Hi ya,
I'm trying to use inline anchors to prioritize inbound and outbound
traffic for hosting traffic. So basically, when a maintainer wants to allow
inbound traffic to the hosting server, they only have to add a "pass" rule
into the hosting/inbound anchor.
But when I try to load the PF rules (configuration below), I get the
following message:
> pfctl -nf pf.conf
pf-hosting.conf:12: port only applies to tcp/udp
pf-hosting.conf:12: skipping rule due to errors
pf-hosting.conf:12: rule expands to no valid combination
pf-hosting.conf:13: port only applies to tcp/udp
pf-hosting.conf:13: skipping rule due to errors
pf-hosting.conf:13: port only applies to tcp/udp
pf-hosting.conf:13: skipping rule due to errors
pf-hosting.conf:13: port only applies to tcp/udp
pf-hosting.conf:13: skipping rule due to errors
pf-hosting.conf:13: port only applies to tcp/udp
pf-hosting.conf:13: skipping rule due to errors
pf-hosting.conf:13: port only applies to tcp/udp
pf-hosting.conf:13: skipping rule due to errors
pf-hosting.conf:13: port only applies to tcp/udp
pf-hosting.conf:13: skipping rule due to errors
pf-hosting.conf:13: rule expands to no valid combination
pf-hosting.conf:17: port only applies to tcp/udp
pf-hosting.conf:17: skipping rule due to errors
pf-hosting.conf:17: rule expands to no valid combination
pfctl: load anchors
Does anyone have an idea how to solve this, or maybe a better solution?
Here are my configuration files:
[pf.conf]
# Interfaces
ext_if="vr0"
# Set logging on external interface
set loginterface $ext_if
# disable filtering on loopback interface
set skip on lo
# Normalize incoming traffic
scrub in
# Default
block in
pass out log
# Activate spoofing protection (no quick yet)
antispoof for $ext_if inet
# Create anchors for Hosting
anchor "hosting/*"
load anchor "hosting/*" from "pf-hosting.conf"
[/pf.conf]
[pf-hosting.conf]
# Interfaces
ext_if="vr0"
# Hosts
hosting = "aaa.bbb.ccc.ddd" # hosting server
# Ports
allowed_ports = "{smtps, submission, http, https \
imap, imaps}"
anchor "inbound" in quick proto tcp to $hosting flags S/SA keep state {
pass log to port smtp
pass to port $allowed_ports
}
anchor "outbound" out quick proto tcp from $hosting flags S/SA keep state {
pass log to port smtp
}
[/pf-hosting.conf]
With kind regards,
Robin Gruyters
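The errors above come from how pf evaluates anchors: the `proto tcp ... to $hosting` on the `anchor` line only selects which packets are handed to the anchor body, it is not inherited by the rules inside. Each inner rule is a complete rule of its own, so `port` is rejected there until the rule carries its own `proto tcp`. The following is an added example of the two files with that change applied; it is not the poster's configuration, it keeps the placeholder address `aaa.bbb.ccc.ddd` and the interface `vr0` from the post, and it assumes the hosting rules live at `/etc/pf-hosting.conf` and are loaded into the plain `hosting` anchor rather than a `hosting/*` wildcard.

```pf
# /etc/pf.conf (added example, not the original poster's file)
ext_if="vr0"

set loginterface $ext_if
set skip on lo
scrub in

block in
pass out log
antispoof for $ext_if inet

# Evaluate the "hosting" anchor; the inline anchors defined in the loaded
# file create and descend into hosting/inbound and hosting/outbound.
anchor "hosting"
load anchor "hosting" from "/etc/pf-hosting.conf"

# /etc/pf-hosting.conf (added example, not the original poster's file)
ext_if="vr0"
hosting = "aaa.bbb.ccc.ddd"          # placeholder address taken from the post
allowed_ports = "{ smtps, submission, http, https, imap, imaps }"

# The anchor rule only filters which packets reach the body; the rules in
# the body are full rules and must state "proto tcp" themselves for "port"
# to be valid.  Address and direction are repeated for the same reason.
anchor "inbound" in quick on $ext_if proto tcp to $hosting {
    pass in log proto tcp to $hosting port smtp flags S/SA keep state
    pass in proto tcp to $hosting port $allowed_ports flags S/SA keep state
}

anchor "outbound" out quick on $ext_if proto tcp from $hosting {
    pass out log proto tcp from $hosting to any port smtp flags S/SA keep state
}
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, then confirm what actually ended up in each anchor with `pfctl -a hosting/inbound -sr` and `pfctl -a hosting/outbound -sr`; a maintainer's new `pass` line that lacks `proto tcp` will fail the parse step in the same way the original did, so the syntax check is the place to catch it.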