On 02.01.2019 21:35, Klemens Nanni wrote:
> Anchor 11 is the twelfth rule in your main ruleset (the anchor rule),
> in which the first rule established this state.
Ouch, overlooked this one. Thanks..
> Provide your ruleset so we can look at actual rules without guessing in
> case your problem persists, `pfctl -a\* -s rules' prints them including
> anchors.
Hmm, still a bit ambiguous:
===
@11 anchor "relayd/*" all {
[ Evaluations: 21256227 Packets: 845613 Bytes: 363090876 States:
31 ]
[ Inserted: uid 0 pid 12958 State Creations: 16822 ]
anchor "depa_portal_http" all {
}
anchor "depa_portal_https" all {
}
anchor "rnexus_portal_http" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port
= 80 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTP
rdr-to <rnexus_portal_http:1> port 60280 round-robin sticky-address
[ Evaluations: 8919094 Packets: 1101 Bytes: 56088 States:
0 ]
[ Inserted: uid 89 pid 29940 State Creations: 162 ]
}
anchor "rnexus_portal_https" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port
= 443 flags S/SA keep state (tcp.established 600) tag
RNEXUS_PORTAL_HTTPS rdr-to <rnexus_portal_https:1> port 60643
round-robin sticky-address
[ Evaluations: 13343728 Packets: 253 Bytes: 57853 States:
0 ]
[ Inserted: uid 89 pid 29940 State Creations: 18 ]
}
anchor "ssfn-imaps" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port
= 993 flags S/SA keep state (tcp.established 600) tag SSFN_IMAPS rdr-to
<ssfn-imaps:1> port 993 round-robin sticky-address
[ Evaluations: 169032000 Packets: 4965436 Bytes: 1932456130
States: 22 ]
[ Inserted: uid 89 pid 29940 State Creations: 33036 ]
}
====
So, for every redirect one anchor (as expected/designed) - and each has
a rule 0.
Apart from the ip/port tuple (the state in question was to port 993),
I cannot follow this down to which relayd-subanchor?
ciao
--
pb
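
An added example, not part of the original mail and not code from OpenBSD or relayd: a small Python parser for the nested listing above that records the full anchor path of every numbered rule, then narrows "rule 0" down by destination port and by the `States:` counter (states currently held by that rule). The sample text is constructed from the listing in this mail with the wrapped lines rejoined, and `parse_rules` and `candidates` are hypothetical names.

```python
import re

# Constructed sample: part of the listing from the mail, wrapped lines rejoined.
SAMPLE = """\
@11 anchor "relayd/*" all {
  [ Evaluations: 21256227  Packets: 845613  Bytes: 363090876  States: 31 ]
  [ Inserted: uid 0 pid 12958 State Creations: 16822 ]
  anchor "depa_portal_http" all {
  }
  anchor "rnexus_portal_http" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 80 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTP rdr-to <rnexus_portal_http:1> port 60280 round-robin sticky-address
  [ Evaluations: 8919094  Packets: 1101  Bytes: 56088  States: 0 ]
  [ Inserted: uid 89 pid 29940 State Creations: 162 ]
  }
  anchor "ssfn-imaps" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 993 flags S/SA keep state (tcp.established 600) tag SSFN_IMAPS rdr-to <ssfn-imaps:1> port 993 round-robin sticky-address
  [ Evaluations: 169032000  Packets: 4965436  Bytes: 1932456130  States: 22 ]
  [ Inserted: uid 89 pid 29940 State Creations: 33036 ]
  }
}
"""

ANCHOR = re.compile(r'^(?:@\d+ )?anchor "([^"]+?)(?:/\*)?"')
RULE = re.compile(r'^@(\d+) (?!anchor )')
PORT = re.compile(r'port = (\d+)')
STATES = re.compile(r'\bStates:\s*(\d+)')   # does not match "State Creations:"

def parse_rules(text):
    """Return one dict per non-anchor rule, with the anchor path it sits in."""
    stack, rules, cur = [], [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):             # counter line of the preceding rule
            if cur and (s := STATES.search(line)):
                cur["states"] = int(s.group(1))
            continue
        cur = None
        a, r = ANCHOR.match(line), RULE.match(line)
        if a and line.endswith("{"):
            stack.append(a.group(1))
        elif line == "}" and stack:
            stack.pop()
        elif r:
            p = PORT.search(line)            # first "port = N" is the match port
            cur = {"anchor": "/".join(stack), "nr": int(r.group(1)),
                   "port": int(p.group(1)) if p else None, "states": 0}
            rules.append(cur)
    return rules

def candidates(rules, nr, port=None):
    """Anchors whose rule `nr` currently holds states (optionally: on `port`)."""
    return [r["anchor"] for r in rules if r["nr"] == nr
            and r["states"] > 0 and port in (None, r["port"])]
```

The rule number alone is shared by every sub-anchor, so the port and the nonzero `States:` counter are what single out one of them in a listing taken at the same time as the state.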