Your packet flow looks like this:

IN
<nuser> ----> $wan_if
(Packets from <nuser> enter on $wan_if on port 1194/TCP => tag 'NORM')

IN
any ----> $tun_if
(Packets from any can enter on $tun_if on port {80,443}/TCP _if_ they were tagged 'NORM' before)

In this case packets that enter on $wan_if/$tun_if have nothing to do with each other, hence PF handles them separately. (first seen)

IN                OUT
<nuser> ----> $wan_if ---> $tun_if
(Packets entering on $wan_if on port 1194/TCP get tagged 'NORM' and can leave on $tun_if to port { 80, 443 }/TCP _if_ they were tagged 'NORM' before)

Now PF knows about the relationship between $wan_if and $tun_if.

-Mark

On Fri, Nov 11, 2005 at 03:37:57PM +0100, Wild Karl-Heinz wrote:
> In message "pf tagging and matching over more than one interface ..."
> on 11.11.2005, David fire <[EMAIL PROTECTED]> writes:
>
> Df> you only tag the package to port 1194 in both cases and you are allowing only
> Df> tagged packages to ports 22, 80, 443
>
> Port 1194 on wan_if is handled by openvpn.
> Then the data will be redirected to the
> tun interface and there I'll filter the
> traffic.
>
> Sorry, I didn't explain enough.
>
> Df> 2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
> >>
> >> I try to tag a connection on the wan_if and
> >> accordingly on the tag I'll restrict the
> >> access on another interface like.
> >>
> >> an example ...
> >>
> >> pass in quick on wan_if proto tcp from <nuser> to port 1194 tag NORM
> >> keep state
> >> pass in quick on wan_if proto tcp from <puser> to port 1194 tag POWER
> >> keep state
> >>
> >> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
> >> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
> >>
> >> ...
> >>
> >> but I don't know why. It doesn't work.
> >> I thought that works.
> >>
> >> I ask for advice.
> >> Thanks
> >>
> >> Karl-Heinz
>
--
Mark Patruck - Security Consultant
patruck consulting
http://www.patruck-consulting.de
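A pf.conf fragment, added here and not part of the thread, that puts the two rule sets from Mark's diagrams side by side; the interface names, the table contents and the tunnel-side address range are assumptions, not values from the list:

```pf
# Added example (not from the thread). Interface names, table contents and
# the tunnel-side network are assumed; adjust them to the host.
wan_if = "em0"
tun_if = "tun0"
table <nuser> persist { 192.0.2.0/24 }   # constructed client range

# Form from the original post: two unrelated inbound matches. The 'tag' set
# on $wan_if never reaches the 'tagged' test on $tun_if, because a packet
# entering on $tun_if is evaluated as a new inbound packet, not as the one
# that was tagged when it entered on $wan_if. (Kept for comparison only.)
# pass in quick on $wan_if proto tcp from <nuser> to port 1194 tag NORM keep state
# pass in quick on $tun_if proto tcp to port { 80, 443 } tagged NORM keep state

# Form from Mark's second diagram: tag on the way IN, test the tag on the way
# OUT of the other interface. The tag travels with the packet and its state,
# so pf relates the $wan_if inbound rule to the $tun_if outbound rule for a
# packet it forwards between the two interfaces.
pass in  quick on $wan_if proto tcp from <nuser> to port 1194 tag NORM keep state
pass out quick on $tun_if proto tcp to port { 80, 443 } tagged NORM keep state

# Caveat: the in/out pairing only covers packets pf itself forwards. Traffic
# that the openvpn daemon decrypts and writes into $tun_if shows up there as
# fresh inbound packets carrying no tag, so it needs its own inbound rules,
# here keyed on the (assumed) tunnel-side source network.
block in on $tun_if
pass in quick on $tun_if proto tcp from 10.8.0.0/24 to port { 80, 443 } keep state
```

Check the result with `pfctl -nf /etc/pf.conf` (parse only) before loading it, and confirm with `pfctl -ss` that the $wan_if state carries the tag you expect.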