On Tue, 02 Sep 2014 16:37:38 -0300, Giancarlo Razzolini
<[email protected]> wrote:
> On 02-09-2014 16:32, andy wrote:
>> Yes I wouldn't expect to be able to apply more than one tag, I'm asking
>> about checking for multiple matching tags?
>>
>> I.e. pass out if the packet is 'tagged' with XXX or YYY or ZZZ.
> But that's the point. If you assign a packet with multiple tags, only
> the last one (or the one with the quick keyword), is the one the packet
> will have. You can, however, use multiple match rules and control your
> packet flow with multiple tags, directing the packets as they switch
> their tags. But you can't compare for multiple tags at once. One thing
> that I do before writing my pf rules is to draw the flows on paper.
> That way I can plan in advance. You have another option, which I also
> use, that is to use a pflow(4) interface in combination with nfsen and
> make your OpenBSD machine act as a simple router and monitor your
> packets for a week or so. That way you can effectively know how your
> network behaves and can program your rules accordingly.
>
> Cheers,
Hi, thanks for the ideas, but maybe I'm not being very clear.
I only want or expect the packet to have one tag at a time. But I would
like to write a rule that passes packets if they have any one of the
following tags;
For example;
pass out quick on $if_ext from { $lan, $dmz } to any
expands in the compiled rule set to;
pass out quick on $if_ext from $lan to any
pass out quick on $if_ext from $dmz to any
So why does;
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
NOT expand out to;
pass out quick on $if_ext tagged T_LAN keep state
pass out quick on $if_ext tagged T_DMZ keep state
This way you could do the following;
match out on $if_ext from $dmz to any nat-to $dmz_natted_ip
match out on $if_ext from $lan to any nat-to $lan_natted_ip
pass in quick on $if_dmz from { $dmz } to any tag T_DMZ keep state
pass in quick on $if_lan from { $lan } to any tag T_LAN keep state
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
This is easier and has more control and is less error prone than having to
do things like the following just to cope with NATing;
match out on $if_ext from $dmz to any nat-to $dmz_natted_ip
match out on $if_ext from $lan to any nat-to $lan_natted_ip
pass in quick on $if_dmz from { $dmz } to any
pass in quick on $if_lan from { $lan } to any
pass out quick on $if_ext from { $dmz_natted_ip, $lan_natted_ip } to any
I.e. I have to think about the NATing in the pass rules.
Thanks for your replies and time.
Cheers, Andy.
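As an added example, not code from the thread or from pf itself: a small Python preprocessor that performs the `tagged { ... }` expansion Andy describes (mirroring the `{ ... }` list expansion pfctl already does for `from`/`to`) so the generated ruleset can be fed to pfctl, plus a check for tags that are tested with `tagged` but never assigned with `tag`. The ruleset is the thread's own; macros such as `$if_ext` are left for pfctl to resolve, and the list-splitting rules are an assumption (commas or whitespace, as in pf.conf).

```python
import re
from itertools import product

# Constructed sample, copied from the thread's second ruleset. pfctl expands
# the from/to lists itself; the `tagged { ... }` list is what pf rejects, so
# this preprocessor expands all three forms the same way before loading.
RULESET = """\
match out on $if_ext from $dmz to any nat-to $dmz_natted_ip
match out on $if_ext from $lan to any nat-to $lan_natted_ip
pass in quick on $if_dmz from { $dmz } to any tag T_DMZ keep state
pass in quick on $if_lan from { $lan } to any tag T_LAN keep state
pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
"""

# One `{ ... }` list; items are separated by commas and/or whitespace.
LIST_RE = re.compile(r"\{\s*([^}]*)\}")


def expand_rule(rule: str) -> list[str]:
    """Expand every brace list in one rule into the cross product of
    single-valued rules, keeping the original left-to-right order so
    rule precedence (and `quick`) is unchanged."""
    lists = LIST_RE.findall(rule)
    if not lists:
        return [rule]
    choices = [[v for v in re.split(r"[,\s]+", lst.strip()) if v] for lst in lists]
    expanded = []
    for combo in product(*choices):
        it = iter(combo)  # re.sub calls the callback once per match, in order
        expanded.append(LIST_RE.sub(lambda m: next(it), rule))
    return expanded


def expand_ruleset(text: str) -> list[str]:
    """Expand a whole ruleset, skipping blank lines and comments."""
    return [r for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            for r in expand_rule(line)]


def dangling_tags(rules: list[str]) -> set[str]:
    """Tags tested with `tagged` that no rule ever assigns with `tag`;
    a non-empty result means a pass rule can never match."""
    assigned = {m for r in rules for m in re.findall(r"\btag\s+(\S+)", r)}
    tested = {m for r in rules for m in re.findall(r"\btagged\s+(\S+)", r)}
    return tested - assigned


if __name__ == "__main__":
    rules = expand_ruleset(RULESET)
    print("\n".join(rules))
    print("dangling tags:", dangling_tags(rules) or "none")
```

Pipe the output to `pfctl -nf -` to have pfctl parse the expanded rules without loading them.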