Anchor evaluation
David DeSimone
fox at verio.net
Fri May 17 20:29:28 UTC 2013
Manoj Ganesan <manoj.ganesan at gmail.com> wrote:
>
> I'm probably doing something very silly here, which I can't figure out. I'm
> trying to get an anchor to be evaluated, but I can't seem to get traffic to
> go through.
>
> My /etc/pf.conf looks like:
>
> rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
> nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
> pass out all
>
> I want to replace these by an anchor like so (my /etc/pf.conf looks like):
>
> anchor my_anchor
> load anchor gamenode from "/usr/home/my_user/my_anchor"
You're telling PF to evaluate an anchor "my_anchor" but you named the
anchor "gamenode", so there are no rules to be evaluated in that case.
> where the /usr/home/my_user/my_anchor looks like:
>
> rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
> nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
> pass out all
>
> But while the anchor-less case lets packets through, the anchor case
> doesn't. Am I doing something wrong here?
The "anchor" directive tells PF to only evaluate filter rules from the
anchor. I would assume you also need "nat-anchor" and "rdr-anchor"
directives to force all of the anchor rules to be evaluated:
nat-anchor my_anchor
rdr-anchor my_anchor
anchor my_anchor
load anchor my_anchor from "/usr/home/my_user/my_anchor"
--
David DeSimone == Network Admin == fox at verio.net
"I don't like spinach, and I'm glad I don't, because if I
liked it I'd eat it, and I just hate it." -- Clarence Darrow
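The reply above names two separate mistakes: the name passed to "load anchor" (gamenode) is not the name that "anchor" evaluates (my_anchor), and a bare "anchor" directive only pulls in filter rules, so nat/rdr rules living in the anchor file need "nat-anchor" and "rdr-anchor" as well. The following is an added example, not code from either poster or from the PF project: a small Python lint that reads a main ruleset and the anchor file it loads (both embedded here as constructed strings that mirror the thread, nothing is read from disk) and reports either mistake. The rule-keyword-to-directive mapping it uses (nat -> nat-anchor, rdr -> rdr-anchor, binat -> binat-anchor, pass/block -> anchor) reflects PF of the era discussed here, where translation and filter rules are separate rulesets; the lint itself and its finding strings are my own.

```python
"""Cross-check a PF main ruleset against the anchor file it loads.

Catches (1) "load anchor X" where no anchor/nat-anchor/rdr-anchor directive
ever evaluates X, and (2) an anchor file holding nat/rdr rules while the main
ruleset only carries "anchor", which evaluates filter rules alone.
"""
import re

# Rule keyword in an anchor file -> directive the main ruleset needs for it.
# (PF of the era in the thread keeps translation and filter rules separate.)
DIRECTIVE_FOR_RULE = {
    "nat": "nat-anchor",
    "rdr": "rdr-anchor",
    "binat": "binat-anchor",
    "pass": "anchor",
    "block": "anchor",
}
ANCHOR_DIRECTIVES = set(DIRECTIVE_FOR_RULE.values())


def _logical_lines(text):
    """Yield non-empty rule lines with comments stripped and backslash-newline joined."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_main_ruleset(text):
    """Return ({anchor name: set of directives naming it}, {anchor name: path loaded})."""
    evaluated, loaded = {}, {}
    for line in _logical_lines(text):
        tok = line.split()
        if tok[0] == "load" and len(tok) >= 5 and tok[1] == "anchor" and tok[3] == "from":
            loaded[tok[2].strip('"')] = tok[4].strip('"')
        elif tok[0] in ANCHOR_DIRECTIVES and len(tok) >= 2 and not tok[1].startswith("{"):
            evaluated.setdefault(tok[1].strip('"'), set()).add(tok[0])
    return evaluated, loaded


def directives_needed(anchor_text):
    """Directives the main ruleset must carry so every rule in the file gets evaluated."""
    needed = set()
    for line in _logical_lines(anchor_text):
        tok = line.split()
        # "no nat ..." / "no rdr ..." are still translation rules.
        kw = tok[1] if tok[0] == "no" and len(tok) > 1 else tok[0]
        if kw in DIRECTIVE_FOR_RULE:
            needed.add(DIRECTIVE_FOR_RULE[kw])
    return needed


def lint(main_text, anchor_files):
    """Return a list of findings; anchor_files maps path -> file contents."""
    evaluated, loaded = parse_main_ruleset(main_text)
    findings = []
    for name in sorted(set(loaded) - set(evaluated)):
        findings.append(f'anchor "{name}" is loaded but no anchor/nat-anchor/rdr-anchor directive references it')
    for name in sorted(set(evaluated) - set(loaded)):
        findings.append(f'anchor "{name}" is referenced but nothing loads rules into it')
    for name, path in sorted(loaded.items()):
        if name not in evaluated or path not in anchor_files:
            continue
        for d in sorted(directives_needed(anchor_files[path]) - evaluated[name]):
            findings.append(f'{path} contains rules that need "{d} {name}" in the main ruleset')
    return findings


# Constructed inputs mirroring the thread (path and addresses as posted).
ANCHOR_PATH = "/usr/home/my_user/my_anchor"
ANCHOR_FILE = """\
rdr pass log on ix0 proto udp from 10.0.111.61 to any port 1234 -> 10.0.211.62 port 4321
nat pass log on ix0 from 10.0.211.62 port 4321 to 10.0.111.61 -> 10.0.111.71 port 1234
pass out all
"""
MAIN_AS_POSTED = """\
anchor my_anchor
load anchor gamenode from "/usr/home/my_user/my_anchor"
"""
MAIN_NAME_FIXED = """\
anchor my_anchor
load anchor my_anchor from "/usr/home/my_user/my_anchor"
"""
MAIN_CORRECTED = """\
nat-anchor my_anchor
rdr-anchor my_anchor
anchor my_anchor
load anchor my_anchor from "/usr/home/my_user/my_anchor"
"""

if __name__ == "__main__":
    files = {ANCHOR_PATH: ANCHOR_FILE}
    for label, cfg in (("as posted", MAIN_AS_POSTED),
                       ("name fixed", MAIN_NAME_FIXED),
                       ("corrected", MAIN_CORRECTED)):
        print(f"[{label}]")
        for f in lint(cfg, files) or ["ok"]:
            print("  " + f)
```

Once the ruleset is corrected, the same check can be done on the box itself: pfctl -a my_anchor -s nat lists the translation rules actually loaded into the anchor and pfctl -a my_anchor -s rules lists its filter rules; an empty listing for either means the corresponding directive is missing or the names still differ.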