How to export / save and compare PF rule sets
Miroslav Lachman
000.fbsd at quip.cz
Wed Dec 23 01:12:32 UTC 2009
Max Laier wrote:
> On Wednesday 23 December 2009 00:50:09 Miroslav Lachman wrote:
>> scrub is before nat/rdr rules in case of "pfctl -s a" and after nat/rdr
>> in case of "pfctl -nvf /etc/pf.conf"
>
> The order should always be options, scrub, queues, nat, filters. pfctl -nvf
> only works with a different order if you have "set require-order no" in your
> ruleset. You should be able to fix this at your end.
I have things in this order in my pf.conf:
macros
tables
options
scrub
nat
rdr
pass/block rules
I don't have "set require-order no" in pf.conf; the only options I have are:
set timeout { interval 10, frag 20 }
set limit { states 10000, frags 5000 }
set optimization aggressive
set block-policy return
set skip on $unfiltered
then:
scrub in on $ext_if
scrub out on $ext_if no-df random-id max-mss 1492
nat pass on $ext_if from $vpn_sectun_net to any -> $ext_addr_0
rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 10443 -> $pdu_addr_0 port 443
rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 11443 -> $pdu_addr_1 port 443
rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 12443 -> $pdu_addr_2 port 443
So do I have to change anything? I think I have it in the right order.
That's why I asked the question here.
The problem is that "pfctl -s a" shows
TRANSLATION RULES:
(some NAT/RDR here)
FILTER RULES:
scrub in on bge1 all fragment reassemble
scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
pass in quick proto tcp from <goodguys> to any flags S/SA keep state
block return in log quick from <badguys> to any
As you can see, scrub is in the FILTER RULES section of the output, but
in pf.conf (required according to manpage) scrub is before TRANSLATION
RULES, and pfctl -nvf prints it in this (right) order.
>> Is there any other way I can export live and saved rules in the same
>> format and the same order, ready for comparison by diff?
>
> you can always extract the parts individually and cat them together if you
> insist on keeping the ruleset unordered.
I was trying to do it in one pass (speed optimization ;])
Miroslav Lachman
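Max's suggestion of extracting the parts individually and concatenating them can be done in a single awk pass over either dump. The script below is an added example, not code from the thread; the sample dump it normalises is constructed to look like the "pfctl -s all" listing in the post (addresses from RFC 5737) and is not real pfctl output.

```shell
#!/bin/sh
# Put a PF rule dump into the order pf.conf requires (scrub, then
# nat/rdr/binat, then filter rules) so "pfctl -nvf /etc/pf.conf" and
# "pfctl -s all" can be diffed. Section headers such as "FILTER RULES:"
# are dropped and only rule lines are kept; relative order inside each
# group is preserved, so a diff still shows reordered filter rules
# (PF evaluation is order-sensitive, so sorting would hide real changes).
normalize_pf_rules() {
    awk '
        /^[A-Z][A-Z ]*:$/ { next }                  # "TRANSLATION RULES:" etc.
        /^[ \t]*$/        { next }                  # blank lines
        /^scrub /         { scrub[++ns] = $0; next }
        /^(nat|rdr|binat)(-anchor)? / { xlat[++nx] = $0; next }
        /^(pass|block|match|antispoof|anchor) / { filt[++nf] = $0; next }
        END {
            for (i = 1; i <= ns; i++) print scrub[i]
            for (i = 1; i <= nx; i++) print xlat[i]
            for (i = 1; i <= nf; i++) print filt[i]
        }
    '
}

sample_live_dump() {
    # Constructed stand-in for "pfctl -s all" output, shaped like the
    # listing in the post: scrub rules show up under FILTER RULES.
    cat <<'EOF'
TRANSLATION RULES:
nat pass on bge1 inet from 10.9.0.0/24 to any -> 192.0.2.10
rdr pass on bge1 inet proto tcp from <goodguys> to 192.0.2.10 port = 10443 -> 192.0.2.20 port 443
FILTER RULES:
scrub in on bge1 all fragment reassemble
scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
pass in quick proto tcp from <goodguys> to any flags S/SA keep state
block return in log quick from <badguys> to any
EOF
}

# On the firewall itself (pfctl is not run here):
#   pfctl -nvf /etc/pf.conf | normalize_pf_rules > /tmp/pf.saved
#   pfctl -s all            | normalize_pf_rules > /tmp/pf.live
#   diff -u /tmp/pf.saved /tmp/pf.live
sample_live_dump | normalize_pf_rules
```

Options (set ...) and tables are deliberately not compared, since "pfctl -s all" prints them in a different format than "pfctl -nvf" does.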