Details about tags
Martin Turgeon
turgeon.martin at gmail.com
Thu Oct 19 11:10:39 PDT 2006
Hi,
I was running PF with tags for a while, but I learnt yesterday that half
of my config was useless. In fact, every out rule that was checking the
tags was never triggered because of the keep state on the in rules. I
followed the FAQ on the OpenBSD website
(http://openbsd.org/faq/pf/tagging.html), but I think it's missing a
modification of the state-policy to set it to if-bound so that the out rules
are triggered. But then, what is the point of using tags?
Thanks,
Martin
Here are the interesting sections of my pf.conf
wan_if="fxp0"
lan_if="em0"
wls_if="ath0"
vpn_if="tun0"
ap_if="xl0"
### Scrub ###
scrub on $wan_if all
### NAT ###
nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if)
nat on $wan_if tag WLS_WAN_NAT tagged WLS_WAN -> ($wan_if)
nat on $wan_if tag AP_WAN_NAT tagged AP_WAN -> ($wan_if)
nat on $wan_if tag VPN_WAN_NAT tagged VPN_WAN -> ($wan_if)
nat pass on $wan_if from $wan_if to any -> ($wan_if)
### Default block ###
block log all
### Tag definitions ###
# LAN interface
pass in on $lan_if from $lan_if:network tag LAN_WAN keep state
pass in on $lan_if from $lan_if:network to $wls_if:network \
tag LAN_WLS keep state
pass in on $lan_if from $lan_if:network to $ap_if:network tag LAN_AP keep state
pass in on $lan_if from $lan_if:network to ($vpn_if:network) tag LAN_VPN keep state
# WLS interface
pass in on $wls_if from $wls_if:network tag WLS_WAN keep state
pass in on $wls_if from $wls_if:network to $lan_if:network \
tag WLS_LAN keep state
pass in on $wls_if from $wls_if:network to $ap_if:network tag WLS_AP keep state
pass in on $wls_if from $wls_if:network to ($vpn_if:network) tag WLS_VPN keep state
# VPN interface
pass in on $vpn_if from ($vpn_if:network) tag VPN_WAN keep state
pass in on $vpn_if to $lan_if:network tag VPN_LAN keep state
pass in on $vpn_if from ($vpn_if:network) to $ap_if:network tag VPN_AP keep state
pass in on $vpn_if from ($vpn_if:network) to $wls_if:network tag VPN_WLS keep state
# AP interface
pass in on $ap_if from $ap_if:network tag AP_WAN keep state
pass in on $ap_if from $ap_if:network to $lan_if:network tag AP_LAN keep state
pass in on $ap_if from $ap_if:network to $wls_if:network tag AP_WLS keep state
pass in on $ap_if from $ap_if:network to ($vpn_if:network) tag AP_VPN keep state
### Security policies ###
# IN for WAN
# OUT for WAN
pass out quick on $wan_if tagged LAN_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged WLS_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged VPN_WAN_NAT flags S/SA keep state
pass out quick on $wan_if tagged AP_WAN_NAT flags S/SA keep state
# OUT for LAN
pass out quick on $lan_if tagged WLS_LAN flags S/SA keep state
pass out quick on $lan_if tagged WAN_WIKI flags S/SA keep state
pass out quick on $lan_if tagged WAN_NOTRE_RDP flags S/SA keep state
pass out quick on $lan_if tagged VPN_LAN flags S/SA keep state
pass out quick on $lan_if tagged AP_LAN flags S/SA keep state
pass out quick on $lan_if tagged WAN_BAREBONE flags S/SA keep state
# OUT for WLS
pass out quick on $wls_if tagged LAN_WLS flags S/SA keep state
pass out quick on $wls_if tagged VPN_WLS flags S/SA keep state
pass out quick on $wls_if tagged AP_VPN flags S/SA keep state
# OUT for AP
pass out quick on $ap_if tagged LAN_AP flags S/SA keep state
pass out quick on $ap_if tagged VPN_AP flags S/SA keep state
pass out quick on $ap_if tagged WLS_AP flags S/SA keep state
pass out quick on $ap_if tagged WLS_AP_NAT flags S/SA keep state
#pass out quick on $ap_if tagged WAN_JN flags S/SA keep state
# OUT for VPN
pass out quick on $vpn_if tagged WLS_VPN flags S/SA keep state
pass out quick on $vpn_if tagged LAN_VPN flags S/SA keep state
pass out quick on $vpn_if tagged AP_VPN flags S/SA keep state
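Added example, not part of Martin's message: the state-policy change he proposes, reduced to the LAN-to-WAN path of his ruleset, with the default policy shown commented out beside the if-bound form (both the global `set state-policy` option and the equivalent per-rule `keep state (if-bound)`). Interface names and tags are his; everything else is assumed for illustration.

```pf
wan_if="fxp0"
lan_if="em0"

# Default policy (what the ruleset above relied on): a state may match
# packets on any interface. This is the behaviour Martin describes,
# where the tagged "pass out" rules on $wan_if are never reached.
# set state-policy floating

# Bind every state to the interface it was created on. A state created
# by the "pass in" rule on $lan_if cannot match on $wan_if, so the
# packet leaving on $wan_if is evaluated against the nat and "pass out"
# rules below and the "tagged" check is actually performed.
set state-policy if-bound

nat on $wan_if tag LAN_WAN_NAT tagged LAN_WAN -> ($wan_if)

block log all

# Per-rule form, equivalent to the global option for this rule only
# (redundant here, shown so the two spellings can be compared).
pass in on $lan_if from $lan_if:network tag LAN_WAN keep state (if-bound)

# With if-bound policy this rule must keep its own state on $wan_if:
# return packets are matched here, then against the $lan_if state on
# their way back out to the LAN host.
pass out quick on $wan_if tagged LAN_WAN_NAT flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Because every interface a flow crosses now needs its own state, every `pass` rule on that path has to keep state, and flows whose packets enter and leave on different interfaces than their state was bound to (asymmetric routing) will be dropped.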