail.com> <20130517195639.GF7792@verio.net>
On Fri, May 17, 2013 at 2:56 PM, David DeSimone <fox@verio.net> wrote:

> Manoj Ganesan <manoj.ganesan@gmail.com> wrote:
> >
> > I'm probably doing something very silly here, which I can't figure out. I'm
> > trying to get an anchor to be evaluated, but I can't seem to get traffic to
> > go through.
> >
> > My /etc/pf.conf looks like:
> >
> > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
> > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
> > pass out all
> >
> > I want to replace these by an anchor like so (my /etc/pf.conf looks like):
> >
> > anchor my_anchor
> > load anchor gamenode from "/usr/home/my_user/my_anchor"
>
> You're telling PF to evaluate an anchor "my_anchor" but you named the
> anchor "gamenode", so there are no rules to be evaluated in that case.
>
> > where the /usr/home/my_user/my_anchor looks like:
> >
> > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
> > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
> > pass out all
> >
> > But while the anchor-less case lets packets through, the anchor case
> > doesn't. Am I doing something wrong here?
>
> The "anchor" directive tells PF to only evaluate filter rules from the
> anchor. I would assume you also need "nat-anchor" and "rdr-anchor"
> directives to force all of the anchor rules to be evaluated:
>
> nat-anchor my_anchor
> rdr-anchor my_anchor
> anchor my_anchor
>
> load anchor my_anchor from "/usr/home/my_user/my_anchor"

I didn't realize I had to have separate lines for nat and rdr. Thank you very much! :)

> --
> David DeSimone == Network Admin == fox@verio.net
> "I don't like spinach, and I'm glad I don't, because if I
> liked it I'd eat it, and I just hate it." -- Clarence Darrow
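As an added example (not part of the thread), a small Python lint for the two mistakes discussed above: a "load anchor" name that no directive in the main file evaluates, and translation rules inside an anchor that has no matching nat-anchor / rdr-anchor line. The DIRECTIVE_FOR_RULE map and the check_anchors function are my own; the sample configs are the ones quoted in the thread.

```python
import re

# A bare "anchor" line only pulls in filter rules; translation rules need their
# own nat-anchor / rdr-anchor line, the point made in the reply above. This map
# names the main-file directive required for each kind of rule in an anchor.
DIRECTIVE_FOR_RULE = {"nat": "nat-anchor", "rdr": "rdr-anchor",
                      "pass": "anchor", "block": "anchor"}

# Sample inputs constructed from the configs quoted in the thread.
ANCHOR_RULES = """\
rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
pass out all
"""
BROKEN_MAIN = 'anchor my_anchor\nload anchor gamenode from "/usr/home/my_user/my_anchor"\n'
FIXED_MAIN = ('nat-anchor my_anchor\nrdr-anchor my_anchor\nanchor my_anchor\n'
              'load anchor my_anchor from "/usr/home/my_user/my_anchor"\n')

def _rule_kinds(text):
    """Yield the first keyword of every non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()[0]

def check_anchors(main_conf, anchor_files):
    """Return sorted problems for a main pf.conf plus its anchor files.
    anchor_files maps NAME in "load anchor NAME from FILE" to that file's text."""
    referenced = {}  # anchor name -> main-file directives that evaluate it
    loaded = []
    for line in main_conf.splitlines():
        m = re.match(r'\s*(nat-anchor|rdr-anchor|anchor)\s+"?([\w/.-]+)"?', line)
        if m:
            referenced.setdefault(m.group(2), set()).add(m.group(1))
        m = re.match(r'\s*load\s+anchor\s+"?([\w/.-]+)"?\s+from\b', line)
        if m:
            loaded.append(m.group(1))
    problems = set()
    for name in loaded:
        if name not in referenced:
            problems.add(f"anchor {name!r} is loaded but no anchor/nat-anchor/"
                         f"rdr-anchor line evaluates it")
            continue
        for kind in _rule_kinds(anchor_files.get(name, "")):
            needed = DIRECTIVE_FOR_RULE.get(kind)
            if needed and needed not in referenced[name]:
                problems.add(f"anchor {name!r} contains a {kind!r} rule but the "
                             f"main file has no {needed!r} line for it")
    return sorted(problems)
```

Running check_anchors over BROKEN_MAIN reports the name mismatch; over a main file with only "anchor my_anchor" it reports the missing nat-anchor and rdr-anchor lines; over FIXED_MAIN it reports nothing.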