In the case of the LAN_INET and LAN_DMZ rules, wouldn't one need to apply the
quick option?

If you ping a DMZ server from the internal net, the rule "pass in on $int_if from
$int_net tag LAN_INET" matches, so the packet is tagged LAN_INET. However, because
the quick option isn't in that rule, pf keeps evaluating the ping against the next
rule, "pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ".

Will this wrongly tag the packet?
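As an added illustration (not part of the thread), here is a small Python model of how pf evaluates the FAQ rules quoted below: rules are tried top to bottom, the last matching pass/block rule decides unless a rule says quick, a later matching rule replaces an earlier tag, and match rules set a tag without deciding pass/block. Interface names and addresses are constructed sample values, and the "tagged LAN_INET" condition and nat-to are not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass", "block" or "match"
    tag: Optional[str] = None        # tag applied when the rule matches
    direction: Optional[str] = None  # "in", "out" or None for either
    iface: Optional[str] = None
    src: Optional[str] = None        # CIDR string, None means any
    dst: Optional[str] = None
    quick: bool = False

    def matches(self, pkt):
        if self.direction and pkt["dir"] != self.direction:
            return False
        if self.iface and pkt["if"] != self.iface:
            return False
        for field, net in (("src", self.src), ("dst", self.dst)):
            if net and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(net):
                return False
        return True

def evaluate(rules, pkt):
    """Return (decision, tag): the last matching rule wins unless it says quick."""
    decision, tag = None, None
    for r in rules:
        if not r.matches(pkt):
            continue
        if r.tag:
            tag = r.tag        # a later matching rule replaces the tag
        if r.action == "match":
            continue           # match sets the tag but never decides pass/block
        decision = r.action
        if r.quick:
            break              # quick: stop evaluating here
    return decision, tag
INT_NET, DMZ_NET = "192.168.1.0/24", "10.0.0.0/24"   # constructed sample nets

def faq_ruleset(quick_on_lan_inet=False):
    # The rules from the patch ("tagged LAN_INET" and nat-to are not modeled).
    return [
        Rule("block"),
        Rule("match", "LAN_INET_NAT", "out", "ext0"),
        Rule("pass", "LAN_INET", "in", "int0", src=INT_NET, quick=quick_on_lan_inet),
        Rule("pass", "LAN_DMZ", "in", "int0", src=INT_NET, dst=DMZ_NET),
    ]
PING_TO_DMZ = {"dir": "in", "if": "int0", "src": "192.168.1.10", "dst": "10.0.0.5"}
```

Running `evaluate(faq_ruleset(), PING_TO_DMZ)` shows the ping ending up tagged LAN_DMZ, while `faq_ruleset(True)` shows what quick on the LAN_INET rule would do to the same packet.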

________________________________________
From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Axton [axton.gr...@gmail.com]
Sent: Thursday, November 03, 2011 6:50 PM
To: misc
Subject: Patch for FAQ - PF: Packet Tagging (Policy Filtering) - New NAT Syntax

This is a patch to update the FAQ at
http://www.openbsd.org/faq/pf/tagging.html with the nat syntax changes
introduced in 4.7 (http://openbsd.org/faq/upgrade47.html#newPFnat):

$ diff -ub tagging.html.bak tagging.html
--- tagging.html.bak    2011-11-03 17:40:01.596053714 -0500
+++ tagging.html        2011-11-03 17:47:07.696539268 -0500
@@ -199,7 +199,7 @@
 <blockquote>
 <tt>
 block all<br>
-pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)<br>
+match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)<br>
 pass in on $int_if from $int_net tag LAN_INET<br>
 pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ<br>
 pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ<br>
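Review bot: changing the first rule after "block all" from pass to match means that rule no longer passes anything; match only applies the tag and nat-to, so outbound packets on $ext_if are still governed by "block all" unless a separate "pass out" rule (for example one matching "tagged LAN_INET_NAT") covers them. That is the intended split under the 4.7 syntax, but the hunk context does not show such a rule, so confirm the policy part of the page still contains it before committing.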
@@ -256,7 +256,7 @@
 # classification -- classify packets based on the defined firewall
 # policy.
 block all
-pass out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)<br>
+match out on $ext_if tag LAN_INET_NAT tagged LAN_INET nat-to ($ext_if)<br>
 pass in on $int_if from $int_net tag LAN_INET<br>
 pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ<br>
 pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ
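Review bot: the replaced line carries a trailing "<br>" (as do the two context lines after it), while the "# classification" comment lines and the last "pass in" line of this listing have none; since this block looks like a pre-formatted listing rather than the <tt>/<blockquote> block of the first hunk, those "<br>" tags will likely render as extra blank lines, so consider dropping the "<br>" from the new line (and the adjacent ones) while touching it.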

There is a rule on the page that may also require changes:

pass in on $ext_if proto tcp from <spamd> to port smtp \
   tag SPAMD rdr-to 127.0.0.1 port 8025

I'm not familiar enough with rdr-to to know if this requires changes.
Based on my reading it does not appear to require a change, but
someone needs to check me on this.

Axton Grams
