skipto keyword in pf

[Damien Fleuriot]

On 7 May 2013, at 16:01, Ian FREISLICH <ianf at clue.co.za> wrote:

> Nomad Esst wrote:
>>> Well, tags could help here. With a concrete example of what you want, it
>>> would be easier to suggest a solution.
>> 
>>> Regards.
>> 
>> Aren't anchors useful as David DeSimone said?
> 
> Yes they are.  I used to do the following in ipfw:
> 
> 10 skipto 1200 ip from any to any in recv vlan2
> 20 skipto 1200 ip from any to any out xmit vlan2
> 30 skipto 1300 ip from any to any in recv vlan3
> 40 skipto 1300 ip from any to any out xmit vlan3
> 50 skipto 1400 ip from any to any in recv vlan4
> 60 skipto 1400 ip from any to any out xmit vlan4
> ...
> 100 deny log  ip   from any to any
> ...
> 1200 vlan2 rules
> ...
> 1299 deny log  ip   from any to any
> 1300 vlan3 rules
> ...
> 1399 deny log  ip   from any to any
> 1400 vlan4 rules
> ...
> 1499 deny log  ip   from any to any
> 
> 
> In pf I do the following:
> 
> anchor vlan2 quick on vlan2
> load anchor vlan2 from "/var/db/firewall/vlan2"
> anchor vlan3 quick on vlan3
> load anchor vlan3 from "/var/db/firewall/vlan3"
> anchor vlan4 quick on vlan4
> load anchor vlan4 from "/var/db/firewall/vlan4"
> 


Would you kindly elaborate on the quick keyword in conjunction with anchors ?

I would assume that makes all the rules within the anchor quick ?



> and I put the rules for each vlan in their own file. as an example:


If you only use anchors to cleanly split your rules, 9.x's PF supports includes, by the way, a feature that's been missing for so long ;)



Also, @OP:
Note that if you use anchors, NAT and rdr rules need to be loaded like so:

nat-anchor test
rdr-anchor test
anchor test
load anchor test from "/etc/pf/anchor_test"

Otherwise, don't be surprised if your NATs and RDRs mysteriously aren't applied