
Streamlining pf.conf with Anchors

Hello [email protected],
Basically, I've been using the OpenBSD/pf combo for a
good 12 months+ now with just the one subnet and all
the rules jumbled together in pf.conf. Now I have decided
that I want to use anchors, as at some point I will
be adding two more subnets to my firewall. Well, I am
not sure if it is just me, but I am unable to use anchors.
Okay, example:
$ cat pf.conf
# /etc/pf.conf(5)
# Macros
ext_if = "tun0"
int_if = "fxp1"
# Tables
# Options
set require-order yes
set optimization conservative
set block-policy drop
set state-policy if-bound
# Normalization
scrub in on $ext_if all\
min-ttl 100 max-mss 1460\
no-df fragment reassemble
scrub out on $ext_if all\
min-ttl 10 max-mss 1460
scrub on $ext_if inet proto tcp\
reassemble tcp
# Queues
# Translation
# Mask the Internal Network
nat on $ext_if inet proto { tcp, udp, icmp }\
from $int_if:network to any -> ($ext_if)\
sticky-address static-port
# FTP-Proxy for the Internal Network and pass
rdr pass on $int_if inet proto tcp\
from $int_if:network to any port 21\
-> port 8021
# Filtering
# Sub-ruleset: Default
anchor a_Default
 block log on $ext_if all
 antispoof for $ext_if
 pass quick on lo0 all
#=========================== [ Sub-ruleset: Intranet ]
anchor a_IntNet
 pass quick on $int_if all
 pass out on $ext_if inet proto tcp\
  from $int_if:network to any port\
  { http, https }\
  flags S/SA modulate state
 pass out on $ext_if inet proto tcp\
  from $int_if:network to any port\
  { pop3, smtp }\
  flags S/SA modulate state
 pass out on $ext_if inet proto tcp\
  from $int_if:network to any port\
  { ssh }\
  flags S/SA modulate state
I have been fiddling all day, searched google.com and
MARC, read http://openbsd.org/faq/pf/anchors.html till
I pulled my hair out, even man 5 pf.conf - none yielded
any enlightenment.
Do I need nat-anchor or something? Why does it
have to be so difficult?
Does anyone have a pf.conf with anchors I can use as
an example? I am probably not the only one who would
benefit from this :o)
Ade Devereux
"Great works are performed, not by strength, but by perseverance."
~~ Samuel Johnson
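An added example of the layout the poster is asking for, not from the original mail: the main pf.conf carries only the anchor attachment points and pulls each sub-ruleset in with `load anchor`, since rules written directly under an `anchor` line are not part of that anchor (later OpenBSD releases also accept inline `anchor "name" { ... }` blocks). The file names, the trimmed scrub options and the merged port list are my choices; nat-anchor/rdr-anchor are only needed if translation rules themselves move into an anchor, which these do not.

```pf
# /etc/pf.conf -- main ruleset: options, scrub, nat/rdr, then the
# filter-anchor attachment points in the filtering section.
ext_if = "tun0"
int_if = "fxp1"

set require-order yes
set block-policy drop

scrub in  on $ext_if all no-df fragment reassemble
scrub out on $ext_if all max-mss 1460

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> port 8021

# Anchors are evaluated in this order and take part in last-match-wins
# like the main ruleset, so the block in a_Default is overridden by the
# passes in a_IntNet; a quick match inside an anchor is final.
anchor "a_Default"
load anchor "a_Default" from "/etc/pf.anchor.default"
anchor "a_IntNet"
load anchor "a_IntNet" from "/etc/pf.anchor.intnet"

# /etc/pf.anchor.default -- each anchor file is parsed on its own, so
# it repeats the macros it uses.
ext_if = "tun0"
block log on $ext_if all
antispoof for $ext_if
pass quick on lo0 all

# /etc/pf.anchor.intnet
ext_if = "tun0"
int_if = "fxp1"
pass quick on $int_if all
pass out on $ext_if inet proto tcp from $int_if:network to any \
    port { http, https, pop3, smtp, ssh } flags S/SA modulate state

# Checks, run as root:
#   pfctl -nf /etc/pf.conf        parse everything, load nothing
#   pfctl -f /etc/pf.conf         load main ruleset plus both anchors
#   pfctl -sA                     list the attached anchors
#   pfctl -a a_IntNet -sr         show the rules inside one anchor
#   pfctl -a a_IntNet -f /etc/pf.anchor.intnet   reload one anchor only
```

The last pfctl line is the point of the split: when the extra subnets arrive, their anchor files can be edited and reloaded without touching the default rules or the translation section.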