How to export / save and compare PF rule sets

Miroslav Lachman 000.fbsd at quip.cz
Fri Jan 8 12:21:16 UTC 2010


Hi Max,
can you take a look at my problem again?
I don't want to make you angry, I am just trying to understand things 
better and to find out whether the problem is on my side or whether it is 
some inconsistency in the pfctl output.

Thanks in advance for your help.

Miroslav Lachman


Miroslav Lachman wrote:
> Max Laier wrote:
>> On Wednesday 23 December 2009 00:50:09 Miroslav Lachman wrote:
>>> scrub is before nat/rdr rules in case of "pfctl -s a" and after nat/rdr
>>> in case of "pfctl -nvf /etc/pf.conf"
>>
>> The order should always be options, scrub, queues, nat, filters. pfctl -nvf
>> only works with a different order if you have "set require-order no" in your
>> ruleset. You should be able to fix this at your end.
>
> I have things in this order in my pf.conf:
> macros
> tables
> options
> scrub
> nat
> rdr
> pass/block rules
>
> I don't have "set require-order no" in pf.conf, the only options I have
> are:
> set timeout { interval 10, frag 20 }
> set limit { states 10000, frags 5000 }
> set optimization aggressive
> set block-policy return
> set skip on $unfiltered
>
> then:
> scrub in on $ext_if
> scrub out on $ext_if no-df random-id max-mss 1492
>
> nat pass on $ext_if from $vpn_sectun_net to any -> $ext_addr_0
> rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 10443 -> $pdu_addr_0 port 443
> rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 11443 -> $pdu_addr_1 port 443
> rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 12443 -> $pdu_addr_2 port 443
>
> So do I have to change anything? I think I have it in the right order.
> That's why I asked the question here.
>
> The problem is that "pfctl -s a" shows
> TRANSLATION RULES:
> (some NAT/RDR here)
>
> FILTER RULES:
> scrub in on bge1 all fragment reassemble
> scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
> pass in quick proto tcp from <goodguys> to any flags S/SA keep state
> block return in log quick from <badguys> to any
>
> As you can see, scrub is in the FILTER RULES section of the output, but
> in pf.conf (as required by the manpage) scrub is before the TRANSLATION
> RULES, and pfctl -nvf prints it in this (right) order.
>
>>> Is there any other way I can export the live and the saved rules in the same
>>> format and the same order, ready for comparison by diff?
>>
>> you can always extract the parts individually and cat them together if you
>> insist on keeping the ruleset unordered.
>
> I was trying to do it in one pass (speed optimization ;])
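One way to get the two dumps into the same section order in a single pass, as an added example that is not code from this thread or from pfctl: the script below sorts rule lines into the order pfctl expects (options, scrub, queues, translation, filter) and then diffs the live ruleset against the parsed file. The sample input is constructed to mimic the "pfctl -s a" excerpt above; the addresses in it are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): reorder a pfctl rule dump into the
# section order pfctl itself expects so that "pfctl -s all" output and
# "pfctl -nvf /etc/pf.conf" output can be compared with diff.
# Only rule lines are kept, matched on their leading keyword as pfctl prints
# them (one rule per line); section headers, per-rule counters, states,
# tables and other "pfctl -s all" chatter are dropped.

pf_normalize() {
    awk '
    /^set /                                  { opt[++no] = $0; next }
    /^scrub /                                { scr[++ns] = $0; next }
    /^(altq|queue) /                         { que[++nq] = $0; next }
    /^(no )?(nat|rdr|binat) /                { xlt[++nx] = $0; next }
    /^(pass|block|match|antispoof|anchor) /  { flt[++nf] = $0; next }
    # anything else (TRANSLATION RULES:, FILTER RULES:, [ Evaluations ... ]) is noise
    END {
        for (i = 1; i <= no; i++) print opt[i]
        for (i = 1; i <= ns; i++) print scr[i]
        for (i = 1; i <= nq; i++) print que[i]
        for (i = 1; i <= nx; i++) print xlt[i]
        for (i = 1; i <= nf; i++) print flt[i]
    }'
}

# Diff the loaded ruleset against a saved pf.conf (needs root and pfctl);
# both dumps go through pf_normalize first. Exit status is diff's.
pf_compare() {
    conf=${1:-/etc/pf.conf}
    live=$(mktemp) || return 1
    saved=$(mktemp) || { rm -f "$live"; return 1; }
    pfctl -s all | pf_normalize > "$live"
    pfctl -nvf "$conf" | pf_normalize > "$saved"
    diff -u "$live" "$saved"
    rc=$?
    rm -f "$live" "$saved"
    return $rc
}

# Constructed sample modelled on the "pfctl -s a" excerpt from the thread;
# addresses are placeholders, not values from the original posting.
pf_demo() {
    printf '%s\n' 'TRANSLATION RULES:' \
        'nat pass on bge1 inet from 10.8.0.0/24 to any -> 192.0.2.1' \
        'rdr pass on bge1 inet proto tcp from <goodguys> to 192.0.2.1 port = 10443 -> 10.0.0.10 port 443' \
        '' 'FILTER RULES:' \
        'scrub in on bge1 all fragment reassemble' \
        'scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble' \
        'pass in quick proto tcp from <goodguys> to any flags S/SA keep state' \
        'block return in log quick from <badguys> to any' | pf_normalize
}
```

pf_demo prints the six rules with both scrub lines first, then nat/rdr, then the filter rules; pf_compare does the same for a real system and exits non-zero when the two rulesets differ.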
