On 19-12-2013 11:30, Maxim Khitrov wrote:
> That's pretty much what I managed to come up with yesterday. I have
> the following two rules at the top:
>
> match out from (self) tag SELF
> block out log quick received-on all tagged SELF
>
> The second rule is mostly a sanity check. It ensures that you can't
> accidentally add a SELF tag to an inbound packet and have it processed
> as a firewall-generated packet. These are followed by a few rules
> common to forwarded and firewall-generated packets. Finally, I split
> the ruleset like so:
>
> anchor out quick tagged SELF {
>     block return log
>     # Rules for firewall-generated traffic
>     ...
> }
> # Rules for forwarded traffic
> ...
>
> This seems like a good enough solution, but it would be cleaner if we
> could do '!received-on all'. There is also a risk here that one of the
> preceding rules could overwrite the SELF tag.
Nice. Policy-based rulesets with tags are a pain to set up, but when properly implemented the payoff is great. I, personally, use only tags to apply packets to the queues, and to prioritize what needs priority.

Another use for tags, which has already helped me with a lot of issues, is to debug the ruleset. These days I had a nat/forwarding issue and used tags to match the packets and tcpdump/pfctl to be sure that the rules were indeed not working, and made the necessary changes.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
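The split described in the quoted message, assembled into one complete pf.conf as an added example (not code from either poster), with constructed interface names and a constructed LAN prefix. The sanity-check rule is written with `received-on any`, the keyword pf.conf(5) documents for "received on any interface", and no rule after the first match rule uses `tag`, which is the overwrite risk Maxim raises.

```pf
ext_if  = "em0"              # constructed: upstream interface
int_if  = "em1"              # constructed: LAN interface
lan_net = "192.0.2.0/24"     # constructed: LAN prefix

set skip on lo

# 1. Every packet the firewall itself originates gets the SELF tag.
#    A packet carries only one tag, so no later rule may use "tag",
#    or it would silently replace SELF.
match out from (self) tag SELF

# 2. Sanity check: a packet that was received on an interface is being
#    forwarded, not generated here. If it carries SELF anyway, an
#    earlier rule tagged it by mistake: drop it, log it, stop evaluating.
block out log quick received-on any tagged SELF

# Rules common to forwarded and firewall-generated traffic
block log all
pass in on $int_if from $lan_net to any

# Firewall-generated traffic: the anchor is entered only for SELF-tagged
# packets, and the leading block turns it into an explicit whitelist.
anchor out quick tagged SELF {
    block return log
    pass out proto { tcp udp } to any port domain
    pass out proto udp to any port ntp
    pass out proto tcp to any port { http https }
}

# Forwarded traffic: never SELF-tagged, so the anchor above is skipped
pass out on $ext_if proto tcp from $lan_net to any port { http https }
pass out on $ext_if proto { tcp udp } from $lan_net to any port domain

# Checks: syntax-check without loading, then watch per-rule counters and
# the pflog interface; a non-zero hit count on the "received-on any
# tagged SELF" rule means some rule is mis-tagging forwarded packets.
#   pfctl -nf /etc/pf.conf
#   pfctl -vvsr
#   tcpdump -n -e -ttt -i pflog0
```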