On 2013/03/11 12:06, Andrew Siegel wrote:
> I've been scratching my head over this one. Here is my pf.conf:
>
> int_if = "em0"
> dmz_if = "em1"
> block log all
> set skip on lo0
> block log quick inet6
> block in log quick on $int_if from ! <rfc1918> to any
> block out log quick on $int_if from any to ! <rfc1918>
> pass out log on $int_if inet proto tcp from $int_if:0 to 10.1.1.1 port ldap
> pass in log on $dmz_if inet proto tcp from $dmz_if:network to $dmz_if:0
> port ldap
> pass in log on $dmz_if inet proto icmp from $dmz_if:network to $dmz_if:0
> pass out log on $dmz_if inet proto icmp from $dmz_if:0 to $dmz_if:network
> pass in log on $int_if inet proto icmp from <rfc1918> to $int_if:0
> pass out log on $int_if inet proto icmp from $int_if:0 to <rfc1918>
> pass in log on $int_if inet proto icmp from <rfc1918> to $dmz_if:network
> pass out log on $dmz_if inet proto icmp from <rfc1918> to $dmz_if:network
> pass in log on $dmz_if inet proto udp from $dmz_if:network to $dmz_if:0
> port ntp
> pass in log on $int_if inet proto tcp from <rfc1918> to { $int_if:0
> $dmz_if:network } port ssh
> pass out log on $dmz_if inet proto tcp from <rfc1918> to $dmz_if:network
> port ssh
> pass out log on $dmz_if inet proto tcp from $int_if:0 to $dmz_if:network
> port ssh
> pass out log on $int_if inet proto udp from $int_if:0 to <dns> port domain
> pass out log on $int_if inet proto udp from $int_if:0 to <ntp> port ntp
>
>
> The problem is that some rules end up out of order in the "pfctl -s rules"
> output (note the icmp rules in particular):
>
> 0 block drop log all
> 1 block drop in log quick on em0 from ! <rfc1918> to any
> 2 block drop out log quick on em0 from any to ! <rfc1918>
> 3 block drop log quick inet6 all
> 4 pass in log on em0 inet proto icmp from <rfc1918> to 192.168.7.2
> 5 pass in log on em0 inet proto icmp from <rfc1918> to 192.168.8.0/24
> 6 pass in log on em0 inet proto tcp from <rfc1918> to 192.168.7.2 port
> = 22 flags S/SA
> 7 pass in log on em0 inet proto tcp from <rfc1918> to 192.168.8.0/24
> port = 22 flags S/SA
> 8 pass out log on em0 inet proto udp from 192.168.7.2 to <dns> port = 53
> 9 pass out log on em0 inet proto udp from 192.168.7.2 to <ntp> port =
> 123
> 10 pass out log on em0 inet proto tcp from 192.168.7.2 to 10.1.1.1 port
> = 389 flags S/SA
> 11 pass out log on em0 inet proto icmp from 192.168.7.2 to <rfc1918>
> 12 pass out log on em1 inet proto icmp from 192.168.8.1 to 192.168.8.0/24
> 13 pass out log on em1 inet proto icmp from <rfc1918> to 192.168.8.0/24
> 14 pass out log on em1 inet proto tcp from <rfc1918> to 192.168.8.0/24
> port = 22 flags S/SA
> 15 pass out log on em1 inet proto tcp from 192.168.7.2 to 192.168.8.0/24
> port = 22 flags S/SA
> 16 pass in log on em1 inet proto tcp from 192.168.8.0/24 to 192.168.8.1
> port = 389 flags S/SA
> 17 pass in log on em1 inet proto icmp from 192.168.8.0/24 to 192.168.8.1
> 18 pass in log on em1 inet proto udp from 192.168.8.0/24 to 192.168.8.1
> port = 123
>
> This is under OpenBSD 5.1. Am I misunderstanding something? Is some kind of
> optimization taking place behind the scenes?
>
> Andy
Yes. From man pfctl:
-o level
Control the ruleset optimizer, overriding any rule file settings.
-o none Disable the ruleset optimizer.
-o basic Enable basic ruleset optimizations. This is the
default behaviour.
-o profile Enable basic ruleset optimizations with profiling.
For further information on the ruleset optimizer, see pf.conf(5).
