Hi,

I am trying to learn and understand the pf tagging mechanism. I was wondering whether my understanding of the order in the example at https://www.openbsd.org/faq/pf/tagging.html is correct. If it is, then there might be a mistake in the order. The relevant lines are

    ...
    pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress)
    pass in on $int_if from $int_net tag LAN_INET
    ...
    pass out quick on egress tagged LAN_INET_NAT
    ...

My understanding:

For the first line, an IPv4 packet that is already tagged with LAN_INET will now have the tag LAN_INET_NAT, and will be passed out on the egress interface after Network Address Translation.

For the second line, a packet that is coming from the internal network on the internal interface will be passed and tagged with LAN_INET.

For the third line, a packet that is tagged with LAN_INET_NAT will be passed out on the egress interface, and the rule evaluation will stop.

Now, if my understanding is correct, then a packet will never match the first line, since the LAN_INET tagging happens only in the second line. And if that is the case, the third line will also not match, since the LAN_INET_NAT tagging happens in the first line.

If my understanding is correct, then we may need to switch the order of the first and second lines.

The complete ruleset is

    int_if = "dc0"
    dmz_if = "dc1"
    int_net = "10.0.0.0/24"
    dmz_net = "192.168.0.0/24"
    www_server = "192.168.0.5"
    mail_server = "192.168.0.10"

    table <spamd> persist file "/etc/spammers"

    # classification -- classify packets based on the defined firewall
    # policy.
    block all

    pass out on egress inet tag LAN_INET_NAT tagged LAN_INET nat-to (egress)

    pass in on $int_if from $int_net tag LAN_INET
    pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ

    pass in on egress proto tcp to $www_server port 80 tag INET_DMZ

    pass in on egress proto tcp from <spamd> to port smtp tag SPAMD rdr-to \
        127.0.0.1 port 8025

    # policy enforcement -- pass/block based on the defined firewall policy.
    pass in quick on egress tagged SPAMD
    pass out quick on egress tagged LAN_INET_NAT
    pass out quick on $dmz_if tagged LAN_DMZ
    pass out quick on $dmz_if tagged INET_DMZ

Thanks.

Regards,
ab
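As an added illustration (not part of the post above and not pf code), the following constructed Python model traces a LAN client packet through the FAQ ruleset using the evaluation semantics documented in pf.conf(5): "in" rules are evaluated when the packet enters dc0 and "out" rules when it leaves egress, the last matching rule wins unless it says quick, and tags are sticky, so a tag set by a matching rule stays on the packet (and its state) into the later evaluation. The client and destination addresses are constructed sample values.

```python
"""Toy model of pf rule evaluation for the tagging FAQ ruleset (constructed,
simplified; it models direction, interface, source/destination nets,
'tagged', 'tag', and 'quick' only, not protocols, ports, or nat-to)."""
import ipaddress

INT_IF, INT_NET, DMZ_NET = "dc0", "10.0.0.0/24", "192.168.0.0/24"

# The FAQ rules relevant to LAN -> Internet traffic, in their original order.
RULES = [
    dict(action="block"),                                               # block all
    dict(dir="out", iface="egress", tagged="LAN_INET", tag="LAN_INET_NAT", action="pass"),
    dict(dir="in", iface=INT_IF, src=INT_NET, tag="LAN_INET", action="pass"),
    dict(dir="in", iface=INT_IF, src=INT_NET, dst=DMZ_NET, tag="LAN_DMZ", action="pass"),
    dict(dir="out", iface="egress", tagged="LAN_INET_NAT", quick=True, action="pass"),
    dict(dir="out", iface="dc1", tagged="LAN_DMZ", quick=True, action="pass"),
]

def in_net(addr, net):
    """A missing src/dst in a rule means 'any'."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(rule, direction, iface, pkt):
    return (rule.get("dir") in (None, direction)
            and rule.get("iface") in (None, iface)
            and in_net(pkt["src"], rule.get("src"))
            and in_net(pkt["dst"], rule.get("dst"))
            and (rule.get("tagged") is None or pkt.get("tag") == rule["tagged"]))

def evaluate(direction, iface, pkt):
    """Last match wins, 'quick' stops evaluation, 'tag' is applied on every
    match (sticky) and is kept in pkt['tag'] for the next evaluation."""
    action = "pass"  # pf's default when no rule matches; 'block all' always does here
    for rule in RULES:
        if not matches(rule, direction, iface, pkt):
            continue
        action = rule["action"]
        if "tag" in rule:
            pkt["tag"] = rule["tag"]
        if rule.get("quick"):
            break
    return action

def lan_to_internet(src="10.0.0.5", dst="203.0.113.10"):
    """Trace a constructed LAN packet: first in on dc0, then out on egress."""
    pkt = {"src": src, "dst": dst, "tag": None}
    in_action = evaluate("in", INT_IF, pkt)          # tagged LAN_INET on the way in
    tag_after_in = pkt["tag"]
    out_action = evaluate("out", "egress", pkt)      # LAN_INET -> LAN_INET_NAT, then quick pass
    return in_action, tag_after_in, out_action, pkt["tag"]
```

A packet reaching egress without a tag (for example one that never passed in on dc0) only ever matches `block all` in this model, which is the policy-enforcement point the FAQ ruleset relies on.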