The pf.conf -- with the tag/tagged -- is a long-time working config. All
I did (or tried to do) was move the rdr, in the redacted form, to an anchor
as shown.

In the future, there is going to be a very large number of rdrs, and I'm
seeking a cleaner and more effective variant.

It's behaving as if the tag's scope is inside the anchor only;
therefore, it is not seen by the larger pf.conf.

/S




-----Original Message-----
From: Calomel <[EMAIL PROTECTED]>
Reply-To: Calomel <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: pf anchors with tag/tagged
Date: Fri, 8 Feb 2008 11:30:17 -0500
Delivered-To: [EMAIL PROTECTED]

Are the pass rules valid for the packets you are redirecting? A redirect
rule and pass rule like the following works without issue.

rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState tagged OPENSSH


  OpenBSD Pf Firewall "how to" ( pf.conf )
  http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:
>(sorry, orig post errantly had no subject)
>
>Trying to redact (simplify) pf rdr statements by moving the repeating
>(common) criteria to the top.
>
>The rules load error free.  The pfctl -vvsnat shows the rdr-anchor in
>place; however, tcpdump shows the block rules being hit AS IF THE
>TAG/TAGGED IS NOT BEING "SEEN."
>
>Anyone, any ideas?
>
>Thanks...
>
>/etc/pf.anchor.rdr1
># -----
>anchor log on outside inet proto tcp \
>from !<droplist> to (outside:0) {
>rdr port   25 tag T1 -> 192.168.2.225
>rdr port 5060 tag T1 -> 192.168.2.200
>rdr port  443 tag T2 -> 192.168.2.250
>}
># ---
>
>/etc/pf.conf
>rdr-anchor "/etc/pf.anchor.rdr1"
>...
>block all
>...
>pass log quick ...tagged T1 ...
>pass log quick ...tagged T2 ...
>...
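As an added example (not part of the thread, and not Calomel's or the poster's config), here is the pattern Calomel's reply describes, written out as a complete pre-OpenBSD 4.7 pf.conf of the kind in use when this thread was written: each rdr rule tags the packet it redirects, and the pass rules match on the translated (internal) destination plus the tag. The interface name, internal addresses, the use of TCP for port 5060 and the droplist file path are assumed for illustration; the ports and tag names follow the quoted post.

```pf
# Added example: rdr rules that tag, and pass rules that match the tag.
# Interface, internal hosts and droplist path are assumed values.
ext_if   = "em0"
mail_srv = "192.168.2.225"
sip_srv  = "192.168.2.200"
web_srv  = "192.168.2.250"
table <droplist> persist file "/etc/pf.droplist"   # assumed path

# Translation section. In pre-4.7 pf, translation runs before filtering,
# so the filter rules below see the post-rdr (internal) destination.
rdr on $ext_if inet proto tcp from !<droplist> to ($ext_if) port 25   tag T1 -> $mail_srv
rdr on $ext_if inet proto tcp from !<droplist> to ($ext_if) port 5060 tag T1 -> $sip_srv
rdr on $ext_if inet proto tcp from !<droplist> to ($ext_if) port 443  tag T2 -> $web_srv

# Default deny, logged so that mismatches show up in pflog.
block log all

# Filter section: destination is the internal host, not ($ext_if),
# and the tag set by the rdr rule is required.
pass in log quick on $ext_if inet proto tcp to $mail_srv port 25   flags S/SA keep state tagged T1
pass in log quick on $ext_if inet proto tcp to $sip_srv  port 5060 flags S/SA keep state tagged T1
pass in log quick on $ext_if inet proto tcp to $web_srv  port 443  flags S/SA keep state tagged T2
```

When the rdr rules live in a rdr-anchor instead, `pfctl -s nat` on the main ruleset shows only the anchor attachment line; `pfctl -a <anchor-name> -s nat` lists what that anchor actually contains, which is the quickest way to confirm the tagging rdr rules were loaded where you expect. A pass rule written against `($ext_if)` rather than the internal host will not match a redirected packet, and the logged `block all` rule is what fires instead.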
