The anchors are in the running rule set, per the man and faq examples, right in the nat/rdr top-of-the-rule-set section, just not shown in the (snip) included in the post. If they weren't there the "user proxy" version of snip wouldn't be working.
Thanks for the link, it *may* be relevant; however, the fact that [pass quick] "user proxy" works and [pass quick] "tagged <tag>" does not -- in an otherwise IDENTICAL rule set -- suggests that order (placement with regard to anchors) is NOT a factor (in my case). If the anchor's "quick" was in play, then -I would think that- the "user proxy" version rule would never be a positive factor AND the [pass quick] "tagged <tag>" version would NOT be failing on the final BLOCK ALL rule. The anchor-quick would have already happened.

Additionally, the "pfctl -vvvs rules" counters are ZERO for the "tagged <tag>" version and otherwise correct and incrementing for the "user proxy" version.

-----Original Message-----
From: Camiel Dobbelaar <[EMAIL PROTECTED]>
To: S. Scott Sima, CISA, CISM <[EMAIL PROTECTED]>
Cc: misc@openbsd.org
Subject: Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working
Date: Tue, 11 Dec 2007 07:31:01 +0100
Mailer: Thunderbird 2.0.0.9 (Windows/20071031)

I don't see the anchors, you need those with tagging too.

Other than that, it may still not work as expected, see:
http://marc.info/?l=openbsd-misc&m=119729395125104&w=2