On Thu, Jun 19, 2003 at 03:04:17PM -0700, Kevin R. Smith wrote:

> FWIW, in the 3.2 docs it was done using [head|tail], though I couldn't find
> great documentation on that either--my efforts at applying 3.2 syntax in 3.3
> have failed. Presumably this feature still exists, and I'm not seeing how to
> specify rule placement....

Make sure you have 3.3 man pages[1] installed, then check authpf(8),
which explains how authpf now uses an 'anchor' instead of head/tail.
pf.conf(5) explains anchors in detail.

In short, authpf creates sub-rulesets, one per logged-in user, in the
anchor called 'authpf'. You can freely choose where in the main ruleset
(/etc/pf.conf) the anchor is evaluated, by inserting the rule

  anchor authpf

anywhere in the filter rules section (head, tail, anywhere in between).

If the users' rulesets contain translation rules (nat, rdr, binat),
you'll need to insert nat-anchor, rdr-anchor, binat-anchor rules at
the appropriate place in the main ruleset similarly.

authpf(8) has an example ruleset, too.

Daniel

[1] http://www.openbsd.org/cgi-bin/man.cgi?query=authpf
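
The placement described in the reply above, as an added example that is not part of the original post or of authpf(8). The interface names and the surrounding rules are constructed for illustration; only the four anchor rules come from the message.

```pf
# /etc/pf.conf sketch for OpenBSD 3.3-style anchors (added example).
# Interface names below are constructed placeholders.
ext_if = "fxp0"
int_if = "fxp1"

scrub in all

# Translation section. These three lines are only needed when the
# per-user rulesets contain nat, rdr or binat rules. Translation
# rules are first-match, so anything listed above an anchor here
# takes precedence over the users' translation rules.
nat-anchor authpf
rdr-anchor authpf
binat-anchor authpf

# Filter section. pf filter rules are last-match unless 'quick' is
# used, so the position of 'anchor authpf' decides who wins.

# Default deny for inbound traffic.
block in all

# Let the firewall itself talk out.
pass out on $ext_if proto { tcp, udp } all keep state

# Users must be able to reach sshd on the gateway to start authpf.
pass in on $int_if proto tcp from any to $int_if port ssh keep state

# "Tail" placement: per-user rules are evaluated after the main
# rules, so a matching per-user pass rule overrides 'block in all'.
anchor authpf

# Anything written below this point is evaluated after the per-user
# rules and can override them. A 'block in quick' rule placed ABOVE
# the anchor cannot be overridden by any per-user rule.
```

Moving `anchor authpf` above `block in all` ("head" placement) would make the default-deny rule the last match for inbound traffic, and the per-user pass rules would have no effect unless they use `quick`.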
