Troubles with anchors

Max Laier max at love2party.net
Tue Mar 6 18:31:29 UTC 2007


On Monday 05 March 2007 19:43, Vladimir Kapustin wrote:
> Hi all!
>
> Making a script for turning on/off Internet for our clients I have
> the following trouble:
>
> Some of our clients may need a real IP address. Sometimes pairs of
> internal/external IP may change. For these needs I put in pf.conf
> the following strings:
>
> #nat on $ext_if from <internet> to any -> 192.168.1.21
> #binat-anchor real_ip

This combined with ...

> In the case of "real_ip" field, the script must make BINAT on the
> IP that we have in that field, but it doesn't do it!
>
> Originally the rules were:
>
> #ifconfig xl0 $ip_ext netmask 255.255.255.0 alias
> #echo "binat on xl0 from $ip_int to any -> $ip_ext" | pfctl -a real_ip:$ip_ext -f -

.. this is wrong.  According to the pf.conf(5) manpage:

 Anchors may end with the asterisk (`*') character, which signifies that
 all anchors attached at that point should be evaluated in the alphabetical
 ordering of their anchor name.  For example,

        anchor "spam/*"

 will evaluate each rule in each anchor attached to the spam anchor.  Note
 that it will only evaluate anchors that are directly attached to the spam
 anchor, and will not descend to evaluate anchors recursively.

So what you want is 'binat-anchor "real_ip/*"' and 'real_ip/$ip_ext'.

> Anchor with the complex name real_ip:$ip_ext is necessary so as,
> in case of turning off the Internet on that IP we were able to
> turn off binat rules only for that particular IP.
>
> But in practice when we add the following rule:
>
> #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip:192.168.1.26 -f -
>
> we have:
>
> #pfctl -sn -a real_ip/192.168.1.26
> #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26
>
> But actually we were masked by 192.168.1.21
>
> But if:
>
> #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip -f -
>
> we have:
>
> #pfctl -sn -a real_ip
> #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26
>
> And now we were masked by 192.168.1.26 - that's what we need!
>
> But we can't do this that way. That's why
>
> We decided to use subanchors:
>
> #echo "anchor 192.168.1.26" | pfctl -a real_ip -f -
> #echo "binat on xl0 from 192.168.0.23 to any -> 192.168.1.26" | pfctl -a real_ip/192.168.1.26 -f -
>
> #pfctl -vsA
>
> real_ip
> real_ip/192.168.1.26
>
> #pfctl -sn -a real_ip/192.168.1.26
> #binat on xl0 inet from 192.168.0.23 to any -> 192.168.1.26
>
> And now we again were masked by 192.168.1.21
>
> How can I solve this problem?
> We have no ability to statically write binat rules in pf.conf.
>
> FreeBSD 6.2-Release

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
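As an added illustration (not code from either poster), the following sh helpers apply the fix above: pf.conf carries `binat-anchor "real_ip/*"`, and each client's binat rule is loaded into its own sub-anchor `real_ip/<external IP>`, which the wildcard makes pf evaluate and which can later be flushed on its own. The interface name and the command variables PFCTL/IFCONFIG are assumptions (set both to `echo` for a dry run).

```sh
#!/bin/sh
# Added example, not from the thread. Assumes pf.conf contains:
#   binat-anchor "real_ip/*"
# EXT_IF, PFCTL and IFCONFIG are assumptions; override them to dry-run.
EXT_IF=${EXT_IF:-xl0}
PFCTL=${PFCTL:-pfctl}
IFCONFIG=${IFCONFIG:-ifconfig}

# Accept only a dotted-quad IPv4 address, so a bad field in the client
# database cannot become a malformed rule or an unexpected anchor name.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Sub-anchor name derived from the external IP: one anchor per client,
# attached directly under real_ip so that "real_ip/*" evaluates it.
anchor_for() { printf 'real_ip/%s\n' "$1"; }

# Enable: alias the external IP, then load the binat rule into the
# client's sub-anchor (pfctl -a ... -f - creates the anchor if needed).
enable_real_ip() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    $IFCONFIG "$EXT_IF" "$2" netmask 255.255.255.0 alias || return 1
    printf 'binat on %s from %s to any -> %s\n' "$EXT_IF" "$1" "$2" |
        $PFCTL -a "$(anchor_for "$2")" -f -
}

# Disable: flush only this client's NAT rules (-F nat scoped by -a to its
# sub-anchor), leaving every other client's binat untouched, then drop the alias.
disable_real_ip() {
    valid_ipv4 "$1" || return 1
    $PFCTL -a "$(anchor_for "$1")" -F nat &&
        $IFCONFIG "$EXT_IF" "$1" -alias
}

# Status: true if a binat rule translating to this external IP is loaded
# in the client's sub-anchor (pfctl -sn -a prints the anchor's NAT rules).
status_real_ip() {
    valid_ipv4 "$1" || return 1
    $PFCTL -sn -a "$(anchor_for "$1")" 2>/dev/null |
        grep -q "^binat on $EXT_IF .* -> $1\$"
}
```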