skipto keyword in pf

Ian FREISLICH ianf at clue.co.za
Tue May 7 14:01:13 UTC 2013


Nomad Esst wrote:
> >Well, tags could help here. With a concrete example of what you want, it
> >would be easier to suggest a solution.
> 
> >Regards.
> 
> Aren't anchors useful as David DeSimone said?

Yes they are.  I used to do the following in ipfw:

10 skipto 1200 ip from any to any in recv vlan2
20 skipto 1200 ip from any to any out xmit vlan2
30 skipto 1300 ip from any to any in recv vlan3
40 skipto 1300 ip from any to any out xmit vlan3
50 skipto 1400 ip from any to any in recv vlan4
60 skipto 1400 ip from any to any out xmit vlan4
...
100 deny log  ip   from any to any
...
1200 vlan2 rules
...
1299 deny log  ip   from any to any
1300 vlan3 rules
...
1399 deny log  ip   from any to any
1400 vlan4 rules
...
1499 deny log  ip   from any to any


In pf I do the following:

anchor vlan2 quick on vlan2
load anchor vlan2 from "/var/db/firewall/vlan2"
anchor vlan3 quick on vlan3
load anchor vlan3 from "/var/db/firewall/vlan3"
anchor vlan4 quick on vlan4
load anchor vlan4 from "/var/db/firewall/vlan4"

and I put the rules for each vlan in their own file. As an example:
-----
tcpports = "{ http, https }"
udpports = "{ snmp }"

# Proxy Network
block return out log all
pass  out proto tcp from any to any port $tcpports
pass  out proto tcp from <ournets> to any port ssh
pass  out proto udp from any to any port $udpports
pass  out proto udp from <ournets> port 123 to any
pass  out proto vrrp from any to any
pass  out proto icmp from any to any
pass  out proto tcp from <ournets> to any port { 3128, 8080, 10050 }

pass   in all
pass   in proto tcp from any to any port { 80 } queue vlan25_out
-----

Rules are evaluated when there is no matching state.  Rules are
evaluated in order.  The *last* rule to match is used.

> Another question, is it possible to negate a rule or feature in a
> rule? I mean pass all traffic which DO NOT match the rule ? e.g. using
> "!" sign.

You can.  As an example, a transparent proxy interception rule:

rdr on vlan5 inet proto tcp from !<no-proxy-src> to !<no-proxy-dst> port 80 -> <proxy> port 3128

I highly suggest you read the pf.conf manual page.  It has a lot
of good instructions and useful information, particularly the rule
grammar at the end of the page.

Ian

-- 
Ian Freislich
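Putting the two halves of the reply together, as an added example that is not from Ian's post or the freebsd-pf list: a main ruleset that uses quick anchors where ipfw used skipto, and one per-VLAN anchor file, with "!" negation in both an rdr rule and a filter rule. Interface names, addresses and table contents are constructed assumptions.

```pf
# --- /etc/pf.conf (main ruleset), constructed example ---
# Interfaces vlan2/vlan3/vlan5 and all table contents below are assumed.
table <ournets>      { 192.0.2.0/24, 198.51.100.0/24 }
table <proxy>        { 192.0.2.10 }
table <no-proxy-src> { 192.0.2.10 }      # the proxy itself must not be redirected
table <no-proxy-dst> { 192.0.2.0/24 }    # local web servers are reached directly

set skip on lo0

# Translation rules come before filter rules. "!" negates a table match:
# only clients outside <no-proxy-src> talking to hosts outside
# <no-proxy-dst> are sent to the transparent proxy.
rdr on vlan5 inet proto tcp from !<no-proxy-src> to !<no-proxy-dst> port 80 -> <proxy> port 3128

# Default deny, placed first: with last-match semantics it only wins when
# nothing later matches, the counterpart of ipfw's "deny log" at the end
# of each skipto block.
block log all

# One anchor per VLAN, the equivalent of "skipto NNNN ... recv/xmit vlanN".
# "quick" makes a match inside the anchor terminate evaluation, so the
# per-VLAN file fully decides that interface's traffic.
anchor vlan2 quick on vlan2
load anchor vlan2 from "/var/db/firewall/vlan2"
anchor vlan3 quick on vlan3
load anchor vlan3 from "/var/db/firewall/vlan3"

# --- /var/db/firewall/vlan2 (loaded into anchor "vlan2") ---
tcpports = "{ http, https }"

# Per-VLAN default: refuse outbound unless a later (last-matching) pass
# rule overrides it.
block return out log all
pass  out proto tcp  from any       to any port $tcpports
pass  out proto tcp  from <ournets> to any port ssh
# Negation in a filter rule: proxy ports only toward hosts that are
# NOT in our own networks.
pass  out proto tcp  from <ournets> to !<ournets> port { 3128, 8080 }
pass  out proto icmp from any to any
pass  in all
```

`pfctl -nf /etc/pf.conf` parses the whole set without loading it, and `pfctl -a vlan2 -f /var/db/firewall/vlan2` reloads one VLAN's anchor without touching the other rules, which is the practical advantage over renumbering ipfw skipto blocks.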
