Re: pf and Cisco route map equivalent?

2005-03-24 Thread Jason Opperisano
On Wed, 2005-03-23 at 15:21, Xavier wrote:
> Hi,
> 
> Just one question... Maybe stupid, pardon me!
> Can I define sort of "route maps" such as
> in Cisco devices with pf?
> 
> Ex: if source address = x.x.x.x -> send to next hop "y.y.y.y"

yes--"route-to" can be used for this:

pass in on $int_if route-to ($ext_if y.y.y.y) inet from x.x.x.x \
 to any keep state

-j

--
"Asleep at the switch?  I wasn't asleep, I was drunk!"
--The Simpsons


Re: pf and ftp

2005-03-24 Thread Siju George
On Wed, 23 Mar 2005 13:22:40 -0500, Peter Fraser <[EMAIL PROTECTED]> wrote:
> Siju George <[EMAIL PROTECTED]> asked for examples of ftp
> clients that do not work with ftp-proxy.
> 
> The simplest example is the Microsoft ftp client that comes
> with Windows XP.
> 

Thank you so much Peter :)) It's the same with the default ftp client
with Win 2003 also, I think?? I got the problem here :))
kind regards

Siju


Re: pf and Cisco route map equivalent?

2005-03-24 Thread Siju George
On Wed, 23 Mar 2005 21:21:58 +0100 (CET), Xavier <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> Just one question... Maybe stupid, pardon me!
> Can I define sort of "route maps" such as
> in Cisco devices with pf?
> 
> Ex: if source address = x.x.x.x -> send to next hop "y.y.y.y"
> 

YUP !!!

You can use the "route-to" option in PF.

I will post a portion of a working example from my firewall below;
the explanation is also given below.


# Gateway IP of the DSL Internet connection (next hop)
#
dsl_gw = "ip.ip.ip.ip"
#
# Pass and route all packets from the LAN whose source IP is listed
# in the  table
# through the DSL connection
#
pass in quick on $int_if route-to ( $ext_ifdsl $dsl_gw ) \
from  to any keep state
#
# Pass all packets from LAN to Internet
#
pass in on $int_if from $int_if:network to any keep state
#
#

EXPLANATION
--

The firewall is connected to 

1) LAN switch through $int_if
2) cable internet connection through $ext_ifcm
3) DSL connection through $ext_ifdsl

The default route of the firewall (/etc/mygate) is the Gateway (next
hop) for the cable internet connection.

So when packets arrive on $int_if, they go through the filter
rules, and if a packet has a source address that belongs to the
 table, then it matches the rule

pass in quick on $int_if route-to ( $ext_ifdsl $dsl_gw ) \
from  to any keep state

Since the above rule has the quick keyword in it, no further processing is
done, and since the rule has the route-to option in it, the firewall's
routing table is bypassed (not consulted at all); instead the route
specified in the rule ($dsl_gw) is followed and the packet is sent out
the interface $ext_ifdsl.

Now when a packet from the LAN arrives on $int_if with a
source address that does not belong to the  table, it goes
through the filtering rules and matches the rule

pass in on $int_if from $int_if:network to any keep state

so for these packets the firewall's routing table is consulted and they are
routed accordingly (in this case the "/etc/mygate" file contains the
gateway address (next hop) for the cable internet connection, so they
go out through that connection via $ext_ifcm).

Hope it's clear :))

--Siju


pf load balancing, macros, tables...

2005-03-24 Thread Kevin
Hi all,

I'm in the process of setting up a group of load balanced servers, and
I've come across something that (I think) is a bit unusual with macros,
tables and load balancing.

I use tables fairly extensively in our two 3.6-stable OBSD pf/CARP
firewalls, and I'd like to use them in configuring our load balanced
server groups in pf.

It seems that this works:

rdr on $ext proto tcp from any  to $web_servers_ext port 80 -> \
 round-robin sticky-address

yet this does not:
rdr on $ext proto tcp from any  to  port 80 -> \
 round-robin sticky-address


Is this working as advertised or am I missing something?

FWIW: I noticed this is the only place in the ruleset where I would like to
use multiple tables (vs macros) in one rule, so I'm wondering if this is
a "one-table-per-rule" issue or if this is something particular to
load balancing.

As it's *so* easy to add / delete servers from the load balanced
server group when IPs are all you see when you open that particular
table, having use of two tables in one rule would be particularly
nifty.




As always, thanks.
Kevin




-- 
http://www.ebiinc.com : 
Employee Background Screening from EBI
A leader in corporate background checks, worldwide.


Re: can you help me meashuring traffic using OpenBSD's pf?

2005-03-24 Thread Eugene M. Minkovskii
On Wed, Mar 23, 2005 at 03:19:13AM -0800, Ian wrote:
" Hi,
" 
" I beleive you can acheive this with the use of properly labeled rules,
" and then gather information with them and produce output, here is an
" article where some perl is used to create graphs, I imagine it would
" be simple to output the data into bytes which you desire as well.
" 
" http://www.samag.com/documents/s=9053/sam0403j/0403j.htm
" 
" 
" Hope that helps.
" 
" 
" -Ian

Thank you Ian, I read this article a week ago, but it is not
useful for me :(. Of course, I can write some rules with labels
and measure traffic. But this would be a bad firewall (like the
example in your URL), and I can write a good firewall, but labels
in it can't measure incoming and outgoing traffic.

For example:

block all
pass out on $ext_if from any to any keep state

This rule is good because it makes a safe and BIDIRECTIONAL connection. You
see, this rule can't be labeled, because if I set a label on the last
rule, I will measure the sum of incoming AND outgoing traffic, not
separately.

Please, correct me if I'm wrong.

-- 
Sensory  yours, Eugene  Minkovskii
Сенсорно ваш,   Евгений Миньковский


Re: can you help me meashuring traffic using OpenBSD's pf?

2005-03-24 Thread Eugene M. Minkovskii
On Tue, Mar 22, 2005 at 04:49:37PM -0500, David Chubb wrote:
" pfstat can do that pretty well.
" 
" http://www.benzedrine.cx/pfstat.html
" 
" You can also view my companies pfstat implementation:
" 
" http://black.dev.virpack.com/pfstat/
" 
" Enjoy.
" 

Thank you David.

I was trying this port. I see it uses the "set loginterface" feature.
Unfortunately this command can set only one interface.

So, I have 3 interfaces:

0 -> internet
1 -> first department
2 -> second department

To measure incoming and outgoing traffic in the first and second
departments separately, I can't use this port. Perhaps I need to
do the following:

1) set loginterface 0 and write a good firewall on this
interface,

2) set rules like:

pass out on [1] all label first_out
pass in  on [1] all label first_in
pass out on [2] all label second_out
pass in  on [2] all label second_in

and measure traffic by labels. With this information I perhaps
can calculate the incoming and outgoing traffic of the first and second
department, and calculate the traffic of the gateway (because the gateway
machine of course can work with the internet too) using this data and
the total traffic. (Total traffic we measure when we set the loginterface
feature).

What do you think about it?


-- 
Sensory  yours, Eugene  Minkovskii
Сенсорно ваш,   Евгений Миньковский


Re: can you help me meashuring traffic using OpenBSD's pf?

2005-03-24 Thread Daniel Hartmeier
On Thu, Mar 24, 2005 at 02:58:51PM +0300, Eugene M. Minkovskii wrote:

> Yes, it can help me and I do this in one of the networks where I'm
> system administrator. But I have another network where the gateway has 3
> network interfaces (I wrote this some time ago to David in this
> thread). I can't set loginterface to more than one. So now I have the
> following plan:

Try pfctl -vvsI. pf does keep counters for each interface, not just the
one set as loginterface.

Daniel


Re: lan-lan bridge filtering with nat possible ?

2005-03-24 Thread Daniel Hartmeier
On Wed, Mar 23, 2005 at 11:17:28PM +0100, fabien.misto wrote:

> the bridge filtering continues to work, but not the nat.
> I don't know if it's possible.

No, translation (nat, rdr) doesn't generally work on pure bridges. The
reason for that is on ethernet level, the way IP and MAC addresses
relate, and how things break when pf just replaces IP addresses.

Daniel


Re: can you help me meashuring traffic using OpenBSD's pf?

2005-03-24 Thread Eugene M. Minkovskii
On Thu, Mar 24, 2005 at 01:40:53AM -0800, Ian wrote:
" Hmm, yeah this gets difficuilt.  If you have extra computers, you
" could setup an IPless box running pf with just two rules, pass all
" out, pass all in, and then label each and measure based on that.  But
" that's just another box to manage and such, and i'm sure there's
" better ways to measure the traffic from the pf box itself, if not
" directly from pf.  what about the output from pfctl -s info? i.e.:
" 
" Interface Stats for fxp1  IPv4 IPv6
"   Bytes In  83613814340
"   Bytes Out  591564563  352
" 
" 
" could you use that information?
" 

Yes, it can help me and I do this in one of the networks where I'm
system administrator. But I have another network where the gateway has 3
network interfaces (I wrote this some time ago to David in this
thread). I can't set loginterface to more than one. So now I have the
following plan:

# macros
ext_if="rl0"
int_if1="rl1" ## <= for the first department of our company
int_if2="rl2" ## <= for the second department of our company

# options
set loginterface $ext_if

# rules
block on $ext_if all
pass out on $ext_if from any to any keep state
<...other rules with keep state feature on $ext_if...>

# this is the end of the firewall rules
pass in  on $int_if1 all label DEPARTMENT_1_IN
pass out on $int_if1 all label DEPARTMENT_1_OUT
pass in  on $int_if2 all label DEPARTMENT_2_IN
pass out on $int_if2 all label DEPARTMENT_2_OUT


At first look, the last four rules can label inbound and
outbound traffic on the internal interfaces. This means I can
gather total traffic information using the pfctl -si command, and
internal traffic information using labels.

BUT!

When an internal machine in the first department makes a connection to the
internet, this connection is put into the state table and doesn't pass
through the labeled rules.

I'm afraid that this trouble can't be solved using pf. So I have
ten days to think about it, and after that, I will be forced to
install ipcad or another similar program.


-- 
Sensory  yours, Eugene  Minkovskii
Сенсорно ваш,   Евгений Миньковский


Re: pf load balancing, macros, tables...

2005-03-24 Thread Daniel Hartmeier
On Wed, Mar 23, 2005 at 10:47:34PM -0800, Kevin wrote:

> yet this does not:
> rdr on $ext proto tcp from any  to  port 80 -> \
>  round-robin sticky-address

There was a bug fixed recently where pf would fail to select a
translation when a rule did not have an explicit (or implicit) address
family (IPv4/v6). This was backported to 3.6-stable, maybe you have an
older kernel. To test the theory, add 'inet' to your rule, which makes
the address family explicit.

If this is not the problem, describe exactly how 'it is not working'.

Daniel


Re: load-balancing outgoing connections openned by the firewall on 3.6

2005-03-24 Thread Daniel Hartmeier
On Wed, Mar 23, 2005 at 06:47:49PM -0300, Emilio Lucena wrote:

> The question now is why NAT is not having its chance to rewrite the 
> packets with the right source IP address?

Try using 'set state-policy if-bound'. Without it, the re-routed packet
cannot create a second state entry on the second interface.

Enable debug logging with 'pfctl -xm' and check /var/log/messages for
entries from pf.

Daniel


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Daniel Hartmeier
On Mon, Mar 21, 2005 at 10:11:31PM -0500, Jim Fron wrote:

> Any thoughts as to what I'm doing wrong?

It's probably some simple mistake in manipulating the ruleset. Make sure
you have both filter and translation rules loaded successfully, i.e. run

  # pfctl -sn

and check whether rdr rule is correctly loaded like you intend.

One somewhat obscure mistake is to run "pfctl -R -f /etc/pf.conf",
misunderstanding the effect of -R, and not getting one's translation
rules replaced.

Daniel


Re: can you help me meashuring traffic using OpenBSD's pf?

2005-03-24 Thread Oliver Neubauer
Maybe I'm missing something about your requirements, but why not just use MRTG?

It will measure input/output on as many interfaces as you want. 

Since all it *really* does is graph data, it can also be used to
measure virtually anything.
It is relatively easy to create scripts that gather data about the
state of pf (via calls to pfctl -si etc) and feed it into MRTG. No
need to use loginterface or pfstat.

There is a ton of documentation out there for MRTG, but start here:
http://mrtg.hdl.com/mrtg.html

cheers
o
 

On Thu, 24 Mar 2005 14:58:51 +0300, Eugene M. Minkovskii <[EMAIL PROTECTED]> 
wrote:
> On Thu, Mar 24, 2005 at 01:40:53AM -0800, Ian wrote:
> " Hmm, yeah this gets difficuilt.  If you have extra computers, you
> " could setup an IPless box running pf with just two rules, pass all
> " out, pass all in, and then label each and measure based on that.  But
> " that's just another box to manage and such, and i'm sure there's
> " better ways to measure the traffic from the pf box itself, if not
> " directly from pf.  what about the output from pfctl -s info? i.e.:
> "
> " Interface Stats for fxp1  IPv4 IPv6
> "   Bytes In  83613814340
> "   Bytes Out  591564563  352
> "
> "
> " could you use that information?
> "
> 
> Yes, it can help me and I do this in one of the networks where I'm
> system administrator. But I have another network where the gateway has 3
> network interfaces (I wrote this some time ago to David in this
> thread). I can't set loginterface to more than one. So now I have the
> following plan:
> 
> # macros
> ext_if="rl0"
> int_if1="rl1" ## <= for the first department of our company
> int_if2="rl2" ## <= for the second department of our company
> 
> # options
> set loginterface $ext_if
> 
> # rules
> block on $ext_if all
> pass out on $ext_if from any to any keep state
> <...other rules with keep state feature on $ext_if...>
> 
> # this is the end of the firewall rules
> pass in  on $int_if1 all label DEPARTMENT_1_IN
> pass out on $int_if1 all label DEPARTMENT_1_OUT
> pass in  on $int_if2 all label DEPARTMENT_2_IN
> pass out on $int_if2 all label DEPARTMENT_2_OUT
> 
> At first look, the last four rules can label inbound and
> outbound traffic on the internal interfaces. This means I can
> gather total traffic information using the pfctl -si command, and
> internal traffic information using labels.
> 
> BUT!
> 
> When an internal machine in the first department makes a connection to the
> internet, this connection is put into the state table and doesn't pass
> through the labeled rules.
> 
> I'm afraid that this trouble can't be solved using pf. So I have
> ten days to think about it, and after that, I will be forced to
> install ipcad or another similar program.
> 
> 
> --
> Sensory  yours, Eugene  Minkovskii
> Сенсорно ваш,   Евгений Миньковский
>


Re: PF and IP Precedence

2005-03-24 Thread John Merriam
What exactly does PF think 'lowdelay' is though?  I need to specifically 
make sure IP precedence 5 packets are given priority over other traffic 
(except maybe IP precedence 6 and 7).

I found buried in the pf.conf man page that I should be able to specify 
a TOS value using something like:

pass out on IF inet proto tcp from any to any tos 0xYY keep state queue 
QUEUE

where YY is, I assume, the hexadecimal TOS byte.
I really don't want to specify ports because all the VoIP traffic may 
not use the same ports all the time.  I want to give priority to and/or 
allocate bandwidth to packets based on their IP precedence/DSCP/TOS value.

If PF gives priority to packets based on their IP precedence/DSCP value 
automatically, I don't really have to worry about it unless I want to make 
sure a specific amount of bandwidth is always available for certain TOS 
value packets.

So, assuming I need to use the tos option in my rules to make things 
work the way I want, my next question is can multiple TOS values be 
specified in the same rule or do I need to make separate rules for each 
TOS value?

Thanks.
Henning Brauer wrote:
> * John Merriam <[EMAIL PROTECTED]> [2005-03-23 17:50]:
> > Hello.  I'm using PF on FreeBSD 5.3.  I would like to know how PF 
> > handles precedence information in IP packets.  I'm referring to the 
> > header data described in RFC 1812 sections 5.3.2 and 5.3.3 (part of TOS 
> > byte).
> > 
> > I guess the first question would be, does PF handle precedence 
> > automatically?
> > 
> > If not, can prioritization based on IP precedence be achieved with ALTQ 
> > or some other mechanism?
> 
> yes, you can specify two queues per rule, one we call "priority queue", 
> and packets with precedence set to lowdelay go to said prio queue.
> 
> it's not like the manpage wouldn't document that of course
> 
>      Packets can be assigned to queues based on filter rules by using the
>      queue keyword.  Normally only one queue is specified; when a second one
>      is specified it will instead be used for packets which have a TOS of
>      lowdelay and for TCP ACKs with no data payload.
> 
>      To continue the previous example, the examples below would specify the
>      four referenced queues, plus a few child queues.  Interactive ssh(1) ses-
>      sions get priority over bulk transfers like scp(1) and sftp(1).  The
>      queues may then be referenced by filtering rules (see PACKET FILTERING
>      below).
> 
>      queue std bandwidth 10% cbq(default)
>      queue http bandwidth 60% priority 2 cbq(borrow red) \
>            { employees, developers }
>      queue  developers bandwidth 75% cbq(borrow)
>      queue  employees bandwidth 15%
>      queue mail bandwidth 10% priority 0 cbq(borrow ecn)
>      queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
>      queue  ssh_interactive priority 7
>      queue  ssh_bulk priority 0
> 
>      block return out on dc0 inet all queue std
>      pass out on dc0 inet proto tcp from $developerhosts to any port 80 \
>            keep state queue developers
>      pass out on dc0 inet proto tcp from $employeehosts to any port 80 \
>            keep state queue employees
>      pass out on dc0 inet proto tcp from any to any port 22 \
>            keep state queue(ssh_bulk, ssh_interactive)
>      pass out on dc0 inet proto tcp from any to any port 25 \
>            keep state queue mail

--
John Merriam
NETPLEX  Technical Specialist
[EMAIL PROTECTED]  (860)233- x303
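To make John's question concrete, here is an added Python example (not code from the thread, from pf, or from the RFCs) that does the TOS-byte arithmetic behind the `tos 0xYY` syntax quoted from pf.conf(5) above: IP precedence occupies the top three bits of the TOS byte (RFC 791), the DSCP the top six bits (RFC 2474), and the legacy lowdelay flag is bit 0x10 (RFC 1349). It also emits one rule per TOS value in the shape John quoted, since the thread leaves open whether several tos values can be given in one rule. The interface, protocol and queue names passed in are placeholders.

```python
from typing import Dict, List

# Legacy TOS byte (RFC 791 / RFC 1349):   P P P | D T R C | 0
#   bits 7-5  IP precedence (0-7)
#   bit  4    D = lowdelay     0x10
#   bit  3    T = throughput   0x08
#   bit  2    R = reliability  0x04
#   bit  1    C = lowcost      0x02
# DiffServ (RFC 2474) reinterprets bits 7-2 as the 6-bit DSCP, so precedence == DSCP >> 3.
LOWDELAY = 0x10
THROUGHPUT = 0x08
RELIABILITY = 0x04
LOWCOST = 0x02


def tos_from_precedence(precedence: int, lowdelay: bool = False) -> int:
    """TOS byte for an IP precedence value, optionally with the legacy lowdelay bit set."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit field (0-7)")
    return (precedence << 5) | (LOWDELAY if lowdelay else 0)


def tos_from_dscp(dscp: int) -> int:
    """TOS byte carrying a DSCP (the two ECN bits are left zero)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0-63)")
    return dscp << 2


def classify_tos(tos: int) -> Dict[str, object]:
    """Read one TOS byte both ways: as precedence plus legacy flags, and as a DSCP."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS is one byte (0-255)")
    return {
        "precedence": tos >> 5,
        "dscp": tos >> 2,
        "lowdelay": bool(tos & LOWDELAY),
        "throughput": bool(tos & THROUGHPUT),
        "reliability": bool(tos & RELIABILITY),
    }


def tos_values_with_precedence(precedence: int) -> List[int]:
    """Every TOS byte whose precedence field equals `precedence`: 32 values, one per
    combination of the low five bits. Matching 'precedence 5' means matching all of them."""
    return [tos_from_precedence(precedence) | low for low in range(32)]


def pf_rules_for_tos(iface: str, proto: str, tos_values: List[int], queue: str) -> List[str]:
    """One rule per TOS value, in the form John quoted from pf.conf(5). Whether pf accepts a
    list of tos values in a single rule is left open in the thread, so one rule each is the
    conservative form. iface/proto/queue are placeholders supplied by the caller."""
    return [
        f"pass out on {iface} inet proto {proto} from any to any "
        f"tos 0x{tos:02X} keep state queue {queue}"
        for tos in tos_values
    ]


if __name__ == "__main__":
    # Constructed example: DSCP EF (46) is the usual VoIP marking, CS5 (40) is precedence 5 alone.
    for dscp in (46, 40):
        tos = tos_from_dscp(dscp)
        print(f"DSCP {dscp} -> tos 0x{tos:02X} -> {classify_tos(tos)}")
    for rule in pf_rules_for_tos("IF", "udp", [tos_from_dscp(46)], "QUEUE"):
        print(rule)
```

One thing the arithmetic makes visible: DSCP EF (46), the usual VoIP marking, is TOS 0xB8, whose 0x10 bit is set, so under the legacy bit reading it counts as lowdelay, while CS5 (0xA0) has that bit clear; which of the two a given VoIP deployment sends decides whether the "TOS of lowdelay" second-queue rule Henning points to would catch it. Matching all 32 TOS values of precedence 5 with separate rules is verbose; matching only the DSCPs actually used on the network is usually what is wanted.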


Re: can you help me meashuring traffic using OpenBSD's pf?

2005-03-24 Thread Rob
..an example of what you are talking about from my system I just restarted,
I am not clear how to zero these stats -
pfctl -z doesn't seem to do it (only two ifs) :
# pfctl -vvs Interfaces
.. many other interfaces snipped...
dc0 (instance, attached)
        Cleared:     Wed Mar 23 03:02:28 2005
        References:  [ States:  0                  Rules: 80                ]
        In4/Pass:    [ Packets: 6651059            Bytes: 7939874529        ]
        In4/Block:   [ Packets: 150                Bytes: 9494              ]
        Out4/Pass:   [ Packets: 5273669            Bytes: 1091643115        ]
        Out4/Block:  [ Packets: 916                Bytes: 71051             ]
        In6/Pass:    [ Packets: 0                  Bytes: 0                 ]
        In6/Block:   [ Packets: 0                  Bytes: 0                 ]
        Out6/Pass:   [ Packets: 0                  Bytes: 0                 ]
        Out6/Block:  [ Packets: 0                  Bytes: 0                 ]
dc1 (instance, attached)
        Cleared:     Wed Mar 23 03:02:28 2005
        References:  [ States:  0                  Rules: 44                ]
        In4/Pass:    [ Packets: 5402136            Bytes: 1181987103        ]
        In4/Block:   [ Packets: 320                Bytes: 24200             ]
        Out4/Pass:   [ Packets: 6379997            Bytes: 7609498012        ]
        Out4/Block:  [ Packets: 52                 Bytes: 2753              ]
        In6/Pass:    [ Packets: 0                  Bytes: 0                 ]
        In6/Block:   [ Packets: 0                  Bytes: 0                 ]
        Out6/Pass:   [ Packets: 0                  Bytes: 0                 ]
        Out6/Block:  [ Packets: 0                  Bytes: 0                 ]
..many other interfaces snipped...
There is also an snmp interface that may fit with some
of the company's existing net monitoring/stat tools:
http://www.packetmischief.ca/openbsd/snmp/
Rob
Oliver Neubauer wrote:
> Maybe I'm missing something about your requirements, but why not just use MRTG?
> It will measure input/output on as many interfaces as you want. 
> 
> Since all it *really* does is graph data, it can also be used to
> measure virtually anything.
> It is relatively easy to create scripts that gather data about the
> state of pf (via calls to pfctl -si etc) and feed it into MRTG. No
> need to use loginterface or pfstat.
> There is a ton of documentation out there for MRTG, but start here:
> http://mrtg.hdl.com/mrtg.html
> cheers
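Daniel's `pfctl -vvsI` tip and Rob's paste together answer Eugene's per-department question: pf keeps cumulative pass/block counters for every interface, so the internal interfaces can be read directly instead of going through loginterface or labels. The Python below is an added example written for this thread, not code from the list or from OpenBSD. It parses the Interfaces output (format assumed from Rob's paste, which is embedded as the first snapshot) and takes the difference between two snapshots, because the counters are cumulative and, as Rob found, `pfctl -z` did not zero them. The second snapshot is constructed, with dc1 showing a restarted counter set so the reset case is exercised.

```python
import re
from typing import Dict

# SNAPSHOT_1 is Rob's "pfctl -vvs Interfaces" paste from the thread (dc0 and dc1).
# SNAPSHOT_2 is constructed: the same box later, with dc1's counters restarted
# (new Cleared stamp) and IPv6 lines left out to show missing counters are tolerated.
SNAPSHOT_1 = """\
dc0 (instance, attached)
        Cleared:     Wed Mar 23 03:02:28 2005
        References:  [ States:  0                  Rules: 80                ]
        In4/Pass:    [ Packets: 6651059            Bytes: 7939874529        ]
        In4/Block:   [ Packets: 150                Bytes: 9494              ]
        Out4/Pass:   [ Packets: 5273669            Bytes: 1091643115        ]
        Out4/Block:  [ Packets: 916                Bytes: 71051             ]
        In6/Pass:    [ Packets: 0                  Bytes: 0                 ]
        In6/Block:   [ Packets: 0                  Bytes: 0                 ]
        Out6/Pass:   [ Packets: 0                  Bytes: 0                 ]
        Out6/Block:  [ Packets: 0                  Bytes: 0                 ]
dc1 (instance, attached)
        Cleared:     Wed Mar 23 03:02:28 2005
        References:  [ States:  0                  Rules: 44                ]
        In4/Pass:    [ Packets: 5402136            Bytes: 1181987103        ]
        In4/Block:   [ Packets: 320                Bytes: 24200             ]
        Out4/Pass:   [ Packets: 6379997            Bytes: 7609498012        ]
        Out4/Block:  [ Packets: 52                 Bytes: 2753              ]
        In6/Pass:    [ Packets: 0                  Bytes: 0                 ]
        In6/Block:   [ Packets: 0                  Bytes: 0                 ]
        Out6/Pass:   [ Packets: 0                  Bytes: 0                 ]
        Out6/Block:  [ Packets: 0                  Bytes: 0                 ]
"""
SNAPSHOT_2 = """\
dc0 (instance, attached)
        Cleared:     Wed Mar 23 03:02:28 2005
        In4/Pass:    [ Packets: 6660000            Bytes: 7950000000        ]
        In4/Block:   [ Packets: 151                Bytes: 9554              ]
        Out4/Pass:   [ Packets: 5280000            Bytes: 1100000000        ]
        Out4/Block:  [ Packets: 920                Bytes: 71300             ]
dc1 (instance, attached)
        Cleared:     Thu Mar 24 10:00:00 2005
        In4/Pass:    [ Packets: 1000               Bytes: 150000            ]
        In4/Block:   [ Packets: 2                  Bytes: 100               ]
        Out4/Pass:   [ Packets: 900                Bytes: 1200000           ]
        Out4/Block:  [ Packets: 0                  Bytes: 0                 ]
"""

IFACE_RE = re.compile(r"^(\S+) \(instance, attached\)")
CLEARED_RE = re.compile(r"^\s*Cleared:\s*(.+\S)")
COUNTER_RE = re.compile(
    r"^\s*((?:In|Out)[46]/(?:Pass|Block)):\s*\[\s*Packets:\s*(\d+)\s*Bytes:\s*(\d+)\s*\]")


def parse_interfaces(text: str) -> Dict[str, dict]:
    """{iface: {"cleared": stamp, "counters": {"In4/Pass": {"packets": n, "bytes": n}, ...}}}"""
    ifaces: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"cleared": "", "counters": {}}
            continue
        if current is None:
            continue  # header or noise before the first interface block
        m = CLEARED_RE.match(line)
        if m:
            ifaces[current]["cleared"] = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            ifaces[current]["counters"][m.group(1)] = {
                "packets": int(m.group(2)), "bytes": int(m.group(3))}
    return ifaces


def byte_delta(before: dict, after: dict, iface: str, counter: str) -> int:
    """Bytes added to `counter` between two snapshots. The counters are cumulative, so
    normally after - before. If the Cleared stamp changed or the value went backwards
    (pf reloaded, box rebooted), the counter restarted from zero and `after` is all we
    can still account for. Unknown interfaces or counters count as zero."""
    b_if, a_if = before.get(iface, {}), after.get(iface, {})
    b = b_if.get("counters", {}).get(counter, {}).get("bytes", 0)
    a = a_if.get("counters", {}).get(counter, {}).get("bytes", 0)
    if a_if.get("cleared") != b_if.get("cleared") or a < b:
        return a
    return a - b


def department_usage(before: dict, after: dict, iface: str) -> Dict[str, int]:
    """Passed bytes per direction on an internal interface over the interval. Seen from the
    gateway, 'in' on that interface is what the department sent (upload) and 'out' is what
    it received (download); IPv4 and IPv6 are summed."""
    up = sum(byte_delta(before, after, iface, k) for k in ("In4/Pass", "In6/Pass"))
    down = sum(byte_delta(before, after, iface, k) for k in ("Out4/Pass", "Out6/Pass"))
    return {"upload": up, "download": down}
```

In Eugene's layout the two snapshots would come from `pfctl -vvsI` run on a schedule, with rl1 and rl2 as the interfaces; the gateway's own internet use is then the rl0 totals minus the sum of the internal interfaces, which is the subtraction he described doing by hand.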


Re: can you help me meashuring traffic using OpenBSD's pf?

2005-03-24 Thread Eugene M. Minkovskii
On Thu, Mar 24, 2005 at 02:17:55PM +0100, Daniel Hartmeier wrote:
" On Thu, Mar 24, 2005 at 02:58:51PM +0300, Eugene M. Minkovskii wrote:
" 
" > Yes, it can help me and I do this in one of the networks where I'm
" > system administrator. But I have another network where the gateway has 3
" > network interfaces (I wrote this some time ago to David in this
" > thread). I can't set loginterface to more than one. So now I have the
" > following plan:
" 
" Try pfctl -vvsI. pf does keep counters for each interface, not just the
" one set as loginterface.
" 
" Daniel

Wow! I did not know that! Thank you very much.

-- 
Sensory  yours, Eugene  Minkovskii
Сенсорно ваш,   Евгений Миньковский


Re: pf load balancing, macros, tables...

2005-03-24 Thread Kevin
> > yet this does not:
> > rdr on $ext proto tcp from any  to  port 80 -> \
> >  round-robin sticky-address
> 
> There was a bug fixed recently where pf would fail to select a
> translation when a rule did not have an explicit (or implicit) address
> family (IPv4/v6). This was backported to 3.6-stable, maybe you have an
> older kernel. To test the theory, add 'inet' to your rule, which makes
> the address family explicit.
> 
> If this is not the problem, describe exactly how 'it is not working'.

Mea culpa. I really should have given you more to go on. :-(

That said, when looking at a tcpdump -netttvvvi pflog0 port 80, it was
as you suspected: pf apparently wasn't selecting an appropriate
translation rule, so connections were getting blocked by the default
block rule.

As described, simply changing the rule to this:
rdr on $ext inet proto tcp from any to  port 80 -> \
 round-robin sticky-address

makes everything pass through like a champ. Now to grab an updated
3.6-stable. :-)


Thanks so much.
Kevin


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Jim Fron
> It's probably some simple mistake in manipulating the ruleset. Make sure
> you have both filter and translation rules loaded successfully, i.e. run
> 
>   # pfctl -sn

No errors...

> and check whether rdr rule is correctly loaded like you intend.

Check.

> One somewhat obscure mistake is to run "pfctl -R -f /etc/pf.conf",
> misunderstanding the effect of -R, and not getting one's translation
> rules replaced.

I presume `pfctl -F all -f pf.conf` should suffice?

Okay, time to post the entire ruleset.  This is my test ruleset, which 
fails.  If I change the one "rdr on" rule to rdr PASS, it works.

lan  = "le0"
wlan = "le2"
INT = "192.168.1.0/24"
ext  = "le1"
table  { 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 10.0.0.0/8, \
172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 255.255.255.255/32 \
240.0.0.0/5, 248.0.0.0/5}

table  const { 224.0.0.0/4, 192.168.1.0, 192.168.1.255 }
table  const { 224.0.0.251 }
bmcast_prot = "{ udp }"
bmcast_port = "{ 5353 }"
ROUTER = "192.168.1.1"
ext_svc = "{ http }"
fwd_lan_port = "{ 999, 1001 }"
ext_scan_ports = "{ 21, 22, 23, 25, 53, 79, 110, 111, 137, 138, 139, 143, 512 }"

fwd_lan_dest_ip = 192.168.1.9
fwd_lan_dest_port = 
icmp_allow = "{ echoreq, echorep, timex, unreach }"
br_wlan_tcp_svc_port = "{ 548 }"
br_wlan_udp_svc_port = "{ 3689 }"
wlan_svc_prot = "{ udp }"
wlan_svc_port = "{ domain }"
lan_svc = "{ ssh, domain }"
ext_prio_ports = "{ ssh, domain }"
set optimization normal
set block-policy return
scrub in all no-df fragment reassemble
scrub out on $ext all no-df fragment reassemble random-id
altq on $ext priq bandwidth 500Kb queue \
{ q_ext_high, q_ext_med, q_ext_bulk }
queue q_ext_high priority 5
queue q_ext_med priority 4
queue q_ext_bulk priority 1 priq(default)
nat on $ext from $INT to any -> $ext
rdr on $ext inet proto tcp \
to port $fwd_lan_port -> $fwd_lan_dest_ip port $fwd_lan_dest_port

block log-all all
pass quick on lo0
pass in log-all quick on $lan from $INT to any keep state
pass in log-all quick on $wlan inet proto $bmcast_prot from $INT \
to  port $bmcast_port
pass in log-all quick on $wlan inet proto udp from $INT to $INT \
port $br_wlan_udp_svc_port keep state
pass in log-all quick on $wlan inet proto tcp from $INT to $INT \
port $br_wlan_tcp_svc_port flags S/SA keep state
pass in log-all quick on $wlan inet proto $wlan_svc_prot from $INT to $ROUTER \
port $wlan_svc_port keep state

pass in log-all quick on $wlan inet proto icmp from $INT to $INT \
icmp-type $icmp_allow keep state
block in log-all quick on $wlan from any to 
block in log-all quick on $wlan from any to 
block in log-all quick on $wlan from any to $ext
pass in log-all quick on $wlan inet proto icmp from $INT to any \
icmp-type $icmp_allow keep state
block in log-all quick on $wlan inet proto icmp
pass in log-all quick on $wlan from $INT to any keep state
block drop in log-all quick on $ext from  to any
block drop in log-all quick on $ext from  to any
pass in log-all quick on $ext inet proto icmp from any to $ext \
icmp-type $icmp_allow keep state
#
#
# IT DOESN'T MATTER WHICH OF THE FOLLOWING TWO RULES IS UNCOMMENTED,
# IT STILL FAILS
#
pass in log-all quick on $ext inet proto tcp from any \
to port $fwd_lan_port keep state
#
#pass in log-all quick on $ext inet proto tcp from any to \
#   $fwd_lan_dest_ip port $fwd_lan_dest_port keep state
#
#
pass in log-all quick on $ext inet proto tcp from any to $ext \
port $ext_svc flags S/SA keep state
block drop in log-all quick on $ext inet proto { tcp, udp } \
from any to any port $ext_scan_ports
block drop in log-all quick on $ext
pass out log-all quick on $lan from any to any keep state
pass out log-all quick on $wlan from any to any keep state
block out log-all quick on $ext from any to 
pass out log-all quick on $ext inet proto tcp from any to any \
port $ext_prio_ports flags S/SA \
queue(q_ext_med, q_ext_high) keep state
pass out log-all quick on $ext inet proto tcp from any to any \
flags S/SA queue(q_ext_bulk, q_ext_high) keep state
pass out log-all quick on $ext inet proto { udp, icmp } \
from any to any queue q_ext_med keep state


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Daniel Hartmeier
On Thu, Mar 24, 2005 at 08:36:31PM -0500, Jim Fron wrote:

> >  # pfctl -sn
> 
> No errors...

Can you please post the verbatim output of pfctl -vvsn?

Daniel


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Jim Fron
On Mar 24, 2005, at 8:55 PM, Daniel Hartmeier wrote:
> Can you please post the verbatim output of pfctl -vvsn?

Got it.  Unlike /bin/sh, which does NOT concatenate a comment
line ending in \ with the following line, pf.conf considers
# foo \
bar
to be a multi-line comment.  Hence, in testing:
#rdr pass on $ext inet proto tcp \
rdr on $ext inet proto tcp \
to port $fwd_lan_port -> $fwd_lan_dest_ip port $fwd_lan_dest_port
No rdr rules were loaded, nor were any errors thrown.
(Having one of those "duh" moments...)
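Jim's finding above, that a comment line ending in a backslash continues onto the next line and silently swallows the rule written there, is worth checking mechanically before a reload, since the loaded ruleset is then not the one you reviewed. The following Python is an added example, not code from the thread or from pf: it joins physical lines the way Jim describes pf.conf doing (a backslash as the very last character continues the line, comments included), reports comment lines that absorbed following lines, lists the rules pf would actually see, and produces a corrected file. The embedded pf.conf fragment is constructed to reproduce his case.

```python
from typing import Iterator, List, Tuple

# Constructed pf.conf fragment reproducing the pitfall from the thread: the commented-out
# "rdr pass" variant ends in a backslash, so the live rdr rule below it becomes part of
# the comment and is never loaded.
SAMPLE_PF_CONF = """\
ext = "le1"
fwd_lan_port = "{ 999, 1001 }"
fwd_lan_dest_ip = 192.168.1.9
#rdr pass on $ext inet proto tcp \\
rdr on $ext inet proto tcp \\
        to port $fwd_lan_port -> $fwd_lan_dest_ip port 999
nat on $ext from 192.168.1.0/24 to any -> $ext
"""


def logical_lines(text: str) -> Iterator[Tuple[int, List[str]]]:
    """Group physical lines into logical lines as Jim describes pf.conf doing: a line whose
    last character is a backslash continues onto the next one, whether or not it is a
    comment. Yields (1-based number of the first physical line, its physical lines)."""
    physical = text.splitlines()
    i = 0
    while i < len(physical):
        start = i + 1
        chunk = [physical[i]]
        while physical[i].endswith("\\") and i + 1 < len(physical):
            i += 1
            chunk.append(physical[i])
        i += 1
        yield start, chunk


def _join(chunk: List[str]) -> str:
    parts = [line[:-1] if line.endswith("\\") else line for line in chunk]
    return " ".join(p.strip() for p in parts)


def find_swallowed_rules(text: str) -> List[Tuple[int, List[int]]]:
    """Comment lines whose trailing backslash pulled later physical lines into the comment.
    Returns (comment line number, numbers of the lines it swallowed)."""
    findings = []
    for start, chunk in logical_lines(text):
        if chunk[0].lstrip().startswith("#") and len(chunk) > 1:
            findings.append((start, list(range(start + 1, start + len(chunk)))))
    return findings


def effective_rules(text: str) -> List[str]:
    """Logical lines pf would actually parse: continuations joined, comments dropped."""
    rules = []
    for _, chunk in logical_lines(text):
        joined = _join(chunk)
        if joined and not joined.startswith("#"):
            rules.append(joined)
    return rules


def fix_comment_continuations(text: str) -> str:
    """Drop the trailing backslash from every physical line that is itself a comment, so a
    comment can no longer swallow what follows. Lines inside a swallowed region that do not
    start with '#' are left alone: they become live again, which is what the author meant
    in Jim's case and what find_swallowed_rules() flags for review in any other."""
    fixed = []
    for line in text.splitlines():
        if line.lstrip().startswith("#") and line.endswith("\\"):
            line = line[:-1].rstrip()
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for comment_no, swallowed in find_swallowed_rules(SAMPLE_PF_CONF):
        print(f"line {comment_no}: comment ends in '\\', swallows lines {swallowed}")
    print("rules pf would load:", effective_rules(SAMPLE_PF_CONF))
    print("after fix:", effective_rules(fix_comment_continuations(SAMPLE_PF_CONF)))
```

The check belongs next to `pfctl -nf` in whatever wraps a reload: `pfctl -n` is silent here because, as Jim saw, the swallowed rule is valid comment text, and only the `pfctl -vvsn` listing shows the rdr rule missing after the fact.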


Re: Passing RDR outside of RDR rule

2005-03-24 Thread Jim Fron
On Mar 24, 2005, at 8:55 PM, Daniel Hartmeier wrote:
> On Thu, Mar 24, 2005 at 08:36:31PM -0500, Jim Fron wrote:
> 
> > >   # pfctl -sn
> > 
> > No errors...
> 
> Can you please post the verbatim output of pfctl -vvsn?

Interesting:
With rules as posted:
@0 nat on le1 inet from 192.168.1.0/24 to any -> 69.241.239.150
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]

Strange.  No rdr's.  But no errors while _loading_ the rdr rules, 
either.  Hmmm.

Unfortunately, I accidentally blew away the original while doing a
line-by-line modification.  Whatever the problem was, I either had bad
whitespace or comments, as all I have in my terminal's scrollback buffer
is a diff showing only comments and lines that differ by indentation.

Don't know.  All I can say is, it's working now.  Sorry for the bother.