Well, you'll have to get the other params correct too (in/out and the real userId). I have the following:

pass out quick log on outside inet proto tcp \
    user proxy modulate state queue(Q0,Q7)

And it works correctly at assigning the local ftp-proxy daemon's traffic, where "proxy" is its running userID, to its queue.

/S

-----Original Message-----
From: Stefan Schulze Frielinghaus <[EMAIL PROTECTED]>
To: scott <[EMAIL PROTECTED]>
Cc: misc@openbsd.org
Subject: Re: pf tag/tagging and packages from localhost
Date: Mon, 25 Feb 2008 12:31:31 +0100
Mailer: Evolution 2.12.3 (2.12.3-1.fc8)
Delivered-To: [EMAIL PROTECTED]

I tried it without success. I guess the user feature is for something
different. A quote from pf.conf(5):

    This rule only applies to packets of sockets owned by the specified
    user. For outgoing connections initiated from the firewall, this is
    the user that opened the connection. For incoming connections to the
    firewall itself, this is the user that listens on the destination
    port.

My interpretation of this is that if I use your example policy:

> pass in inet proto tcp from any to any port 80 \
>     user <FacilityDaemonID> tag MYTAG \
>     keep state

it means that all incoming traffic to user "FacilityDaemonID" would be
tagged with "MYTAG". _But_ it wouldn't tag packets outgoing from the
local user "FacilityDaemonID".

Nevertheless I really like this feature (thanks for the hint) and I use
policies like this one:

pass out quick on $ext_if inet proto udp from ($ext_if) \
    to any port domain user root keep state

This policy should only pass packets from localhost, which is what I
wanted to achieve. My other RDR/NAT/DMZ forwarding and whatever rules
don't get touched by this rule.

Best regards
Stefan

On Sun, 2008-02-24 at 12:18 -0500, scott wrote:
> RE: LOCAL HOSTS DON'T...
>
> You can use the "user" or "group" criteria to identify the
> facility/service (daemon) and tag their packets accordingly.
>
> #
> pass in inet proto tcp from any to any port 80 \
>     user <FacilityDaemonID> tag MYTAG \
>     keep state
> ...
> pass out ... tagged MYTAG
> #
>
> You may be able to further refine the any/any criteria.
>
> -----Original Message-----
> From: Stefan Schulze Frielinghaus <[EMAIL PROTECTED]>
> To: misc@openbsd.org
> Subject: pf tag/tagging and packages from localhost
> Date: Sat, 23 Feb 2008 19:59:54 +0100
> Mailer: Evolution 2.12.3 (2.12.3-1.fc8)
> Delivered-To: [EMAIL PROTECTED]
>
>
> But that rule gives me a headache. I can't use "tagged" (or at least I
> don't know how to do it) because packets from localhost don't run
> through an input chain and I can't tag them.
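The two mechanisms discussed in this thread side by side, as an added pf.conf excerpt that is not from any of the posters: `user` for sockets that live on the firewall itself (the ftp-proxy running as "proxy", root's resolver queries), and `tag`/`tagged` for traffic the firewall merely forwards. Interface names, the internal network, the queue names and bandwidths are assumptions chosen for the example; the user "proxy" and the `port domain` rule are taken from the thread.

```pf
# Added example, not the posters' configuration. Macros are assumptions.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Bind states to the interface they were created on so that forwarded
# packets are evaluated again on $ext_if; with the default floating
# states the "pass out ... tagged" rule below would rarely be consulted
# because the state created on $int_if already matches the packet.
set state-policy if-bound

# Old-style altq queues (assumed names/bandwidths) so the queue()
# assignments below have something to land in.
altq on $ext_if cbq bandwidth 2Mb queue { q_std, q_dns, q_ftp }
queue q_std bandwidth 70% cbq(default)
queue q_dns bandwidth 10%
queue q_ftp bandwidth 20%

block log all

# --- Traffic that originates ON the firewall: match by socket owner ---
# "user" compares the uid of the local socket that sent the packet, so it
# works for locally generated packets that never hit an "in" rule and
# therefore can never carry a tag.  Only root's resolver queries may
# leave, and only ftp-proxy (running as user "proxy") gets the ftp queue.
pass out quick on $ext_if inet proto udp from ($ext_if) \
    to any port domain user root keep state queue q_dns
pass out quick log on $ext_if inet proto tcp \
    user proxy modulate state queue q_ftp

# --- Traffic the firewall FORWARDS: match by tag ---
# "user" is useless here (no local socket owns a forwarded packet), so
# tag it where it enters and let the outbound rule pick the tag up.
pass in quick on $int_if inet proto tcp from $int_net to any port www \
    tag LAN_WWW keep state
pass out quick on $ext_if inet proto tcp tagged LAN_WWW keep state
```

Validate before loading with `pfctl -nf /etc/pf.conf`, then confirm which rule a connection actually hit with `pfctl -vsr` (rule counters) or `pfctl -ss` (states, which show the tag when one is set). The check worth doing after a change like this is to run a lookup as a non-root user on the firewall and watch it get blocked, and then to run the same lookup from a LAN host and see it pass only via the forwarding rules: that confirms `user` is keyed to the local socket owner and does not leak into forwarded traffic.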