I like the idea (as I suggested before:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=105215655418099&w=2). Somehow
Henning didn't like the idea back then, and as I got my rules working w/o it, I
did not implement it.
Vincent's patch might need some minor improvements and changes, but the idea
is right IMO. We should keep in mind that firewall admins are not always
programmers and will appreciate such helpers. Unless you tell me an *easy*
way to get a *full* dump of all rules in place at any given time, that is
*readable*, I'd like to have something like Vincent's patch in pfctl.

Remember the pain when all of a sudden all webserver traffic is blocked and
you find that it was some rule inside of an authpf anchor that caused the
headache ... sure I hear you screaming that that's a beginner's fault, but
everybody starts as a beginner and we should help them to get on the train
and not tell them to bugger off and learn to write C before *using* a
firewall, IMO.

    Max

> Hi all,
>
> I started to use OpenBSD and PF a few weeks ago, and I must say I'm
> really satisfied with this. The anchor system is definitely a nice
> feature!
> However, in the beginning, I've had some hard time debugging my fw
> rules, when anchors were involved. So I've tried to add an "anchor
> expansion option" to pfctl, to help in such situations.
> As I've seen some people had talked about such an expansion in a
> previous thread, I've decided to share my few code lines with the
> list...
> To face the "pfctl output should be a valid pfctl input" issue, I've
> added a "#" at the beginning of every expanded line (ie for every rule
> related to an anchor). However, I still wonder if it is a good idea to use
> a printf for it, or if these rules should be shown using fprintf on
> stderr... Any idea about this?
>
> Here is a (dumb) sample of a "modified pfctl" output:
> 1) without expansion
> # pfctl -sr
> block drop in all
> block drop out all
> anchor test all
> pass in on rl0 all
>
> # pfctl -sn
> nat on rl1 inet all -> (rl1)
> nat-anchor test all
>
> 2) with expansion
> # pfctl -sr -E
> block drop in all
> block drop out all
> anchor test all
>         # pass in on rl1 inet proto tcp from any to any port = ssh
> pass in on rl0 all
>
> # pfctl -sn -E
> nat on rl1 inet all -> (rl1)
> nat-anchor test all
>         # nat on rl0 inet proto tcp from 172.16.1.2 to any port = www -> 192.168.1.1
>         # rdr on rl1 inet proto tcp from any to 192.168.1.1 port = www -> 172.16.1.1 port 8080
>
> The patch was done using pfctl code from OpenBSD 3.3.
> Every comment or suggestion about it is welcome !
>
> -- 
> Vincent - [EMAIL PROTECTED]
>
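The "full, readable dump of every rule in place, anchors included" that Max asks for can be had without patching pfctl at all, by walking the anchor tree from the shell. The script below is an added example for this thread; it is not Vincent's patch and not code from OpenBSD's pfctl. It assumes a pfctl with hierarchical anchors (OpenBSD 3.6 and later, or FreeBSD), where `pfctl -sA` lists anchors one per line with a leading indent, `pfctl -a <anchor> -sA` lists that anchor's sub-anchors as full paths, and `pfctl -a <anchor> -sr` / `-sn` print that anchor's filter and NAT rules; the 3.3 pfctl in the thread used the older `anchor:ruleset` addressing, so it would need adjusting there. Everything under an anchor is printed indented and prefixed with `# `, as in Vincent's patch, so the dump still loads as a valid pfctl.conf. `fake_pfctl` is a constructed stand-in for the real binary that replays the sample ruleset from Vincent's mail plus one nested anchor so the recursion is visible offline.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenBSD code): expand all pf
# anchors recursively into one readable, still-loadable listing.
#
# Usage:  PFCTL=pfctl sh pfdump.sh        # live ruleset, needs root
#         PFCTL=fake_pfctl sh pfdump.sh   # constructed sample below

# Constructed sample that mimics pfctl's -sn/-sr/-sA output for the
# ruleset in Vincent's mail, with an extra nested anchor "test/inner".
fake_pfctl() {
    anchor=""; show=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -a) anchor="$2"; shift 2 ;;
            -s*) show="$1"; shift ;;
            *) shift ;;
        esac
    done
    case "$anchor:$show" in
        ':-sn') printf '%s\n' 'nat on rl1 inet all -> (rl1)' 'nat-anchor "test" all' ;;
        ':-sr') printf '%s\n' 'block drop in all' 'block drop out all' \
                             'anchor "test" all' 'pass in on rl0 all' ;;
        ':-sA') printf '  %s\n' test ;;
        'test:-sn') printf '%s\n' \
            'nat on rl0 inet proto tcp from 172.16.1.2 to any port = www -> 192.168.1.1' \
            'rdr on rl1 inet proto tcp from any to 192.168.1.1 port = www -> 172.16.1.1 port 8080' ;;
        'test:-sr') printf '%s\n' 'pass in on rl1 inet proto tcp from any to any port = ssh' \
                                  'anchor "inner" all' ;;
        'test:-sA') printf '  %s\n' test/inner ;;
        'test/inner:-sr') printf '%s\n' 'block in on rl1 inet proto tcp from any to any port = 2222' ;;
    esac
}

# PFCTL_BIN is the command actually invoked; defaults to the real pfctl.
PFCTL_BIN="${PFCTL:-pfctl}"

# pf_show ANCHOR FLAG: run pfctl for one anchor ("" = main ruleset).
pf_show() {
    if [ -n "$1" ]; then
        "$PFCTL_BIN" -a "$1" "$2"
    else
        "$PFCTL_BIN" "$2"
    fi
}

# pf_dump_tree ANCHOR INDENT: print NAT rules, filter rules and then each
# sub-anchor of ANCHOR, recursing with four more spaces of indent.
# Main-ruleset lines are printed verbatim; anchored rules get "# " so the
# whole dump is still valid pfctl.conf input. Only positional parameters
# are used so the recursion does not clobber the caller's state.
pf_dump_tree() {
    if [ -n "$1" ]; then
        pf_show "$1" -sn | sed "s|^|$2# |"
        pf_show "$1" -sr | sed "s|^|$2# |"
    else
        pf_show "" -sn
        pf_show "" -sr
    fi
    pf_show "$1" -sA | sed 's/^[[:space:]]*//' | while read -r sub; do
        [ -n "$sub" ] || continue
        printf '%s# anchor "%s" expands to:\n' "$2" "$sub"
        pf_dump_tree "$sub" "$2    "
    done
}

# Run only when the caller chose a pfctl explicitly (see usage above).
if [ -n "${PFCTL:-}" ]; then
    pf_dump_tree "" ""
fi
```

Because every expanded line is a comment, `pfctl -nf` on the saved dump parses it exactly like the original main ruleset, which is the property Vincent's `#` prefix was after. Current pfctl(8) also documents `-a 'name*'` to make the `-s` flags recurse into anchors, but its output interleaves anchors in its own format; the script above keeps the flat, commented form the thread discusses.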
