Hi Max,
can you take a look at my problem again?
I don't want to make you angry, I am just trying to better understand
things and find out whether the problem is on my side or some inconsistency of
the pfctl output.
Thanks in advance for your help.
Miroslav Lachman
Miroslav Lachman wrote:
Max Laier wrote:
On Wednesday 23 December 2009 00:50:09 Miroslav Lachman wrote:
scrub is before nat/rdr rules in case of "pfctl -s a" and after nat/rdr
in case of "pfctl -nvf /etc/pf.conf"
The order should always be options, scrub, queues, nat, filters. pfctl -nvf
only works with a different order if you have "set require-order no" in your
ruleset. You should be able to fix this at your end.
I have things in this order in my pf.conf:
macros
tables
options
scrub
nat
rdr
pass/block rules
I don't have "set require-order no" in pf.conf, the only options I have
are:
set timeout { interval 10, frag 20 }
set limit { states 10000, frags 5000 }
set optimization aggressive
set block-policy return
set skip on $unfiltered
then:
scrub in on $ext_if
scrub out on $ext_if no-df random-id max-mss 1492
nat pass on $ext_if from $vpn_sectun_net to any -> $ext_addr_0
rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 10443 -> $pdu_addr_0 port 443
rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 11443 -> $pdu_addr_1 port 443
rdr pass on $ext_if inet proto tcp from <goodguys> to $ext_addr_0 port 12443 -> $pdu_addr_2 port 443
So do I have to change anything? I think I have it in the right order.
That's why I asked the question here.
The problem is that "pfctl -s a" shows
TRANSLATION RULES:
(some NAT/RDR here)
FILTER RULES:
scrub in on bge1 all fragment reassemble
scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
pass in quick proto tcp from <goodguys> to any flags S/SA keep state
block return in log quick from <badguys> to any
As you can see, scrub is in the FILTER RULES section of the output, but
in pf.conf (as required by the manpage) scrub is before TRANSLATION
RULES, and pfctl -nvf prints it in this (right) order.
Is there any other way I can export live and saved rules in the same
format and the same order, ready for comparison by diff?
you can always extract the parts individually and cat them together if you
insist on keeping the ruleset unordered.
I was trying to do it in one pass (speed optimization ;])
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
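The "extract the parts and cat them together" approach from the thread, as an added example that is not code from either poster: a small sh/awk filter that takes a pfctl rule dump on stdin and re-emits only the rule lines in pf.conf order (scrub, then nat/rdr, then filter rules), dropping the section headers. Feeding both the live dump and the `pfctl -nvf` output through the same filter gives two files with the same format and order for `diff`. The sample input is constructed from the output quoted in the thread; the interface name and addresses in it are made up, and the assumption that rule lines start with their keyword (`scrub`, `nat`, `rdr`, `pass`, `block`, ...) holds for the pfctl output shown above.

```shell
#!/bin/sh
# Normalise a pfctl rule dump so scrub rules come before translation rules
# and both come before filter rules, i.e. the pf.conf / "pfctl -nvf" order.
# Added example, not from the thread. Section headers such as
# "TRANSLATION RULES:" are dropped; only rule lines are kept, sorted by kind.
reorder_pf_dump() {
    awk '
        /^[A-Z][A-Z ]*:$/                       { next }                 # section header
        /^scrub /                               { scrub[++ns] = $0; next }
        /^(nat|rdr|binat|no nat|no rdr) /       { nat[++nn] = $0; next }
        /^(pass|block|match|antispoof|anchor) / { flt[++nf] = $0; next }
        # anything else (set options, table/state/info lines) is not a rule: skip it
        END {
            for (i = 1; i <= ns; i++) print scrub[i]
            for (i = 1; i <= nn; i++) print nat[i]
            for (i = 1; i <= nf; i++) print flt[i]
        }'
}

# Constructed sample modelled on the "pfctl -s a" output quoted in the thread
# (interface and addresses are placeholders, not from the original mail).
SAMPLE='TRANSLATION RULES:
nat pass on bge1 inet from 10.0.0.0/24 to any -> 192.0.2.1
rdr pass on bge1 inet proto tcp from <goodguys> to 192.0.2.1 port 10443 -> 10.0.0.10 port 443
FILTER RULES:
scrub in on bge1 all fragment reassemble
scrub out on bge1 all no-df random-id max-mss 1492 fragment reassemble
pass in quick proto tcp from <goodguys> to any flags S/SA keep state
block return in log quick from <badguys> to any'

# Demonstration: scrub lines now come first, then nat/rdr, then pass/block.
printf '%s\n' "$SAMPLE" | reorder_pf_dump

# Intended use on a pf host (commands not run here):
#   pfctl -s rules  | reorder_pf_dump >  /tmp/live.txt
#   pfctl -s nat    | reorder_pf_dump >> /tmp/live.txt
#   reorder_pf_dump < /tmp/live.txt   >  /tmp/live.sorted
#   pfctl -nvf /etc/pf.conf | reorder_pf_dump > /tmp/saved.sorted
#   diff -u /tmp/saved.sorted /tmp/live.sorted
```

The filter is applied to both sides, so the comparison no longer depends on where pfctl chooses to print scrub. It compares rule lines only: `set` options, table definitions and counters are left out, so a change to those would need a separate check (for example `pfctl -s info` or `pfctl -t <table> -T show`). Because `pfctl -nvf` prints rules with macros expanded, its lines line up with the live dump; any remaining diff is a real difference in the rules.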