All macros, redirections and rules must be in the anchor that uses them, as I
understand it. Take a look at the anchors section of this link.

  OpenBSD Pf Firewall "how to" ( pf.conf )
  http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Fri, Feb 08, 2008 at 01:24:40PM -0500, scott wrote:
>The pf.conf -- with the tag/tagged -- is a long-time working config. All
>I did (trying to do) is move the rdr, in the redacted form, to an anchor
>as shown.
>
>In the future, there's going to be a very large number of rdr's and I'm
>seeking a cleaner and effective variant.
>
>It's behaving as if the tag's scope is inside the anchor only;
>therefore, is not seen by the larger pf.conf.
>
>/S
>
>
>
>
>-----Original Message-----
>From: Calomel <[EMAIL PROTECTED]>
>Reply-To: Calomel <[EMAIL PROTECTED]>
>To: misc@openbsd.org
>Subject: Re: pf anchors with tag/tagged
>Date: Fri, 8 Feb 2008 11:30:17 -0500
>Delivered-To: [EMAIL PROTECTED]
>
>Are the pass rules valid for the packets you are redirecting? A redirect
>rule and pass rule like the following works without issue.
>
>rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH \
>    -> lo0 port $SshPort
>pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort \
>    $SynState tagged OPENSSH
>
>
>  OpenBSD Pf Firewall "how to" ( pf.conf )
>  http://calomel.org/pf_config.html
>
>--
> Calomel @ http://calomel.org
> Open Source Research and Reference
>
>
>On Fri, Feb 08, 2008 at 08:35:44AM -0500, S. Scott Sima, CISA, CISM wrote:
>>(sorry, orig post errantly had no subject)
>>
>>Trying to redact (simplify) pf rdr statements by moving the repeating
>>(common) criteria to the top.
>>
>>The rules load error free.  The pfctl -vvsnat shows the rdr-anchor in
>>place; however, tcpdump shows the block rules being hit AS IF THE
>>TAG/TAGGED IS NOT BEING "SEEN."
>>
>>Anyone, any ideas?
>>
>>Thanks...
>>
>>/etc/pf.anchor.rdr1
>># -----
>>anchor log on outside inet proto tcp \
>>from !<droplist> to (outside:0) {
>>rdr port   25 tag T1 -> 192.168.2.225
>>rdr port 5060 tag T1 -> 192.168.2.200
>>rdr port  443 tag T2 -> 192.168.2.250
>>}
>># ---
>>
>>/etc/pf.conf
>>rdr-anchor "/etc/pf.anchor.rdr1"
>>...
>>block all
>>...
>>pass log quick ...tagged T1 ...
>>pass log quick ...tagged T2 ...
>>...
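A small lint script, added here as an example (it is not part of the thread, and not a pf tool), that walks a pf.conf text, records where each tag is set (`tag X`) and tested (`tagged X`), and reports tags tested but never set, set but never tested, and tags whose setter and tester sit at different anchor depths, which is the situation in this thread. The sample ruleset is constructed from the configuration quoted above; nesting is tracked only through inline `{ ... }` anchor blocks, and anchors loaded from separate files are not followed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread: rdr rules inside an inline
# anchor set tags, pass rules in the main ruleset match on them, and one
# pass rule (T3) references a tag that nothing sets.
SAMPLE = """
rdr-anchor "rdr1"
anchor log on outside inet proto tcp \\
from !<droplist> to (outside:0) {
rdr port   25 tag T1 -> 192.168.2.225
rdr port 5060 tag T1 -> 192.168.2.200
rdr port  443 tag T2 -> 192.168.2.250
}
block all
pass log quick on outside proto tcp to 192.168.2.225 port 25 tagged T1
pass log quick on outside proto tcp to 192.168.2.250 port 443 tagged T2
pass log quick on outside proto tcp to 192.168.2.210 port 22 tagged T3
"""

TAG_RE = re.compile(r"\btag\s+(\S+)")       # 'tag X' sets a tag
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")  # 'tagged X' tests for it

def tag_usage(conf):
    """Return ({tag: [(line, depth)]}, {tag: [(line, depth)]}) for setters
    and testers; depth 0 is the main ruleset, each '{' opens an anchor."""
    setters, testers = defaultdict(list), defaultdict(list)
    depth, pending = 0, ""
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = pending + raw.split("#", 1)[0].strip()
        if line.endswith("\\"):           # pf.conf backslash continuation
            pending = line[:-1] + " "
            continue
        pending = ""
        if line == "}":                   # inline anchor block closes
            depth -= 1
            continue
        for tag in TAG_RE.findall(line):
            setters[tag].append((lineno, depth))
        for tag in TAGGED_RE.findall(line):
            testers[tag].append((lineno, depth))
        if line.endswith("{"):            # inline anchor block opens
            depth += 1
    return setters, testers

def check_tags(conf):
    """Classify tags: never set, never tested, or set/tested across anchors."""
    setters, testers = tag_usage(conf)
    report = {"unset": [t for t in testers if t not in setters],
              "unused": [t for t in setters if t not in testers],
              "cross_anchor": [t for t in setters if t in testers and
                               {d for _, d in setters[t]} != {d for _, d in testers[t]}]}
    return {k: sorted(v) for k, v in report.items()}
```

Run `check_tags` over your own pf.conf text; anything listed under `cross_anchor` is a tag whose rdr and pass rules live in different anchors and is worth inspecting with `pfctl -vvsnat` and `pfctl -vvsr`.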
