I have 2 weirdnesses occurring with anchors.
Running pf compiled in kernel, on
FreeBSD 6.1 i386
Here's the scenario... I have the following configs:

-----quote section from pf.conf ----
anchor "test/*"
load anchor test from "/etc/pf/anchors/test"
-----quote section from pf.conf ----
(this pf.conf has a default block set)

----- quote /etc/pf/anchors/test -----
anchor test.000
load anchor test.000 from "/etc/pf/anchors/test.000"
----- quote /etc/pf/anchors/test -----

----- quote /etc/pf/anchors/test.000 -----
pass in quick on em0 inet proto tcp from any to em0 port 80 \
flags S/SA modulate state
----- quote /etc/pf/anchors/test.000 -----

Weirdness number 1...  anchors declared within anchors are not evaluating.

I load the rules:
pfctl -e -f /etc/pf.conf

pfctl -s Anchors    # shows the following
 test
 test.000

pfctl -s rules       # shows the following
anchor "test/*" all

However, I cannot connect to port 80 from another machine on the same
network; there is no test.000 loading in the main ruleset.

Weirdness number 2... can't destroy anchors?

Commented out the lines in pf.conf:
-----quote section from pf.conf ----
#anchor "test/*"
#load anchor test from "/etc/pf/anchors/test"
-----quote section from pf.conf ----

Flushed everything out and reloaded everything...

# pfctl -a test.00 -F all
rules cleared
nat cleared
pfctl: Anchor or Ruleset does not exist.

why does this not exist???

# pfctl -a test -F all
rules cleared
nat cleared
0 tables deleted.

# pfctl -F all -f /etc/pf.conf
rules cleared
nat cleared
0 tables deleted.
altq cleared
9 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset

# pfctl -s Anchors
 test
 test.000

So why are these anchors still defined?

Any clarification or workaround for these anchor weirdnesses would be
greatly appreciated.  I am working towards having a fairly static
pf.conf, with the changeable rules located within anchors only.

Cheers,
David