(sorry, orig post errantly had no subject)

Trying to redact (simplify) pf rdr statements by moving the repeating (common) criteria to the top.

The rules load error-free. The pfctl -vvsnat shows the rdr-anchor in place; however, tcpdump shows the block rules being hit AS IF THE TAG/TAGGED IS NOT BEING "SEEN." Anyone, any ideas? Thanks...

/etc/pf.anchor.rdr1
# ----- anchor
log on outside inet proto tcp \
    from !<droplist> to (outside:0) {
    rdr port 25 tag T1 -> 192.168.2.225
    rdr port 5060 tag T1 -> 192.168.2.200
    rdr port 443 tag T2 -> 192.168.2.250
}
# ---

/etc/pf.conf
rdr-anchor "/etc/pf.anchor.rdr1"
...
block all
...
pass log quick ...tagged T1 ...
pass log quick ...tagged T2 ...
...