Re: pf, anchors, and macros
On Wed, Dec 02, 2015 at 01:37:52PM -0200, Giancarlo Razzolini wrote:
> Macros need to be present in each anchor file. Tables don't need to. I
> have a little script that copies all my macros after I edit /etc/pf.conf
> to the anchors. I use commented marks on /etc/pf.conf to know where to
> begin copying and where to end. But you get the point.
> I think it's always been this way.

This may have changed, but if you specify filter conditions in your anchor definition, the screening you get is the combination of the screen on the anchor from the base pf.conf file and the filters specified in the anchor file itself. I use anchors on FreeBSD, which is using an older version of pf, but I got around the issue this way:

--- /etc/pf.conf ---

...
anchor imapd in on $ext_if from any to ($ext_if)
load anchor imapd from "/etc/pf-anchor-home/imapd.conf"
...

--- /etc/pf-anchor-home/imapd.conf ---

imapd_ports="{ 143, 993 }"
pass in proto tcp to any port $imapd_ports keep state

That's a simple example. It would honestly be better without the anchor, since using the anchor divides the rule up into two places. I do it that way because I can easily split firewalling up across two puppet rules. As Giancarlo wrote, the anchor can use your tables. He didn't mention that the anchor can define its own macros. The net result of this is:

pass in on $ext_if \
    from any \
    to ($ext_if) port { 143, 993 } \
    keep state

-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*).___o..___..o...ooO..._
Christopher Sean Hilton                   [chris/at/vindaloo/dot/com]
Re: pf, anchors, and macros
On 02-12-2015 07:56, Sarevok Anchev wrote:
> .. but I don't think it's relevant as I've tried to run the test between
> pf.conf and the base anchor, and still macros defined in pf.conf are not
> available from /etc/pf/anchors/base.
>
> Is this intended behaviour?

Macros need to be present in each anchor file. Tables don't need to. I have a little script that copies all my macros after I edit /etc/pf.conf to the anchors. I use commented marks on /etc/pf.conf to know where to begin copying and where to end. But you get the point.

Cheers,
Giancarlo Razzolini
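The copying script Giancarlo describes above, and the per-anchor macro copies Dave asks about in the "PF, anchors and macros" thread further down, written out as an added example. This is not code posted by anyone on the list. It keeps one macro block in pf.conf between two marker comments and regenerates each anchor file from a hand-edited body plus that block; the marker text, the anchors.d/anchors directory split, the anchor name "imapd" and the sample ruleset in demo() are all assumptions of the example, not something the posters used.

```shell
#!/bin/sh
# Added example, not code from any poster on this thread.
# pf does not make macros from pf.conf visible inside anchor files loaded
# with "load anchor ... from", so each anchor file must carry its own copy.
# Assumed layout (an assumption of this example, not from the thread):
#   $PF_CONF          main ruleset; macros sit between the marker comments
#   $ANCHOR_SRC/NAME  hand-edited anchor body, written without macros
#   $ANCHOR_DIR/NAME  generated file named in "load anchor NAME from ..."
set -eu

PF_CONF="${PF_CONF:-/etc/pf.conf}"
ANCHOR_SRC="${ANCHOR_SRC:-/etc/pf/anchors.d}"
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pf/anchors}"
BEGIN_MARK="# BEGIN MACROS"   # marker comments are assumptions of this example
END_MARK="# END MACROS"

# Print the macro block of a pf.conf: everything between the two markers,
# minus the markers themselves and blank lines. Exact-match comparison, so
# an indented or misspelt marker is simply not recognised.
extract_macros() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { inside = 1; next }
        $0 == e { inside = 0; next }
        inside && NF { print }
    ' "$1"
}

# Build one anchor file: a provenance comment, the macro block, a blank
# line, then the hand-edited body. Written to a temp file and renamed so a
# concurrent "pfctl -f" never reads a half-written anchor.
render_anchor() {
    src="$1"; dst="$2"; conf="$3"
    tmp="$dst.tmp.$$"
    {
        printf '# Macros below are copied from %s; edit them there.\n' "$conf"
        extract_macros "$conf"
        printf '\n'
        cat "$src"
    } > "$tmp"
    mv "$tmp" "$dst"
}

# Regenerate every anchor whose body exists in $ANCHOR_SRC.
render_all() {
    for src in "$ANCHOR_SRC"/*; do
        [ -f "$src" ] || continue
        render_anchor "$src" "$ANCHOR_DIR/${src##*/}" "$PF_CONF"
    done
}

# Dry-run the whole ruleset. pfctl -n follows "load anchor ... from" into
# the generated files, so an undefined macro in any anchor shows up here
# just like the "macro 'ext_if' not defined" error quoted in the thread.
check() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$PF_CONF"
    else
        echo "pfctl not found; skipping ruleset check" >&2
    fi
}

# Offline demonstration on constructed input in a temp directory: prints
# the generated anchor, then its path as the last line of output.
demo() {
    d="$(mktemp -d)"
    mkdir "$d/src" "$d/out"
    cat > "$d/pf.conf" <<EOF
set skip on lo
# BEGIN MACROS
ext_if="ix0"
imapd_ports="{ 143, 993 }"
# END MACROS
anchor imapd in on \$ext_if from any to (\$ext_if)
load anchor imapd from "$d/out/imapd"
EOF
    printf 'pass in proto tcp to any port $imapd_ports keep state\n' > "$d/src/imapd"
    PF_CONF="$d/pf.conf"; ANCHOR_SRC="$d/src"; ANCHOR_DIR="$d/out"
    render_all
    cat "$d/out/imapd"
    echo "$d/out/imapd"
}

case "${1:-}" in
    sync) render_all; check ;;
    demo) demo ;;
    *)    echo "usage: $0 sync | demo" >&2 ;;
esac
```

Run `sh sync-anchors.sh demo` to see the generated file on constructed input, and `sync` from whatever already deploys the rules (the puppet runs and ifstated hooks mentioned in these threads) before the final `pfctl -f`. Only macros are copied; as Giancarlo notes, tables defined in pf.conf are already usable from the anchors, so they stay where they are.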
pf, anchors, and macros
I'm puzzled by the following. According to the documentation it should work? The example at http://www.openbsd.org/faq/pf/anchors.html indeed works, but that's an inline anchor. Here's the problem: I would like to define a macro in an anchor, and use that macro in other anchors below it -- like so:

[ /etc/pf/anchors/base ]
ext_if="ix0"
(...)
anchor ipsec
load anchor ipsec from "/etc/pf/anchors/ipsec"

[ /etc/pf/anchors/ipsec ]
(...)
pass out quick on $ext_if inet proto udp from ($ext_if:0) to port { isakmp, ipsec-nat-t } keep state
(...)

As far as I understand this should work. Instead the result is:

# pfctl -nf /etc/pf.conf
/etc/pf/anchors/ipsec:6: macro 'ext_if' not defined
/etc/pf/anchors/ipsec:6: syntax error
pfctl: load anchors

The base anchor is loaded from /etc/pf.conf like so:

anchor "base/*"
load anchor base from "/etc/pf/anchors/base"

.. but I don't think it's relevant as I've tried to run the test between pf.conf and the base anchor, and still macros defined in pf.conf are not available from /etc/pf/anchors/base.

Is this intended behaviour?

Running on 5.8 release.
Re: PF, anchors and macros
You can search for a thread on this list with the subject "how to manage big pf-rulesets in a comfortable way" - someone posted their makefile for adding a macro set to the start of pf rulesets.
PF, anchors and macros
Hi all,

I'm updating my PF rules to include an anchor for my manual routing rules (using route-to) which can then be updated by ifstated when it notices that one of my links has fallen over.

As the documentation says, macros are not visible in anchors. Which means that my (growing and rather extensive) list of macros and tables that I use have to be copied and pasted into the top of each anchor file and my pf.conf.

Has anyone found a good way of somehow including macros (macros as an anchor don't seem to be possible) into multiple anchors?

Cheers
Dave