
PF anchors pass all rule

N10n105

New Member


Messages: 6

#1
Hello,

I need some help with pf anchors. I have configured my firewall for basic usage
and I would like to use anchors to provide firewall rules to my jail services.

I define the anchors in the pf configuration as:
Code:
rdr-anchor jws01
rdr-anchor jws02
And use the following to auto-load them in the configuration file:

Code:
anchor jws01
load anchor jws01 /root/pfanchors/jws01.cfg

anchor jws02
load anchor jws02 /root/pfanchors/jws02.cfg
The rules are loaded correctly, but a new rule is created for each anchor loaded:
pfctl -gsr
Code:
@35 anchor "jws01" all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
@36 anchor "jws02" all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
pftop -v rules
Code:
  35         Pass     Any                                 9      498        *       all
  36         Pass     Any                             22753 19359748        *       all
   0 /jws01  Pass     In      Q ng0    tcp       K        9      498        *       inet from any to 10.0.1.3/32 port = ssh  flags S/SA
How can I load the anchors without creating the pass all rule?
 

Eric A. Borisch

Well-Known Member

Thanks: 203
Messages: 312

#2
I'd say pftop(8) doesn't quite know how to parse anchors. I think the "rule 35" here is how pf records/reports that it is passing control to an anchor.

This has been the case: https://www.mail-archive.com/misc@openbsd.org/msg66035.html -- and that was post 0.7, the current version. (It hasn't been updated in quite a while. This thread is from openbsd; but I'd wager it's the same issue.)

Perhaps try pfctl -ga '*' -sr per pfctl(8) to get a better view with anchors.
 

N10n105

New Member


Messages: 6

#3
Thanks for your reply, and here are the results:

pfctl -a "*" -gsr
Code:
@39 anchor "jws01" all {
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  @0 pass in quick on ng0 inet proto tcp from any to 10.0.1.1 port = ssh flags S/SA keep state (if-bound)
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
}
@40 anchor "jws02" all {
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  @0 pass in quick on ng0 inet proto tcp from any to 10.0.1.2 port = ssh flags S/SA keep state (if-bound)
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
}
@41 anchor "jws03" all {
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  @0 pass in quick on ng0 inet proto tcp from any to 10.0.1.3 port = ssh flags S/SA keep state (if-bound)
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
}
Just in case, I tested the connectivity of jws03.
I kept the nat rule:
Code:
rdr on ng0 inet proto tcp from any to (ng0) port = 99322 -> 10.0.1.3 port 22
and removed the pass in rule:
Code:
pass in quick on ng0 inet proto tcp from any to 10.0.1.3 port = ssh flags S/SA keep state (if-bound)
to see whether access to port 22 was still permitted by the pass all rule. It was not.
All good, case closed :)
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,993
Best answers: 10
Messages: 26,751

#4
I think it makes more sense if you see the pass any from any as part of the anchor itself. Because that's the rule that passes the traffic to the anchor. pftop(8) probably treats this as a separate rule.
You can do cool stuff like this too:
Code:
anchor foo
# ^ Is the same as this:
anchor foo from any to any

anchor bar on re0 from 10.0.0.0/8 to 172.16.0.0/16
The rules in the bar anchor are only parsed if the traffic passes re0 and has a source address in 10.0.0.0/8 and a destination address in 172.16.0.0/16.
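The following is an added example, not code from the thread or from pf itself. It parses the nested listing that `pfctl -a '*' -sr` prints (the format quoted in post #3) and reports, for each anchor, the criteria on the anchor attachment rule and the rules nested inside it. The sample input is constructed here from the jws anchors above, with jws02's inner rule changed to a block rule for illustration, plus a hypothetical "bar" anchor with match criteria in the style of SirDice's example. The point it makes in code is the one the thread reaches: an attachment rule of "all" hands every packet to the anchor, but only the nested pass rules actually permit traffic.

```python
"""Added example (not from the thread): parse the nested anchor listing that
`pfctl -a '*' -sr` prints and show, for each anchor, the criteria on the
anchor attachment rule and the rules nested inside it."""
import re
from dataclasses import dataclass, field

# '@39 anchor "jws01" all {'  -> number, name, criteria ("all" or a filter spec)
ANCHOR_RE = re.compile(r'^@(\d+) anchor "([^"]+)" (.*) \{$')
# '@0 pass in quick on ng0 ...' -> number, action, remainder of the rule
RULE_RE = re.compile(r'^@(\d+) (pass|block|match) (.*)$')

# Constructed sample: jws01 as posted (with the -g debug lines, so the parser
# has to skip them), jws02 with a constructed block rule instead of its pass
# rule, and a hypothetical "bar" anchor whose attachment rule carries criteria.
SAMPLE = """\
@39 anchor "jws01" all {
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  @0 pass in quick on ng0 inet proto tcp from any to 10.0.1.1 port = ssh flags S/SA keep state (if-bound)
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
}
@40 anchor "jws02" all {
  @0 block drop in quick on ng0 inet proto tcp from any to 10.0.1.2 port = ssh
}
@41 anchor "bar" on re0 inet from 10.0.0.0/8 to 172.16.0.0/16 {
  @0 pass in quick inet proto tcp from any to 172.16.0.10 port = http flags S/SA keep state
}
"""


@dataclass
class Anchor:
    number: int
    name: str
    criteria: str                                  # text between the name and "{"
    rules: list = field(default_factory=list)      # (action, rest-of-rule) tuples


def parse_anchors(text):
    """Return the anchors in a `pfctl -a '*' -sr` listing (one nesting level)."""
    anchors, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):       # -g debug lines: Skip steps / queue
            continue
        m = ANCHOR_RE.match(line)
        if m:
            current = Anchor(int(m.group(1)), m.group(2), m.group(3))
            anchors.append(current)
            continue
        if line == "}":                            # end of the current anchor body
            current = None
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            current.rules.append((m.group(2), m.group(3)))
    return anchors


def summarize(anchors):
    """Per anchor: does the attachment rule gate anything, and what can pass?

    "all" means every packet is handed to the anchor (the "pass ... all" line
    pftop shows); traffic is only permitted by nested pass rules, so an anchor
    without one passes nothing."""
    report = {}
    for a in anchors:
        pass_rules = [rest for action, rest in a.rules if action == "pass"]
        report[a.name] = {
            "criteria": a.criteria,
            "gated": a.criteria != "all",
            "rules": len(a.rules),
            "pass_rules": len(pass_rules),
        }
    return report


if __name__ == "__main__":
    for name, info in summarize(parse_anchors(SAMPLE)).items():
        gate = (f"only for traffic matching '{info['criteria']}'"
                if info["gated"] else "for all traffic")
        print(f"{name}: evaluated {gate}; {info['rules']} rule(s), "
              f"{info['pass_rules']} of them pass")
```

Run it against real output by piping `pfctl -a '*' -sr` into `parse_anchors` instead of `SAMPLE`; the debug-line skipping means `-gsr` output works too. The parser handles a single level of nesting, which is what the thread's listing shows.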
 