Hi,
I'm relatively new to PF anchors, so forgive me if I'm missing something basic. I'm currently trying to allow a pass on TCP port 4840 using anchors and testing on a client to see if I can connect. After configuring the anchor, it still doesn't seem to allow the port to pass. However, if I manually edit the anchor file and reboot, it works.
The command I'm running to open the port is:
Bash:
echo "pass in quick proto tcp to port 4840" | doas pfctl -a "bhf/tcopcuaserver" -f -
This adds the port, and I can see the rule added to the anchor. However, I can't connect with my client still.
Bash:
doas pfctl -a "bhf/tcopcuaserver" -sr
pass in proto tcp from any to any port = 4840 flags S/SA keep state
The only workaround I have at the moment is hard coding the anchor with anchor tcopcuaserver { } and rebooting. Is there some reloading I need to do after adding the rule to the anchor?
Here are my pf.conf and bhf anchor file:
Code:
# pf.conf file
set skip on lo0
scrub in all
# allow dynamic NAT configuration (e.g. luemuctl)
nat-anchor "bhf-nat/*"
# allow dynamic port forwarding configuration (e.g. luemuctl)
rdr-anchor "bhf-rdr/*"
# block all incoming and allow all outgoing traffic
block return in all
pass out quick all
# allow icmp6
pass in quick proto icmp6 all
# allow icmp4 (ping)
pass in quick inet proto icmp all icmp-type { echoreq, unreach }
# allow ssh
pass in quick proto tcp to port ssh
# allow dynamic configuration for Beckhoff specific services
anchor bhf
load anchor bhf from "/etc/pf.conf.d/bhf"
Code:
# BHF File
# allow IPC Diagnostics
pass in quick proto tcp to port https
# allow ADS secure
pass in quick proto tcp to port 8016
pass in quick proto udp to port 48899
# allow dynamic configuration for legacy ADS
anchor ads
# allow dynamic configuration for bhyve
anchor "bhyve/*"
# allow dynamic configuration for TwinCAT ADS Monitor - AMS Logger
anchor tcamslog
# allow dynamic configuration for TF2000-HMI-Server
anchor tchmisrv
# allow dynamic configuration for OPC-UA server
anchor tcopcuaserver
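Added example, not code from the post: a small Python checker that walks pf.conf and the files it pulls in with `load anchor`, then reports whether a given anchor path (the one you would hand to `pfctl -a ... -f -`) is attached to the main ruleset by an `anchor` rule at every level. It assumes `anchor foo` evaluates foo's own rules while `anchor "foo/*"` evaluates foo's direct children, and the file contents are constructed in-memory copies of the two files quoted above.

```python
import re

# anchor/nat-anchor/rdr-anchor NAME: NAME may be quoted, end in "/*", or be followed by criteria or "{ }".
ATTACH_RE = re.compile(r'^(?:nat-|rdr-)?anchor\s+"?([\w./*-]+)"?')
LOAD_RE = re.compile(r'^load\s+anchor\s+"?([\w./-]+)"?\s+from\s+"([^"]+)"')

# Constructed in-memory copies of the two files quoted in the post (non-anchor rules trimmed).
FILES = {
    "/etc/pf.conf": 'nat-anchor "bhf-nat/*"\nrdr-anchor "bhf-rdr/*"\nblock return in all\n'
                    'pass in quick proto tcp to port ssh\nanchor bhf\n'
                    'load anchor bhf from "/etc/pf.conf.d/bhf"\n',
    "/etc/pf.conf.d/bhf": 'pass in quick proto tcp to port https\nanchor ads\n'
                          'anchor "bhyve/*"\nanchor tcamslog\nanchor tcopcuaserver\n',
}

def collect_attachments(text, files, prefix="", exact=None, wild=None):
    """Walk a ruleset and every file it loads; return (exact, wild) anchor paths it references."""
    exact = set() if exact is None else exact
    wild = set() if wild is None else wild
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth > 0:  # inside an inline "anchor foo { ... }" body: not walked here
            depth += line.count("{") - line.count("}")
            continue
        if (m := LOAD_RE.match(line)):
            collect_attachments(files[m.group(2)], files, prefix + m.group(1) + "/", exact, wild)
        elif (m := ATTACH_RE.match(line)):
            name = m.group(1)
            path = (prefix + name.rstrip("*").rstrip("/")).rstrip("/")
            (wild if name.endswith("*") else exact).add(path)
        depth += line.count("{") - line.count("}")
    return exact, wild

def is_evaluated(anchor_path, exact, wild):
    """True if rules loaded into anchor_path are reached from the main ruleset. Assumption (writer's
    reading of pf.conf(5)): 'anchor foo' evaluates foo itself, 'anchor foo/*' only foo's children."""
    parts = anchor_path.split("/")
    reached = [True]  # reached[i]: the rules at depth i of the path are evaluated
    for i in range(1, len(parts) + 1):
        path, parent = "/".join(parts[:i]), "/".join(parts[:i - 1])
        via_exact = path in exact and reached[i - 1]
        via_wild = parent in wild and reached[max(i - 2, 0)]
        reached.append(via_exact or via_wild)
    return reached[-1]

def check(anchor_path, files=FILES, main="/etc/pf.conf"):
    exact, wild = collect_attachments(files[main], files)
    return is_evaluated(anchor_path, exact, wild)
```

`check("bhf/tcopcuaserver")` is true for the quoted files, while `check("tcopcuaserver")` is false, so the static attachment is fine and a mismatch in the `-a` path is one thing this rules out.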