Hello pf@,

basically, I've been using the OpenBSD/pf combo for a
good 12 months+ now with just the one subnet and all
the rules jumbled together in pf.conf. Now I decided
that I want to use anchors, as at some point I will
be adding two more subnets to my firewall. Well, I am
not sure if it is just me, but I am unable to use anchors?

Okay example:

$ cat pf.conf
# /etc/pf.conf(5)

#
# Macros
ext_if = "tun0"
int_if = "fxp1"

#
# Tables

#
# Options
set require-order yes
set optimization conservative
set block-policy drop
set state-policy if-bound

#
# Normalization
scrub in on $ext_if all\
min-ttl 100 max-mss 1460\
no-df fragment reassemble
scrub out on $ext_if all\
min-ttl 10 max-mss 1460\
random-id
scrub on $ext_if inet proto tcp\
reassemble tcp

#
# Queues

#
# Translation
# Mask the Internal Network
nat on $ext_if inet proto { tcp, udp, icmp }\
from $int_if:network to any -> ($ext_if)\
sticky-address static-port

# FTP-Proxy for the Internal Network and pass
rdr pass on $int_if inet proto tcp\
from $int_if:network to any port 21\
-> 127.0.0.1 port 8021

#
# Filtering
#
# Sub-ruleset: Default
anchor a_Default
 block log on $ext_if all
 antispoof for $ext_if
 pass quick on lo0 all

#
#=========================== [ Sub-ruleset: Intranet ]
anchor a_IntNet
 pass quick on $int_if all

 pass out on $ext_if inet proto tcp\
  from $int_if:network to any port\
  { http, https }\
  flags S/SA modulate state
 pass out on $ext_if inet proto tcp\
  from $int_if:network to any port\
  { pop3, smtp }\
  flags S/SA modulate state
 pass out on $ext_if inet proto tcp\
  from $int_if:network to any port\
  { ssh }\
  flags S/SA modulate state

#EOF

I have been fiddling all day, searched google.com and
MARC, read http://openbsd.org/faq/pf/anchors.html till
I pulled my hair out, even man 5 pf.conf - none yield
any enlightenment?

Do I need nat-anchor? Or something?? Why does it
have to be so difficult?

Does anyone have a pf.conf with anchors I can use as
an example? I am probably not the only one who would
benefit from this :o)

=====
---
Ade Devereux
"Great works are performed, not by strength, but by perseverance."
~~ Samuel Johnson
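The same ruleset laid out so that the anchors actually receive rules, as an added example that is not part of the original post: the main pf.conf keeps only the translation rules and the anchor attachment points, and each anchor's filter rules live in their own file pulled in with pf.conf(5)'s "load anchor ... from" (or loaded separately with pfctl -a). The /etc/pf.anchors/ paths are an assumption; interface names are taken from the post.

```pf
# ---------- /etc/pf.conf (main ruleset) ----------
ext_if = "tun0"
int_if = "fxp1"

set block-policy drop
set state-policy if-bound

scrub in on $ext_if all min-ttl 100 max-mss 1460 no-df fragment reassemble

# nat/rdr stay in the main ruleset, so no nat-anchor/rdr-anchor is needed;
# those attachment points are only required when translation rules
# themselves are placed inside an anchor file.
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
rdr pass on $int_if inet proto tcp from $int_if:network to any port 21 \
    -> 127.0.0.1 port 8021

# Anchor attachment points. Rules written after an "anchor" line are NOT
# inside it; they remain ordinary main-ruleset rules (indentation is
# ignored by the parser), which leaves the anchor itself empty.
# The anchor's rules come from a separate file, loaded here by
# "load anchor", or at any time with: pfctl -a <name> -f <file>
anchor "a_Default"
load anchor "a_Default" from "/etc/pf.anchors/a_Default"

anchor "a_IntNet"
load anchor "a_IntNet" from "/etc/pf.anchors/a_IntNet"

# ---------- /etc/pf.anchors/a_Default (assumed path) ----------
# Each anchor file is parsed on its own, so redefine the macros it uses.
ext_if = "tun0"
block log on $ext_if all
antispoof for $ext_if
pass quick on lo0 all

# ---------- /etc/pf.anchors/a_IntNet (assumed path) ----------
ext_if = "tun0"
int_if = "fxp1"
pass quick on $int_if all
pass out on $ext_if inet proto tcp from $int_if:network to any \
    port { http, https, pop3, smtp, ssh } flags S/SA modulate state

# Reload one anchor without touching the rest, then inspect it:
#   pfctl -a a_IntNet -f /etc/pf.anchors/a_IntNet
#   pfctl -a a_IntNet -s rules
#   pfctl -a a_IntNet -F rules      # flush only that anchor's rules
```

Checking with "pfctl -vnf /etc/pf.conf" will not catch the original layout, because rules that simply follow an "anchor" line are valid main-ruleset rules; "pfctl -a a_IntNet -s rules" printing nothing is the tell-tale sign that the anchor was never populated.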