On Wed, Dec 18, 2013 at 8:42 AM, Camiel Dobbelaar <c...@sentia.nl> wrote:
> On 18/12/13 13:53, Maxim Khitrov wrote:
>>
>> When writing outbound rules in pf, is there an accepted best practice
>> for only matching packets that are either forwarded or
>> firewall-generated?
>>
>> The best that I could come up with is 'received-on all' as a way of
>> identifying forwarded packets, but that option can't be negated to
>> match packets that were not received on any inbound interface (i.e.
>> those generated by the firewall itself).
>>
>> Another option is 'from (self)', but then you have to be careful with
>> any preceding nat rules. Ideally, I want a solution that doesn't
>> depend on the context. I also tried to use tags in combination with
>> 'received-on', but it became rather messy and created conflicts with
>> other tag usage.
>>
>> What is everyone else using to solve this problem?
>
>
> Check the "user" option in pf.conf(5):
>
>     user <user>
>             This rule only applies to packets of sockets owned by the
>             specified user.  For outgoing connections initiated from the
>             firewall, this is the user that opened the connection.  For
>             incoming connections to the firewall itself, this is the user
>             that listens on the destination port.  For forwarded connections,
>             where the firewall is not a connection endpoint, the user and
>             group are unknown.
>
I tried that a while ago and it doesn't work as documented:

http://marc.info/?l=openbsd-bugs&m=137650531124231&w=2
http://marc.info/?l=openbsd-bugs&m=137658379014570&w=2
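For readers arriving at this thread looking for a concrete ruleset, the following pf.conf fragment is an added example and not something posted by either participant. It separates forwarded from firewall-generated outbound traffic with the tag approach mentioned in the question: a tag set by the inbound rule travels with the packet and its state, and packets the firewall generates itself never pass an inbound rule, so `! tagged` selects them. It deliberately does not use the `user` option, since the reply above reports that it does not behave as documented. The interface names, the internal network and the permitted service ports are assumptions chosen for illustration.

```pf
# Constructed example ruleset (OpenBSD pf, post-4.7 nat-to syntax).
# Interface names and ports below are assumptions, not from the thread.
ext_if = "em0"
int_if = "em1"

set skip on lo

# Translate forwarded traffic leaving the external interface. Because this
# match rule runs before the filter rules, a plain 'from (self)' test in the
# outbound pass rules would also match NATed forwarded packets; this is the
# "careful with preceding nat rules" caveat from the original question.
match out on $ext_if from $int_if:network nat-to ($ext_if)

block log all

# Everything entering on the internal interface gets tagged. The tag is
# stored with the packet and with the state it creates, so it is still
# visible when the packet is evaluated on the way out of $ext_if.
pass in on $int_if tag FORWARDED

# Forwarded traffic: only packets that carried the tag in from $int_if.
pass out on $ext_if tagged FORWARDED

# Firewall-generated traffic: never matched an inbound rule, so no tag.
# Limit it to what the host itself needs (example ports: DNS, NTP, HTTPS).
pass out on $ext_if ! tagged FORWARDED proto udp to port { 53 123 }
pass out on $ext_if ! tagged FORWARDED proto tcp to port 443
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`. The tag name must not collide with tags used elsewhere in the ruleset, which is the conflict the question describes; choosing a single dedicated tag at the inbound edge and testing only that tag in outbound rules keeps the two concerns apart.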