From owner-freebsd-pf@FreeBSD.ORG Fri May 17 21:40:06 2013
From: Manoj Ganesan
Date: Fri, 17 May 2013 16:39:44 -0500
Subject: Re: Anchor evaluation
To: "freebsd-pf@freebsd.org"
In-Reply-To: <20130517195639.GF7792@verio.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Fri, May 17, 2013 at 2:56 PM, David DeSimone wrote:

> Manoj Ganesan wrote:
> >
> > I'm probably doing something very silly here, which I can't figure out.
> > I'm trying to get an anchor to be evaluated, but I can't seem to get
> > traffic to go through.
> >
> > My /etc/pf.conf looks like:
> >
> > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
> > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
> > pass out all
> >
> > I want to replace these by an anchor like so (my /etc/pf.conf looks like):
> >
> > anchor my_anchor
> > load anchor gamenode from "/usr/home/my_user/my_anchor"
>
> You're telling PF to evaluate an anchor "my_anchor" but you named the
> anchor "gamenode", so there are no rules to be evaluated in that case.
>
> > where the /usr/home/my_user/my_anchor looks like:
> >
> > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
> > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
> > pass out all
> >
> > But while the anchor-less case lets packets through, the anchor case
> > doesn't. Am I doing something wrong here?
>
> The "anchor" directive tells PF to only evaluate filter rules from the
> anchor. I would assume you also need "nat-anchor" and "rdr-anchor"
> directives to force all of the anchor rules to be evaluated:
>
> nat-anchor my_anchor
> rdr-anchor my_anchor
> anchor my_anchor
>
> load anchor my_anchor from "/usr/home/my_user/my_anchor"
>

I didn't realize I had to have separate lines for nat and rdr. Thank you very much! :)

> --
> David DeSimone == Network Admin == fox@verio.net
> "I don't like spinach, and I'm glad I don't, because if I
> liked it I'd eat it, and I just hate it."
> -- Clarence Darrow
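The two configurations from the exchange above (Manoj's first attempt and David's corrected one) written out as files, together with a pre-flight check for exactly the two mistakes the thread turns on: the name given to `load anchor` not matching the name the main ruleset evaluates, and nat/rdr rules sitting in an anchor file with no `nat-anchor`/`rdr-anchor` directive to evaluate them. This is an added example, not code from the thread, the list or FreeBSD. It assumes a scratch directory created with mktemp, hypothetical helper names (write_anchor_file, write_broken_conf, write_fixed_conf, has_directive, lint_anchors, count_problems), and one rule or directive per line; the lint is a plain text check, not pfctl's parser.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: reproduce the two
# mistakes David pointed out (anchor name mismatch; nat and rdr rules never
# evaluated) as files in a scratch directory, and lint them before they go to
# pfctl. The lint rules and file layout are this example's own assumptions;
# the pf rules, names and addresses are the ones Manoj posted.

WORK="${WORK:-$(mktemp -d)}"   # hypothetical scratch dir: no root or pf needed

# The anchor file with the rules Manoj wanted to move out of /etc/pf.conf.
write_anchor_file() {
    cat > "$WORK/my_anchor" <<'EOF'
rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
pass out all
EOF
}

# Manoj's first attempt: pf evaluates anchor "my_anchor", but the file is
# loaded into anchor "gamenode", and nothing evaluates nat or rdr rules at all.
write_broken_conf() {
    cat > "$WORK/pf.conf.broken" <<EOF
anchor my_anchor
load anchor gamenode from "$WORK/my_anchor"
EOF
}

# David's fix: one anchor name throughout and one directive per ruleset. The
# nat-anchor and rdr-anchor lines are translation rules, so they must come
# before any filter rule (pf.conf enforces that ordering).
write_fixed_conf() {
    cat > "$WORK/pf.conf" <<EOF
nat-anchor my_anchor
rdr-anchor my_anchor
anchor my_anchor
load anchor my_anchor from "$WORK/my_anchor"
EOF
}

# has_directive CONF KEYWORD NAME: true if CONF contains "KEYWORD NAME" at the
# start of a line (quotes around NAME optional). NAME is used as a regex, so
# keep anchor names to plain identifiers.
has_directive() {
    grep -Eq "^$2[[:space:]]+\"?$3\"?([[:space:]]|\$)" "$1"
}

# lint_anchors CONF: for every `load anchor NAME from "FILE"` in CONF, report
# each kind of rule in FILE (nat, rdr, filter) that CONF never evaluates under
# NAME. Prints one problem per line; returns 0 when clean, 1 otherwise.
lint_anchors() {
    conf="$1"
    problems=$(
        awk '$1 == "load" && $2 == "anchor" { print $3, $5 }' "$conf" |
        while read -r name file; do
            name=${name#\"}; name=${name%\"}
            file=${file#\"}; file=${file%\"}
            if [ ! -r "$file" ]; then
                echo "$name: cannot read $file"
                continue
            fi
            if grep -Eq '^nat[[:space:]]' "$file" && ! has_directive "$conf" nat-anchor "$name"; then
                echo "$name: file has nat rules but $conf has no 'nat-anchor $name'"
            fi
            if grep -Eq '^rdr[[:space:]]' "$file" && ! has_directive "$conf" rdr-anchor "$name"; then
                echo "$name: file has rdr rules but $conf has no 'rdr-anchor $name'"
            fi
            if grep -Eq '^(pass|block|match)[[:space:]]' "$file" && ! has_directive "$conf" anchor "$name"; then
                echo "$name: file has filter rules but $conf has no 'anchor $name'"
            fi
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# count_problems CONF: number of lint findings (0 when clean).
count_problems() {
    lint_anchors "$1" | grep -c . || true
}

# Demo when run directly: the broken config is rejected, the fixed one is clean.
write_anchor_file
write_broken_conf
write_fixed_conf
lint_anchors "$WORK/pf.conf.broken" || echo "=> broken config rejected, as expected"
lint_anchors "$WORK/pf.conf" && echo "=> fixed config is clean; next: pfctl -nf $WORK/pf.conf"
```

The lint only catches what a text scan can catch; the real check is pfctl itself. `pfctl -nf /etc/pf.conf` parses the main ruleset and the file named in `load anchor` without loading anything, and after loading, `pfctl -a my_anchor -s nat` and `pfctl -a my_anchor -s rules` show which translation and filter rules actually ended up in the anchor the main ruleset evaluates. With Manoj's first configuration those listings would have been empty, and the rules would have shown up under `pfctl -a gamenode` instead, which is the quickest way to spot this class of mismatch on a live box.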