* Bryan S. Leaman <[email protected]> [2009-11-13 01:12]:
> I'm converting a pf ruleset to work with the new nat/rdr changes in 4.6
> -current and I came across an issue that seems like a problem in the way
> "tagged" rules are handled. It's breaking ftp-proxy with tagging when I
> try to apply additional rules to the tagged packets. The result is that I
> can log in to an FTP server but the inbound data connection seems to get
> lost--I don't get a passed or blocked packet in the pf log and the data
> connection fails to establish.
>
> If I remove my "tagged <TAGNAME>" rules, then everything works fine but
> then I can't use the tags to do further processing of these packets.
> Here are the anchor rules generated by ftp-proxy:
>
> # pfctl -sA -v
> ftp-proxy
> ftp-proxy/16553.9
> # pfctl -v -a ftp-proxy/16553.9 -sr
> pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port = 54237 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21 port 47008
>   [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 71 pid 16553 State Creations: 0     ]
> pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port = 47008 flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
>   [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
>   [ Inserted: uid 71 pid 16553 State Creations: 0     ]
hrm. ftp-proxy would need to use match instead of pass in that case.

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
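To make the pass-versus-match point concrete, here is an added pf.conf illustration; it is not from the thread and not ftp-proxy's own rule generation. The addresses and ports are the ones in Bryan's pfctl output; the interface macros and the two "tagged FTPPROXY" rules are assumptions standing in for the user's extra rules. ftp-proxy really loads its rules into its own sub-anchor; they are written out here at the anchor's position, which is where pf evaluates them. The semantic relied on is the documented 4.6 one: translation on a pass rule takes effect only if that pass rule is the last rule to match, whereas a match rule applies its options every time it matches.

```pf
# Added illustration, not from the thread or from ftp-proxy's source.
# Addresses/ports are from Bryan's pfctl output; $ext_if, $int_if and the
# "tagged FTPPROXY" policy rules are assumed for the example.
ext_if = "em0"    # 192.168.99.0/24 side, where the FTP server connects in
int_if = "em1"    # 10.0.1.0/24 side, where the client lives

# ---- Ruleset A: what the 4.6 ftp-proxy loads, followed by the user's
# "tagged" rules. The proxy's pass rule carries rdr-to, but translation on
# a pass rule only takes effect when that pass rule is the last match. The
# "tagged FTPPROXY" pass rule below also matches the data connection, is
# evaluated later, and carries no rdr-to, so the packet is passed to
# 192.168.99.234 untranslated instead of to the client at 10.0.1.21.
# Note that the winning rule also has no "log", which is consistent with
# seeing neither a pass nor a block entry in the pf log.
# (kept commented out: load ruleset A *or* ruleset B, never both)
#
# pass in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port 54237 \
#     flags S/SA keep state (max 1) tag FTPPROXY rtable 0 rdr-to 10.0.1.21 port 47008
# pass out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port 47008 \
#     flags S/SA keep state (max 1) tag FTPPROXY rtable 0 nat-to 192.168.99.237
# pass in on $ext_if proto tcp tagged FTPPROXY
# pass out on $int_if proto tcp tagged FTPPROXY

# ---- Ruleset B: the shape Henning is pointing at. A match rule applies
# its options (tag, rtable, rdr-to / nat-to) whenever it matches, and they
# remain in effect no matter which later pass rule ends up being the last
# match. The "tagged" pass rules then make the final pass/block decision on
# an already-translated packet, so the data connection is delivered to
# 10.0.1.21 port 47008 as the proxy intended.
match in log inet proto tcp from 192.168.99.237 to 192.168.99.234 port 54237 \
    flags S/SA tag FTPPROXY rtable 0 rdr-to 10.0.1.21 port 47008
match out log inet proto tcp from 192.168.99.237 to 10.0.1.21 port 47008 \
    flags S/SA tag FTPPROXY rtable 0 nat-to 192.168.99.237

# User policy on the tagged packets. These are now the last matching rules
# and create the state; (max 1) mirrors the proxy's per-connection limit.
pass in on $ext_if proto tcp tagged FTPPROXY keep state (max 1)
pass out on $int_if proto tcp tagged FTPPROXY keep state (max 1)
```

To see which rule actually won, `pfctl -vsr` shows per-rule Evaluations, Packets and States counters (the same counters Bryan's `pfctl -v -a ftp-proxy/16553.9 -sr` printed, all zero for the anchor rules), and `pfctl -ss` lists the resulting state with its translated address and port. In practice ruleset B cannot be produced by editing pf.conf alone, since the anchor rules are generated by ftp-proxy at run time; that is why Henning's remark is about ftp-proxy itself emitting match rules.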

