pf, rdr, & anchors - broken or PEBKAC
Derek (freebsd lists)
482254ac at razorfever.net
Tue Sep 8 17:46:56 UTC 2015
Hi!
I'm trying to configure a basic layer-3 load balancer
(10.2-RELEASE). I initially started down this path with relayd
from ports, as it seems to do what I need, very succinctly.
What I've stumbled upon - I hope - is me not knowing how to cause
rdr statements in anchors to be evaluated, although it appears
that this functionality is currently broken.
Take this contrived, most-trivial example (where 192.168.0.1 is
external, and 10.2.2.251 is internal):
/etc/pf.conf:
rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251
sudo pfctl -Fa -f /etc/pf.conf
*everything works as expected*
Now, this time using anchors:
sudo mv /etc/pf.conf /etc/pf.conf-anchor
/etc/pf.conf:
anchor testing
load anchor testing from "/etc/pf.conf-anchor"
sudo pfctl -Fa -f /etc/pf.conf
gives TCP RSTs when connecting to port 80. Additionally
sudo pfctl -a testing -vvs nat:
@0 rdr inet proto tcp from any to 192.168.0.1 port = http -> 10.2.2.251
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 56764 State Creations: 0     ]
So identical rulesets, one loaded as an anchor: never evaluated,
the other loaded into the main ruleset directly: works fine.
Is this broken, or am I missing something?
Thanks!
Derek
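The behaviour shown above is how FreeBSD's pf is designed rather than a bug: a bare anchor statement in the main ruleset attaches only the anchor's filter rules, while translation rules (nat, rdr, binat) inside an anchor are evaluated only when the anchor is attached with nat-anchor, rdr-anchor or binat-anchor (see pf.conf(5) on FreeBSD 10.x). That is consistent with the rule being visible under -s nat yet showing 0 evaluations. The ruleset below is an added example, not the poster's files or a reply from the thread; it keeps the poster's addresses and anchor name and assumes the same default-pass filter policy (no pass/block rules), since that is what worked in the non-anchored case.

```pf
# /etc/pf.conf -- main ruleset (added example, not from the original post)
#
# Order matters: pfctl requires translation rules before filter rules in
# the main ruleset, so the rdr-anchor line goes first. A plain "anchor"
# line attaches only the anchor's filter rules, which is why the rdr in
# the post was loaded but never evaluated.

# Translation section: evaluate the rdr rules held in anchor "testing".
rdr-anchor "testing"

# Filter section: evaluate any pass/block rules in anchor "testing".
# With no filter rules anywhere pf passes everything, matching the
# poster's working non-anchored setup; keep this line so filter rules
# added to the anchor file later are picked up too.
anchor "testing"

# Populate anchor "testing" from the external file at load time.
# /etc/pf.conf-anchor is unchanged from the post and contains only:
#   rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251
load anchor "testing" from "/etc/pf.conf-anchor"

# Check after "pfctl -Fa -f /etc/pf.conf" (expected, not captured output):
#   pfctl -s nat                 # shows: rdr-anchor "testing" all
#   pfctl -s Anchors             # lists: testing
#   pfctl -a testing -vvs nat    # Evaluations/States count up as clients
#                                # connect to 192.168.0.1:80
```

Note that macros defined in the main pf.conf are not visible in a file pulled in with load anchor, since that file is parsed separately; any macros the anchored rules need must be defined in the anchor file itself. The same rule applies to relayd on FreeBSD, which installs its translation and filter rules into anchors named relayd/...; its pf.conf hook is therefore both rdr-anchor "relayd/*" and anchor "relayd/*", not anchor "relayd/*" alone.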
More information about the freebsd-pf mailing list