Hi,

I have been playing with anchors lately and I am missing something.

The machine is "4.7 GENERIC#558 i386"

The pf.conf is

========================================

int_if="vr0"
ext_ifA="sk0"
ext_ifT="vr1"

set loginterface sk0
set skip on lo

match out on $ext_ifA inet from $int_if:network \
        to any nat-to ($ext_ifA)
match out on $ext_ifT inet from $int_if:network \
        to any nat-to ($ext_ifT)

block in log (all)

anchor atelonly
load anchor atelonly from "/etc/pf-confs/anchor-atelonly"

anchor tataonly
anchor atelandtata

pass in log (all, to pflog1) on $int_if

=========================================

Now the firewall is running on these rules

============================================

# pfctl -sr
match out on sk0 inet from 172.16.0.0/12 to any nat-to (sk0) round-robin
match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin
block drop in log (all) all
anchor "atelonly" all
anchor "tataonly" all
anchor "atelandtata" all
pass in log (all, to pflog1) on vr0 all flags S/SA keep state

# pfctl -sA
  atelandtata
  atelonly
  tataonly
# pfctl -a atelandtata -sr
# pfctl -a tataonly -sr
# pfctl -a atelonly -sr
pass out log (all, to pflog2) quick on sk0 all flags S/SA keep state
#

==============================================

I have the following pflog interfaces

===============================================

pflog1: flags=41<UP,RUNNING> mtu 33200
        priority: 0
        groups: pflog
pflog2: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
pflog3: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
pflog4: flags=41<UP,RUNNING> mtu 33200
        priority: 0
        groups: pflog
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog

=================================================

In pflog2 I can see the traffic passing out through sk0 to the
internet. Fine :-)

Now I run the following commands to stop traffic to the internet
through sk0 and use the second internet connection instead.
So my idea is to

1) change the default route to that of the second internet connection by

#route change -inet default 1ss.2ee.1ff.1

2) Load the anchor tataonly with rules from

============================
# cat /etc/pf-confs/anchor-tataonly

ext_ifT="vr1"

pass out log (all, to pflog3) quick on $ext_ifT
=============================

by

#pfctl -a tataonly -f "/etc/pf-confs/anchor-tataonly"

3) clear rules and states created by them from anchor "atelonly" by

#pfctl -a atelonly -F all

Now I execute the following commands and these are the outputs

===============================================
# route change -inet default 121.247.145.1
change net default: gateway 121.247.145.1
# pfctl -a tataonly -f "/etc/pf-confs/anchor-tataonly"
# pfctl -a atelonly -F all
rules cleared
0 tables deleted.
#
==================================================

Now according to the pfctl man page

-F all        Flush all of the above.   (i.e. including states)

 -a anchor
             Apply flags -f, -F, and -s only to the rules in the specified
             anchor.

So as said the rules in the anchor atelonly are flushed

=====================================================

# pfctl -sr
match out on sk0 inet from 172.16.0.0/12 to any nat-to (sk0) round-robin
match out on vr1 inet from 172.16.0.0/12 to any nat-to (vr1) round-robin
block drop in log (all) all
anchor "atelonly" all
anchor "tataonly" all
anchor "atelandtata" all
pass in log (all, to pflog1) on vr0 all flags S/SA keep state
# pfctl -a atelonly -sr
# pfctl -a tataonly -sr
pass out log (all, to pflog3) quick on vr1 all flags S/SA keep state
#
=========================================================

and I can see traffic going out to the internet through vr1 on pflog3

but there is still traffic going out to the internet through sk0
which can be seen in pflog2.

So I guess the states made by those rules in the anchor "atelonly"
were not cleared?

How do I clear only those states?

I now tried

doing a

## pfctl -a atelonly -F states
1469 states cleared

before doing

# pfctl -a atelonly -F all

then I lose my ssh connection with the firewall :-(
Is it because it clears all the states instead of the ones created by
"-a atelonly"?

How do I flush just the states created by an anchor ruleset when I flush them?

anchor "atelandtata" holds nothing now but if I do a

#pfctl -a atelandtata -ss

it shows all the states.

but the man page says

  -a anchor
             Apply flags -f, -F, and -s only to the rules in the specified
             anchor.

Am I misunderstanding the wording by some means?
Could someone please explain?

Thanks :-)

--Siju
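The uplink switch described in the post (change the default route, load the "tataonly" anchor, flush the "atelonly" anchor), scripted as an added example that is not part of Siju's mail, and finished with a per-flow state kill instead of a global "-F states". It assumes the long-standing pfctl(8) "-k" behaviour (a second "-k" gives the destination, and a prefix length of 0 is a wildcard, so "-k 0.0.0.0/0 -k DST" kills every state whose target is DST whatever its NATed source), and it assumes "pfctl -ss" prints NATed outbound states as "all tcp SRC:PORT (NATADDR:PORT) -> DST:PORT STATE:STATE"; check that format on the box before relying on the parser. 192.0.2.10 is a placeholder for sk0's public address (the post does not give it); the gateway, interface and anchor names come from the post, and the sample state lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: scripted failover from uplink A
# (sk0, anchor "atelonly") to uplink T (vr1, anchor "tataonly").
#
# Assumptions (not stated in the post):
#  * pfctl "-k SRC -k DST" kills states from SRC to DST, and 0.0.0.0/0 acts
#    as a wildcard, so "-k 0.0.0.0/0 -k DST" kills all states targeting DST
#    regardless of their (NATed) source.
#  * "pfctl -ss" prints NATed outbound states as
#        all tcp SRC:PORT (NATADDR:PORT) -> DST:PORT   STATE:STATE
#  * 192.0.2.10 is a placeholder for sk0's public address.

PFCTL="${PFCTL:-pfctl}"   # set PFCTL="echo pfctl" for a dry run
ROUTE="${ROUTE:-route}"

# Read "pfctl -ss" output on stdin and print one "-k 0.0.0.0/0 -k DST"
# argument set per remote host that has a state NATed to $1 (the old
# uplink's address). Each destination is printed once. States that were
# not NATed (e.g. the ssh session to the firewall's own address) are skipped.
kill_args_for_nat_addr() {
    awk -v nat_addr="$1" '
        {
            # locate the "->" token; the NAT address is the parenthesised
            # field just before it, the destination the field just after it
            for (i = 2; i < NF; i++) if ($i == "->") break
            if (i >= NF || $(i-1) !~ /^\(/) next
            nat = $(i-1); sub(/^\(/, "", nat); sub(/:[0-9]+\)$/, "", nat)
            if (nat != nat_addr) next
            dst = $(i+1); sub(/:[0-9]+$/, "", dst)
            if (!(dst in seen)) { seen[dst] = 1; print "-k 0.0.0.0/0 -k " dst }
        }'
}

# The three steps from the post, in that order, then the targeted state kill.
# $1 = new default gateway, $2 = public address of the uplink being retired.
switch_to_uplink_t() {
    gw="$1"; old_addr="$2"
    $ROUTE change -inet default "$gw"
    $PFCTL -a tataonly -f /etc/pf-confs/anchor-tataonly
    $PFCTL -a atelonly -F all
    # states opened through sk0 survive the anchor flush; kill them per
    # destination so unrelated states (and the admin's ssh) stay up
    $PFCTL -ss | kill_args_for_nat_addr "$old_addr" | while read -r args; do
        $PFCTL $args
    done
}

# Constructed sample of "pfctl -ss" output in the assumed format: three flows
# NATed to the old uplink, one via the other uplink, one internal ssh session.
sample_states() {
    cat <<'EOF'
all tcp 172.16.1.20:51200 (192.0.2.10:60001) -> 203.0.113.7:443       ESTABLISHED:ESTABLISHED
all udp 172.16.1.21:5353 (192.0.2.10:60002) -> 203.0.113.53:53       MULTIPLE:MULTIPLE
all tcp 172.16.1.20:51201 (192.0.2.10:60003) -> 203.0.113.7:80       ESTABLISHED:ESTABLISHED
all tcp 172.16.1.22:51300 (198.51.100.2:60004) -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED
all tcp 172.16.1.5:40000 -> 172.16.0.1:22       ESTABLISHED:ESTABLISHED
EOF
}

# "sh failover.sh --dry-run" prints the commands instead of running them
if [ "${1:-}" = "--dry-run" ]; then
    PFCTL="echo pfctl"; ROUTE="echo route"
    switch_to_uplink_t 121.247.145.1 192.0.2.10
    sample_states | kill_args_for_nat_addr 192.0.2.10
fi
```

Killing by destination is deliberately coarse: a state to the same remote host that happened to go out via vr1 dies too, but it simply re-establishes over the new default route, whereas a blanket "-F states" also drops every internal state, including the ssh session the post says was lost.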
