Hopefully someone else will be able to help.

On Tue, Jan 5, 2021 at 9:42 PM Kristof Provost <k...@freebsd.org> wrote:

> On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> > You are correct, Kristof.
> >
> > If I place the table in the rdr rule - it starts keeping counters,
> > however, what is the point of having the ability to place a table in a
> > rdr-anchor rule in the first place, if it won't be able to keep counters?
> >
> Tables are not just about counters. They’re about making a rule filter
> on a whole selection of addresses (or ranges).
> In this case you’re choosing to filter what traffic may go into the
> anchor.
> Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule
> in the anchor itself?
>
> > I'm doing the following scenario:
> > table <xyztable> counters
> > table <othertable> persist
> >
> > rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> > no-rdr on igb0 from any to <othertable> port 123
> > rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> > # contents of /etc/ASDFGH-anchor:
> > # (tested separately)
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
> > # rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working
> >
> > So, in this case - how do I keep counters in the <xyztable> without
> > breaking the current "workflow"?
> > If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr
> > rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124
> >
> > Is there a way?
>
> I have no idea, and I’m not the best person to talk to about how to
> configure your firewall.
>
> Best regards,
> Kristof

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
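One way to apply Kristof's suggestion, keeping the table filter on the rdr rules inside the anchor instead of on the rdr-anchor line, as an added example that is not part of the thread. It reuses the interface, table and anchor names from the messages above and assumes only what pf.conf(5) documents: translation rules are evaluated first-match, so a second, unfiltered rdr rule in the anchor catches the sources that are not in the table.

```pf
# /etc/pf.conf (relevant fragment, constructed for this example)
table <xyztable> counters
table <othertable> persist

# Exclude <othertable> destinations first: translation rules are
# first-match (pf.conf(5)), so a matching no-rdr ends evaluation here.
no-rdr on igb0 proto tcp from any to <othertable> port 123

# Everything else for port 123 goes into the anchor. No table on this
# line, so it does not need to keep counters itself.
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor (constructed for this example)
# Sources listed in <xyztable> match this rule first and are counted ...
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
# ... while every other source still reaches 123 -> 192.168.0.1:124 here.
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Check from a shell:
#   pfctl -f /etc/pf.conf            # reload main ruleset and the anchor
#   pfctl -a ASDFGH -s nat           # both rdr rules present in the anchor
#   pfctl -t xyztable -T show -vv    # per-address packet/byte counters
```

Both anchor rules redirect to the same target, so the only effect of the table rule is to attribute hits to the listed addresses; addresses in <othertable> never enter the anchor because the no-rdr rule matched first.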