Anchor evaluation

Manoj Ganesan manoj.ganesan at gmail.com
Fri May 17 21:40:06 UTC 2013


On Fri, May 17, 2013 at 2:56 PM, David DeSimone <fox at verio.net> wrote:

> Manoj Ganesan <manoj.ganesan at gmail.com> wrote:
> >
> > I'm probably doing something very silly here, which I can't figure out.
> > I'm trying to get an anchor to be evaluated, but I can't seem to get
> > traffic to go through.
> >
> > My /etc/pf.conf looks like:
> >
> > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 ->
> > 10.0.211.62 port 4321
> > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 ->
> > 10.0.111.71 port 1234
> > pass out all
> >
> > I want to replace these by an anchor like so (my /etc/pf.conf looks
> > like):
> >
> > anchor my_anchor
> > load anchor gamenode from "/usr/home/my_user/my_anchor"
>
> You're telling PF to evaluate an anchor "my_anchor" but you named the
> anchor "gamenode", so there are no rules to be evaluated in that case.
>
>
> > where the /usr/home/my_user/my_anchor looks like:
> >
> > rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 ->
> > 10.0.211.62 port 4321
> > nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 ->
> > 10.0.111.71 port 1234
> > pass out all
> >
> > But while the anchor-less case lets packets through, the anchor case
> > doesn't. Am I doing something wrong here?
>
> The "anchor" directive tells PF to only evaluate filter rules from the
> anchor.  I would assume you also need "nat-anchor" and "rdr-anchor"
> directives to force all of the anchor rules to be evaluated:
>
>     nat-anchor my_anchor
>     rdr-anchor my_anchor
>         anchor my_anchor
>
>     load anchor my_anchor from "/usr/home/my_user/my_anchor"
>
I didn't realize I had to have separate lines for nat and rdr. Thank you
very much! :)

>  --
> David DeSimone == Network Admin == fox at verio.net
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
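Added example for this thread, not code from either poster: a small POSIX sh lint that catches both mistakes in the original ruleset before pfctl is involved, an anchor that is referenced but loaded under a different name ("anchor my_anchor" versus "load anchor gamenode"), and an anchor file that carries nat/rdr rules while the main ruleset only has a plain "anchor" directive. It assumes FreeBSD pf syntax (nat/rdr translation rules and the nat-anchor/rdr-anchor/binat-anchor/anchor directives); the file names, temp paths and sample rules are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster. It assumes
# FreeBSD pf syntax (nat/rdr translation rules, nat-anchor/rdr-anchor/anchor
# directives). File names, paths and the sample rules are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed anchor file: the rules the poster wanted evaluated via the anchor.
cat > "$WORK/my_anchor" <<'EOF'
rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
pass out all
EOF

# Constructed broken main ruleset: evaluates "my_anchor" but loads "gamenode",
# and has no nat-anchor/rdr-anchor, so the translation rules are never seen.
cat > "$WORK/pf_broken.conf" <<EOF
anchor my_anchor
load anchor gamenode from "$WORK/my_anchor"
EOF

# Constructed fixed ruleset. pfctl enforces section order, so the translation
# directives (nat-anchor, rdr-anchor) must come before the filter directive.
cat > "$WORK/pf_fixed.conf" <<EOF
nat-anchor my_anchor
rdr-anchor my_anchor
anchor my_anchor
load anchor my_anchor from "$WORK/my_anchor"
EOF

# anchor_lint MAIN: static check of anchor wiring in a pf ruleset file.
# Prints one line per problem found and returns 1 if there were any.
anchor_lint() {
    main=$1 rc=0
    loads="$WORK/loads.$$"
    # NAME<TAB>PATH for every line of the form: load anchor NAME from "PATH"
    awk '$1=="load" && $2=="anchor" {gsub(/"/, "", $5); print $3 "\t" $5}' "$main" > "$loads"

    # 1. Every anchor referenced by anchor/nat-anchor/rdr-anchor/binat-anchor
    #    must be loaded somewhere, or pf evaluates an empty rule set there.
    for name in $(awk '$1 ~ /^(nat-|rdr-|binat-)?anchor$/ {gsub(/"/, "", $2); print $2}' "$main" | sort -u); do
        if ! awk -F'\t' -v n="$name" '$1==n {f=1} END {exit !f}' "$loads"; then
            echo "$name: referenced but never loaded"; rc=1
        fi
    done

    # 2. For every loaded anchor, each rule type present in its file needs the
    #    matching directive in MAIN: "anchor" alone pulls in only filter rules,
    #    nat/rdr/binat rules need nat-anchor/rdr-anchor/binat-anchor.
    while IFS="$(printf '\t')" read -r name path; do
        for kind in nat rdr binat; do
            if grep -Eq "^[[:space:]]*$kind[[:space:]]" "$path" &&
               ! grep -Eq "^[[:space:]]*$kind-anchor[[:space:]]+\"?$name\"?([[:space:]]|\$)" "$main"; then
                echo "$name: file has $kind rules but MAIN has no $kind-anchor $name"; rc=1
            fi
        done
        if grep -Eq '^[[:space:]]*(pass|block|match)[[:space:]]' "$path" &&
           ! grep -Eq "^[[:space:]]*anchor[[:space:]]+\"?$name\"?([[:space:]]|\$)" "$main"; then
            echo "$name: file has filter rules but MAIN has no anchor $name"; rc=1
        fi
    done < "$loads"
    rm -f "$loads"
    return $rc
}

echo "== broken =="
anchor_lint "$WORK/pf_broken.conf" || echo "(lint failed, as expected)"
echo "== fixed =="
anchor_lint "$WORK/pf_fixed.conf" && echo "(lint passed)"
```

The lint is only a pre-check on the text of the files. On the FreeBSD box the authoritative checks are "pfctl -nf /etc/pf.conf" to parse the ruleset without loading it, and after loading, "pfctl -a my_anchor -s nat" and "pfctl -a my_anchor -s rules" to confirm that the anchor actually holds the translation and filter rules you expect; an anchor that was referenced under one name and loaded under another shows up as empty there.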

