PF not keeping counters in a counters-defined table
Kristof Provost
kp at FreeBSD.org
Tue Jan 5 19:42:19 UTC 2021
On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> You are correct, Kristof.
>
> If I place the table in the rdr rule - it starts keeping counters, however,
> what is the point of having the ability to place a table in a rdr-anchor
> rule in the first place, if it won't be able to keep counters?
>
Tables are not just about counters. They’re about making a rule filter
on a whole selection of addresses (or ranges).
In this case you’re choosing to filter what traffic may go into the
anchor.
Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule
in the anchor itself?
> I'm doing the following scenario:
> table <xyztable> counters
> table <othertable> persist
>
> rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> no-rdr on igb0 from any to <othertable> port 123
> rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
> # contents of /etc/ASDFGH-anchor:
> # (tested separately)
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
> # rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working
>
> So, in this case - how do I keep counters in the <xyztable> without
> breaking the current "workflow"?
> If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr
> rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124
>
> Is there a way?
I have no idea, and I’m not the best person to talk to about how to
configure your firewall.
Best regards,
Kristof
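One way to apply the suggestion above while keeping the quoted top-level layout, written as an added example rather than anything posted in the thread: the table stays on the rdr-anchor line only to select traffic, and the counting is done by the rdr rule inside the anchor, followed by a catch-all so that sources outside <xyztable> are still redirected. The anchor file path, interface and addresses are taken from the quoted message; the two-rule anchor body is the assumption here.

```pf
# Added example, not from the original thread.
table <xyztable> counters
table <othertable> persist

# Top level, same order as the quoted scenario. The table on the first
# rdr-anchor only decides which traffic enters the anchor; it is the rule
# inside the anchor that increments the table counters.
rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# Assumed contents of /etc/ASDFGH-anchor. Translation rules are
# first-match, so the counted <xyztable> rule must come before the
# catch-all; a source not in <xyztable> falls through to the second rule
# and is still redirected to 192.168.0.1:124.
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
```

Per-address hit counters can then be checked with `pfctl -t xyztable -T show -v`.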