Date: Wed, 23 Dec 2009 02:12:27 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: How to export / save and compare PF rule sets
Message-ID: <4B316E7B.9020404@quip.cz>
In-Reply-To: <200912230140.40776.max@love2party.net>
References: <4B315B31.7050902@quip.cz> <200912230140.40776.max@love2party.net>
Max Laier wrote:
> On Wednesday 23 December 2009 00:50:09 Miroslav Lachman wrote:
>> scrub is before nat/rdr rules in case of "pfctl -s a" and after nat/rdr
>> in case of "pfctl -nvf /etc/pf.conf"
>
> The order should always be options, scrub, queues, nat, filters. pfctl -nvf
> only works with a different order if you have "set require-order no" in your
> ruleset. You should be able to fix this at your end.

I have things in this order in my pf.conf:

macros
tables
options
scrub
nat
rdr
pass/block rules

I don't have "set require-order no" in pf.conf, the only options I have are:

set timeout { interval 10, frag 20 }
set limit { states 10000, frags 5000 }
set optimization aggressive
set block-policy return
set skip on $unfiltered

then:

scrub in on $ext_if
scrub out on $ext_if no-df random-id max-mss 1492

nat pass on $ext_if from $vpn_sectun_net to any -> $ext_addr_0

rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 10443 -> $pdu_addr_0 port 443
rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 11443 -> $pdu_addr_1 port 443
rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 12443 -> $pdu_addr_2 port 443

So do I have to change anything? I think I have it in the right order. That's
why I asked the question here.

The problem is that "pfctl -s a" shows:

TRANSLATION RULES:
(some NAT/RDR here)

FILTER RULES:
scrub in on bge1 all fragment reassemble
scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
pass in quick proto tcp from <goodguys> to any flags S/SA keep state
block return in log quick from <badguys> to any

As you can see, scrub is in the FILTER RULES section of the output, but in
pf.conf (as required according to the manpage) scrub is before TRANSLATION
RULES, and pfctl -nvf prints it in this (right) order.

>> Is there any other way I can export live and saved rules in the same
>> format and the same order, ready for comparison by diff?
>
> you can always extract the parts individually and cat them together if you
> insist on keeping the ruleset unordered.

I was trying to do it in one pass (speed optimization ;])

Miroslav Lachman
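Max's suggestion of pulling the parts out individually and concatenating them can also be done as a single post-processing pass over the live output, which is what the thread is asking for. The POSIX shell script below is an added example, not code from either poster or from the pf project. It assumes only what the thread shows: the "TRANSLATION RULES:" and "FILTER RULES:" section headers of `pfctl -s all` and scrub rules that begin with "scrub ". It moves the scrub lines ahead of the NAT/RDR lines so the result follows the options, scrub, queues, nat, filter order that `pfctl -nvf` prints, and drops every other section (STATES:, INFO:, and so on) as not part of the rule comparison. The `compare_pf_rulesets` helper and the sample `pfctl -s all` output are constructed for the example; the sample addresses are RFC 5737/1918 placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): reorder `pfctl -s all` output so that
# scrub rules precede the NAT/RDR rules, matching the order `pfctl -nvf` prints,
# so live and saved rulesets can be diffed in one pass.
#
# Assumptions: section headers are the all-caps lines "TRANSLATION RULES:" /
# "FILTER RULES:" quoted in the thread, scrub rules start with "scrub ", and any
# other all-caps header (STATES:, INFO:, ...) begins a section that is dropped.

# stdin: output of `pfctl -s all`; stdout: scrub, then nat/rdr, then filter rules
reorder_pf_live() {
    awk '
        /^TRANSLATION RULES:$/ { section = "nat";    next }
        /^FILTER RULES:$/      { section = "filter"; next }
        /^[A-Z ]+:$/           { section = "other";  next }  # any other header
        /^[ \t]*$/             { next }                      # skip blank lines
        section == "nat"                  { nat[++n]   = $0 }
        section == "filter" && /^scrub /  { scrub[++s] = $0 }
        section == "filter" && !/^scrub / { filt[++f]  = $0 }
        END {
            for (i = 1; i <= s; i++) print scrub[i]
            for (i = 1; i <= n; i++) print nat[i]
            for (i = 1; i <= f; i++) print filt[i]
        }'
}

# Live use (needs root on a pf-enabled FreeBSD host; not exercised here):
# diff the saved ruleset against the reordered live one and return diff's
# status (0 = identical, 1 = differs). Lines that -nvf prints but "-s all"
# reports in other sections (e.g. "set ..." options, table definitions) would
# still appear in the diff; filtering those is left to the reader's ruleset.
compare_pf_rulesets() {
    saved=$(mktemp) && live=$(mktemp) || return 2
    pfctl -nvf "${1:-/etc/pf.conf}" > "$saved"
    pfctl -s all | reorder_pf_live > "$live"
    diff -u "$saved" "$live"
    rc=$?
    rm -f "$saved" "$live"
    return $rc
}

# Constructed sample of `pfctl -s all` output, modelled on the lines quoted in
# the thread (addresses are RFC 5737/1918 placeholders, not real hosts).
sample_live_output() {
    cat <<'EOF'
TRANSLATION RULES:
nat pass on bge1 inet from 10.8.0.0/24 to any -> 192.0.2.1
rdr pass on bge1 inet proto tcp from <goodguys> to 192.0.2.1 port = 10443 -> 10.0.0.10 port 443

FILTER RULES:
scrub in on bge1 all fragment reassemble
scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
pass in quick proto tcp from <goodguys> to any flags S/SA keep state
block return in log quick from <badguys> to any

STATES:
all tcp 192.0.2.1:22 <- 198.51.100.7:51000       ESTABLISHED:ESTABLISHED
EOF
}

# Demo: the sample in canonical order (the two scrub lines now come first,
# the STATES section and blank lines are gone).
reorder_sample() {
    sample_live_output | reorder_pf_live
}

# Run as `sh reorder_pf.sh demo` to print the reordered sample.
if [ "${1:-}" = "demo" ]; then
    reorder_sample
fi
```

On a live host the comparison is `pfctl -s all | reorder_pf_live | diff -u <(pfctl -nvf /etc/pf.conf) -` in a shell with process substitution, or the `compare_pf_rulesets` function above for plain sh; a non-zero exit from diff is the signal that the loaded ruleset has drifted from the file on disk.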
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B316E7B.9020404>