The anchors are in the running rule set, per the man and faq examples, right in the nat/rdr top-of-the-rule-set section, just not shown in the (snip) included in the post. If they weren't there the "user proxy" version of snip wouldn't be working.
Thanks for the link, it *may* be relevant; however, the fact that [pass quick] "user proxy" works and [pass quick] "tagged <tag>" does not -- in an otherwise IDENTICAL rule set -- suggests that order (placement with regard to anchors) is NOT a factor (in my case).

If the anchor's "quick" was in play, then -I would think that- the "user proxy" version rule would never be a positive factor AND the [pass quick] "tagged <tag>" version would NOT be failing on the final BLOCK ALL rule. The anchor-quick would have already happened.

Additionally, the "pfctl -vvvs rules" counters are ZERO for the "tagged <tag>" version and otherwise correct and incrementing for the "user proxy" version.

-----Original Message-----
From: Camiel Dobbelaar <[EMAIL PROTECTED]>
To: S. Scott Sima, CISA, CISM <[EMAIL PROTECTED]>
Cc: misc@openbsd.org
Subject: Re: openbsd 4.2 + ftp-proxy -T + pf +tag/tagged not working
Date: Tue, 11 Dec 2007 07:31:01 +0100
Mailer: Thunderbird 2.0.0.9 (Windows/20071031)

I don't see the anchors, you need those with tagging too.

Other than that, it may still not work as expected, see:
http://marc.info/?l=openbsd-misc&m=119729395125104&w=2

_________________________
The information contained in this email and attachments, in whole or in part, termed "COVERED INFORMATION," is for the exclusive use of the addressee and contains confidential information requested and/or transmitted with an expectation of privacy and confidentiality. If the recipient of COVERED INFORMATION is not the addressee, such recipient is strictly prohibited from any use in any way including but not limited to reading, copying, distribution or retention. Please notify sender by reply of the error and destroy all instances of the COVERED INFORMATION in your possession or control.