On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
You are correct, Kristof.

If I place the table in the rdr rule, it starts keeping counters. However, what is the point of having the ability to place a table in a rdr-anchor rule in the first place, if it won't be able to keep counters?

Tables are not just about counters. They’re about making a rule filter on a whole selection of addresses (or ranges). In this case you’re choosing to filter what traffic may go into the anchor. Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule in the anchor itself?

I'm doing the following scenario:
table <xyztable> counters
table <othertable> persist

rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no rdr on igb0 proto tcp from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"
# contents of /etc/ASDFGH-anchor:
# (tested separately)
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124          # no counters
# rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124   # counters working

So, in this case - how do I keep counters in the <xyztable> without
breaking the current "workflow"?
If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr rules in the anchor, I won't ever be able to reach 123 -> 192.168.0.1:124.

Is there a way?

I have no idea, and I’m not the best person to talk to about how to configure your firewall.

Best regards,
Kristof
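Kristof's suggestion (filter on the rdr rule inside the anchor rather than on the rdr-anchor line), written out as an added example; this is not from either poster's message. It reuses the thread's table, anchor and interface names, and relies on pf's first-match semantics for translation rules: the table-filtered rdr rule comes first, so sources in <xyztable> hit it and bump its counters, while every other source falls through to the catch-all rdr and still reaches 192.168.0.1:124. The `no rdr` exemption for <othertable> stays in the main ruleset, ahead of the rdr-anchor line.

```pf
# /etc/pf.conf (added example, not the original poster's config)
table <xyztable> counters
table <othertable> persist

# Exempt destinations in <othertable> before anything enters the anchor.
no rdr on igb0 proto tcp from any to <othertable> port 123

# Admit all remaining :123 traffic into the anchor; do the table
# filtering on the rdr rules inside it, not here.
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor (added example; assumed file name from the thread)
# Translation rules are first-match. Sources in <xyztable> match this
# rule and increment its per-address counters ...
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
# ... everyone else falls through to the catch-all, so 192.168.0.1:124
# remains reachable without <xyztable> membership.
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, then inspect the per-address counters with `pfctl -t xyztable -T show -v`. Only addresses in <xyztable> are counted; hits on the catch-all rule are not, so if the goal is to count everything, the table would need to hold every source of interest.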
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
