On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
#
------------------------------------------------------------------------------------------------
# /etc/pf.conf:
set timeout tcp.first 45
set timeout tcp.opening 45
set timeout tcp.closing 15
set timeout tcp.finwait 15
set timeout tcp.closed 10
set timeout interval 10
set timeout tcp.established 3600
set timeout src.track 10
set limit table-entries 500000
set limit states 2000000
set limit src-nodes 2000000
set require-order no
set block-policy drop
set ruleset-optimization basic
set skip on lo0
table <xyztable> counters
rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
load anchor ASDFGH from "/etc/ASDFGH-anchor"
# contents of /etc/ASDFGH-anchor:
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
#
Use pflog to confirm, but I’m pretty sure your issue is that you’re
hitting the rdr rule in the anchor, which doesn’t contain the table
with the counters rather than the anchor rule.
Counts are only done on the final matching rule, not on all of the rules
looked at along the way.
Regards,
Kristof
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
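The anchor file the reply implies, shown beside the quoted one, as an added example that is not part of the thread. It assumes (not stated by either poster) that naming <xyztable> in the anchor's rdr rule, which is the rule that finally matches, is what makes pf update the table's counters; the pfctl invocations in the comments are the checks a practitioner would run to confirm it.

```pf
# /etc/ASDFGH-anchor
#
# Quoted original: the table appears only in the rdr-anchor line of
# /etc/pf.conf. The rule below is the final match, it never references
# <xyztable>, so the table's packet/byte counters are never touched.
#
#   rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Assumed fix: reference the table in the rule that actually wins, so the
# counters are updated for the address that matched.
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Checks (run as root after `pfctl -f /etc/pf.conf`):
#   pfctl -a ASDFGH -s nat          # anchor now holds the rule with <xyztable>
#   pfctl -t xyztable -T show -vv   # per-address counters should now increase
#   pfctl -a ASDFGH -vs nat         # evaluation/packet counters on the rule itself
```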