Hello all, I have a question for advanced PF users/admins. I wanted to create a multi-level anchor firewall (config created using fwbuilder, only the important rules are pasted):
========== /etc/firewall.conf ==========
anchor "PolicyIn" in inet from any to any no state label "From main to PolicyIn"
anchor "PolicyInLAN" in on vic0 inet from any to any no state label "From main to PolicyInLAN"
load anchor PolicyIn from "/etc/firewall-PolicyIn.conf"
load anchor PolicyIn-LAN from "/etc/firewall-PolicyIn-LAN.conf"
load anchor PolicyInLAN from "/etc/firewall-PolicyInLAN.conf"
========================================

========== /etc/firewall-PolicyIn.conf ==========
anchor "PolicyIn-LAN" in on vic0 inet from any to any no state label "From PolicyIn to PolicyIn-LAN"
=================================================

========== /etc/firewall-PolicyIn-LAN.conf ==========
pass quick inet proto tcp from any to 10.2.2.50 port 24 label "2nd level anchor"
=====================================================

========== /etc/firewall-PolicyInLAN.conf ==========
pass quick inet proto tcp from any to 10.1.3.50 port 24 label "1st level anchor"
====================================================

My idea: there is one rule for all incoming traffic in the main table redirecting this traffic to the anchor "PolicyIn". In the "PolicyIn" anchor there are other rules specifying each interface and redirecting to other anchors, e.g. redirecting to the anchor "PolicyInLAN" for the LAN interface. It means packets should go from main to PolicyIn and from PolicyIn to PolicyInLAN. But this does not work. I have to redirect to PolicyIn from main and then to PolicyInLAN from main again. In the example configuration, the rule "1st level anchor" passes the traffic to host 10.1.3.50, but the rule "2nd level anchor" to host 10.2.2.50 does not work. Do you have a hint as to what is wrong?

I have read the PF FAQ and the pf.conf(5) man page, and there it is written:

pf.conf(5): "... Anchors may be nested, with components separated by `/' characters, similar to how file system hierarchies are laid out. ..."

PF FAQ: "... Anchors can be nested which allows for sub rulesets to be chained together. ..."
But I am not sure how the "nesting" should be done correctly. Is the rule "From PolicyIn to PolicyIn-LAN" correct in the "PolicyIn" anchor, or should it be in the main table as follows?

-----
anchor "PolicyIn/PolicyIn-LAN" in on vic0 inet from any to any no state label "From main to PolicyIn-LAN of PolicyIn"
-----

Thank you very much for your answers.

Regards,
Robert Wolf
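Editor's note, not part of Robert's post or of fwbuilder's output: the detail that decides whether a two-level anchor works is the name given to `load anchor`. An `anchor "X"` rule that sits inside anchor `PolicyIn` evaluates the child anchor `PolicyIn/X`, while `load anchor X from ...` in the main file loads rules into a top-level anchor called plain `X`; the two never meet unless the load line uses the full path. The added example below shows the post's two-level layout with the child loaded under its full path. The interface `vic0`, host `10.1.3.50`, port 24 and the `no state` anchor rules are reused from the post; the file names and the single `PolicyIn/PolicyInLAN` spelling (instead of the post's separate `PolicyIn-LAN` and `PolicyInLAN` anchors) are assumptions. Three files are shown in one block, separated by comments; each `# ---` section is its own file.

```pf
# Added example (not from the original post): two-level pf anchors where the
# child anchor is loaded under its full path. Assumed file names; interface,
# host and port are taken from the post.

# ---------- /etc/firewall.conf (main ruleset) ----------
# One anchor rule hands all inbound IPv4 traffic to the PolicyIn anchor.
anchor "PolicyIn" in inet from any to any no state label "From main to PolicyIn"

# The child's rules are loaded under PolicyIn/PolicyInLAN, the same path the
# anchor rule inside PolicyIn evaluates. "load anchor PolicyInLAN" (no prefix)
# would fill a separate top-level anchor that no rule in PolicyIn ever reaches.
load anchor PolicyIn from "/etc/firewall-PolicyIn.conf"
load anchor PolicyIn/PolicyInLAN from "/etc/firewall-PolicyInLAN.conf"

# ---------- /etc/firewall-PolicyIn.conf (anchor PolicyIn) ----------
# Anchor names used inside an anchor are relative to it: this rule evaluates
# PolicyIn/PolicyInLAN, and only for packets arriving on vic0.
anchor "PolicyInLAN" in on vic0 inet from any to any no state label "From PolicyIn to PolicyInLAN"

# ---------- /etc/firewall-PolicyInLAN.conf (anchor PolicyIn/PolicyInLAN) ----------
# Second-level rule; matched only via main -> PolicyIn -> PolicyIn/PolicyInLAN.
pass quick inet proto tcp from any to 10.1.3.50 port 24 label "2nd level anchor"

# ---------- checks (run as root after editing) ----------
# pfctl -nf /etc/firewall.conf          # parse everything, load nothing
# pfctl -f /etc/firewall.conf           # load main ruleset and both anchors
# pfctl -a PolicyIn -sr                 # must show the "From PolicyIn to PolicyInLAN" anchor rule
# pfctl -a PolicyIn/PolicyInLAN -sr     # must show the "2nd level anchor" pass rule
# pfctl -vsA                            # lists every anchor recursively, so the
#                                       # nested path is visible and a stray
#                                       # top-level PolicyInLAN would stand out
```

The `pfctl -a <path> -sr` checks are the quickest way to see where fwbuilder actually put each ruleset: if the child rules show up under `pfctl -a PolicyInLAN -sr` but not under `pfctl -a PolicyIn/PolicyInLAN -sr`, the load line is the problem, not the anchor rule. On pf versions that accept inline anchors (`anchor "PolicyIn" in inet { ... }` with the child written as a nested brace block), the whole hierarchy can live in one file and the question of load paths disappears.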

