do not work nested unnamed anchor

Max Laier max at love2party.net
Mon May 12 19:25:05 UTC 2008 

Hello Igor,

it seems this is a general problem and I can't figure out the cause of it, 
ATM.  It seems that it is the same in OpenBSD (and has been for quite 
some time, too).

Daniel, Ryan,

any ideas?

Attached is a transcript from OpenBSD 4.3 inside of qemu trying the 
verbatim pf.conf(5) example.  The nested anchor doesn't seem to match for 
some reason.

While here I also discovered that it is obviously impossible to 
destroy/clean up after nested anchors completely.

On Friday 09 May 2008 14:54:43 Igor A. Valcov wrote:
> For example:
>
> ==== pf.conf ====
>
> ext_if="xl0"
> ip_world="nn.nn.nn.nn"
>
> # Filter rules
> block log all
>
> anchor in on $ext_if {
>        pass quick proto tcp to $ip_world port 22 keep state
>             # SSH
>        pass quick proto tcp to $ip_world port 25 keep state
>             # SMTP
>        pass quick proto tcp to $ip_world port 110 keep state
>             # POP3
>        anchor  {
>            pass quick proto tcp to $ip_world port 995 keep state
>             # POP3S
>        }
> }
>
> ============
>
> nmap results:
>
> PORT    STATE SERVICE VERSION
> 22/tcp  open  ssh     OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
> 25/tcp  open  smtp?
> 110/tcp open  pop3    Openwall popa3d
>
>
> I can not understand what the problem...
>
> FreeBSD-7.0-RELEASE-p1
> i386

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
Script started on Mon May 12 20:44:12 2008
# cat pf.conf
anchor "external" on egress {
	block
	anchor out {
		pass proto tcp from any to port { 25, 80, 443 }
	}
	pass in proto tcp to any port 22
}
# ifconfig ne3
ne3: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 52:54:00:12:34:56
	groups: egress
	media: Ethernet 10baseT full-duplex
	inet6 fe80::5054:ff:fe12:3456%ne3 prefixlen 64 scopeid 0x1
	inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255
# pfctl -vef pf.conf
anchor "external" on egress all {
  block drop all
  anchor out all {
    pass proto tcp from any to any port = smtp flags S/SA keep state
    pass proto tcp from any to any port = www flags S/SA keep state
    pass proto tcp from any to any port = https flags S/SA keep state
  }
  pass in proto tcp from any to any port = ssh flags S/SA keep state
}
pf enabled
# telnet 10.0.2.2 80
Trying 10.0.2.2...
telnet: connect to address 10.0.2.2: No route to host
# pfctl -vvvgsr
@0 anchor "external" on egress all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1	   Packets: 1	      Bytes: 64		 States: 0     ]
# pfctl -vvvgsr -a external
@0 block drop all
  [ Skip steps: i=end f=end p=2 sa=end sp=end da=end dp=2 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1	   Packets: 1	      Bytes: 64		 States: 0     ]
@1 anchor out all {
  [ Skip steps: i=end f=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1	   Packets: 0	      Bytes: 0		 States: 0     ]
@0 pass proto tcp from any to any port = smtp flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0	   Packets: 0	      Bytes: 0		 States: 0     ]
@1 pass proto tcp from any to any port = www flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0	   Packets: 0	      Bytes: 0		 States: 0     ]
@2 pass proto tcp from any to any port = https flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0	   Packets: 0	      Bytes: 0		 States: 0     ]
}
@2 pass in proto tcp from any to any port = ssh flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1	   Packets: 0	      Bytes: 0		 States: 0     ]
# telnet 10.0.2.2 25
Trying 10.0.2.2...
telnet: connect to address 10.0.2.2: No route to host
# pfctl -vvvgsr -a external
@0 block drop all
  [ Skip steps: i=end f=end p=2 sa=end sp=end da=end dp=2 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2	   Packets: 2	      Bytes: 128	 States: 0     ]
@1 anchor out all {
  [ Skip steps: i=end f=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2	   Packets: 0	      Bytes: 0		 States: 0     ]
@0 pass proto tcp from any to any port = smtp flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0	   Packets: 0	      Bytes: 0		 States: 0     ]
@1 pass proto tcp from any to any port = www flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0	   Packets: 0	      Bytes: 0		 States: 0     ]
@2 pass proto tcp from any to any port = https flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 0	   Packets: 0	      Bytes: 0		 States: 0     ]
}
@2 pass in proto tcp from any to any port = ssh flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2	   Packets: 0	      Bytes: 0		 States: 0     ]
# uname -a
OpenBSD foo.laiers.local 4.3 GENERIC#698 i386
# ^D

Script done on Mon May 12 20:45:55 2008

Script started on Mon May 12 21:03:04 2008
# pfctl -vvvsA
# pfctl -vef pf.conf
anchor "external" on egress all {
  block drop all
  anchor out all {
    pass proto tcp from any to any port = smtp flags S/SA keep state
    pass proto tcp from any to any port = www flags S/SA keep state
    pass proto tcp from any to any port = https flags S/SA keep state
  }
  pass in proto tcp from any to any port = ssh flags S/SA keep state
  pass out proto tcp from any to any port = smtp flags S/SA keep state
}
pf enabled
# pfctl -vsA
  external
  external/_2
  external/external
  external/external/_2
# pfctl -Fa
rules cleared
nat cleared
0 tables deleted.
altq cleared
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
# pfctl -vsA
  external
  external/_2
  external/external
  external/external/_2
# pfctl -Fa -a external
rules cleared
nat cleared
0 tables deleted.
# pfctl -vsA
  external
  external/_2
# ^D

Script done on Mon May 12 21:03:51 2008

More information about the freebsd-pf mailing list