PF anchors pass all rule

Hello ,

I need some help with pf anchors. I have configured my firewall for basic usage
and I would like to use anchors to provide firewall rules to my jail services.

I define the anchors in the pf configuration as:
Code:
rdr-anchor jws01
rdr-anchor jws02
And use the following to auto-load them in the configuration file:

Code:
anchor jws01
# load anchor takes the form "load anchor <name> from <file>"
load anchor jws01 from /root/pfanchors/jws01.cfg

anchor jws02
load anchor jws02 from /root/pfanchors/jws02.cfg
The rules are loaded correctly, but a new rule is created for each anchor loaded:
pfctl -gsr
Code:
@35 anchor "jws01" all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
@36 anchor "jws02" all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
pftop -v rules
Code:
  35         Pass     Any                                 9      498        *       all
  36         Pass     Any                             22753 19359748        *       all
   0 /jws01  Pass     In      Q ng0    tcp       K        9      498        *       inet from any to 10.0.1.3/32 port = ssh  flags S/SA

How can I load the anchors without creating the pass all rule?
 
I'd say pftop(8) doesn't quite know how to parse anchors. I think the "rule 35" here is how pf records/reports that it is passing control to an anchor.

This has been the case: https://www.mail-archive.com/misc@openbsd.org/msg66035.html -- and that was post 0.7, the current version. (It hasn't been updated in quite a while. This thread is from openbsd; but I'd wager it's the same issue.)

Perhaps try pfctl -ga '*' -sr per pfctl(8) to get a better view with anchors.
 
Thanks for your reply, and here are the results:

pfctl -a "*" -gsr
Code:
@39 anchor "jws01" all {
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  @0 pass in quick on ng0 inet proto tcp from any to 10.0.1.1 port = ssh flags S/SA keep state (if-bound)
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
}
@40 anchor "jws02" all {
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  @0 pass in quick on ng0 inet proto tcp from any to 10.0.1.2 port = ssh flags S/SA keep state (if-bound)
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
}
@41 anchor "jws03" all {
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  @0 pass in quick on ng0 inet proto tcp from any to 10.0.1.3 port = ssh flags S/SA keep state (if-bound)
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
}

Just in case, I tested the connectivity of jws03.
I kept the NAT rule:
Code:
rdr on ng0 inet proto tcp from any to (ng0) port = 99322 -> 10.0.1.3 port 22
and removed the pass in rule:
Code:
pass in quick on ng0 inet proto tcp from any to 10.0.1.3 port = ssh flags S/SA keep state (if-bound)

to see if access to port 22 was permitted by the pass all rule, and it was not.
All good, case closed :)
 
I think it makes more sense if you see the pass any from any as part of the anchor itself. Because that's the rule that passes the traffic to the anchor. pftop(8) probably treats this as a separate rule.
You can do cool stuff like this too:
Code:
anchor foo 
# ^ Is the same as this:
anchor foo from any to any

anchor bar on re0 from 10.0.0.0/8 to 172.16.0.0/16
The rules in the bar anchor are only parsed if the traffic passes re0 and has a source address in 10.0.0.0/8 and a destination address in 172.16.0.0/16.
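As an added example (not from any of the posters above), here is a pf.conf fragment that applies the scoping idea to the jail setup from this thread: the entry rule of each anchor carries the jail's own address, so the listing shows a scoped anchor rule rather than `anchor "jws01" all`. Assumed: the jails sit behind ng0 at 10.0.1.1 and 10.0.1.2 (addresses from the thread), and each jail's rdr and pass rules live in one file under /root/pfanchors/.

```pf
# Assumed interface and jail addresses (taken from the thread above).
ext_if   = "ng0"
jws01_ip = "10.0.1.1"
jws02_ip = "10.0.1.2"

# Translation anchors: the rdr rule for each jail is loaded from its file.
# A filter anchor and an rdr-anchor with the same name share one anchor,
# so a single "load anchor" fills both rulesets from the same file.
rdr-anchor "jws01" on $ext_if inet proto tcp
rdr-anchor "jws02" on $ext_if inet proto tcp

# Default deny; an anchor can only open traffic that matches its entry rule.
block all

# Scoped filter anchors: rules inside "jws01" are evaluated only for TCP
# traffic arriving on ng0 for that jail's address. "pfctl -sr" then shows
# something like: anchor "jws01" in on ng0 inet proto tcp from any to 10.0.1.1
# instead of: anchor "jws01" all
anchor "jws01" in on $ext_if inet proto tcp from any to $jws01_ip
load anchor "jws01" from "/root/pfanchors/jws01.cfg"

anchor "jws02" in on $ext_if inet proto tcp from any to $jws02_ip
load anchor "jws02" from "/root/pfanchors/jws02.cfg"

# Verify the loaded anchors and their contents with:
#   pfctl -a '*' -sr
```

A rule placed in /root/pfanchors/jws01.cfg for any address other than 10.0.1.1 is never reached, because the entry rule above filters before the anchor body is consulted.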
 