![[back]](../../images/back.gif){kind=small}
![[OpenBSD]](../../images/smalltitle.gif){kind=small}
[Previous: Scrub (Packet Normalization)] [Contents] [Next: Packet Queueing and Prioritization]
Sub rulesets are attached to the main ruleset by using anchors. There are four types of anchor rules:
For example:
ext_if = "fxp0"
block on $ext_if all
pass out on $ext_if all keep state
anchor goodguys
This ruleset sets a default deny policy on fxp0 for both incoming and outgoing traffic. Traffic is then statefully passed out and an anchor rule is created named goodguys. Anchors can be populated with rules by two methods:
The load rule causes pfctl to populate the specified anchor and named ruleset by reading rules from a text file. Example:
load anchor goodguys:ssh from "/etc/anchor-goodguys-ssh"
When the main ruleset is loaded, the rules listed in the file /etc/anchor-goodguys-ssh will be loaded into the named ruleset ssh attached to the goodguys anchor.
To add rules to an anchor using pfctl, the following type of command can be used:
# echo "pass in proto tcp from 192.0.2.3 to any port 22" \
| pfctl -a goodguys:ssh -f -
This adds a pass rule to the ruleset named ssh attached to the goodguys anchor. PF will then evaluate this rule (and any other filter rules that get added) when it reaches the anchor goodguys line in the main ruleset.
Rules can also be saved and loaded from a text file:
# cat >> /etc/anchor-goodguys-www
pass in proto tcp from 192.0.2.3 to any port 80
pass in proto tcp from 192.0.2.4 to any port { 80 443 }
# pfctl -a goodguys:www -f /etc/anchor-goodguys-www
This loads the rules from the /etc/anchor-goodguys-www file into the named ruleset www in the goodguys anchor.
Filter and translation rules can be loaded into a named ruleset using the same syntax and options as rules loaded into the main ruleset. One caveat, however, is that any macros that are used must also be defined within the named ruleset; macros that are defined in the main ruleset are not visible from named rulesets.
Each named ruleset, as well as the main ruleset, exist separately from the other rulesets. Operations done on one ruleset, such as flushing the rules, do not affect any of the others. In addition, removing an anchor point from the main ruleset does not destroy the anchor or any named rulesets that are attached to that anchor. A named ruleset is not destroyed until it's flushed of all rules using pfctl(8). Once an anchor point has no named rulesets attached to it, it's also destroyed.
ext_if = "fxp0"
block on $ext_if all
pass out on $ext_if all keep state
anchor ssh in on $ext_if proto tcp from any to any port 22
The rules in the anchor ssh are only evaluated for TCP packets destined for port 22 that come in on fxp0. Rules are then added to the anchor like so:
# echo "pass in from 192.0.2.10 to any" | pfctl -a ssh:allowed -f -
So, even though the filter rule doesn't specify an interface, protocol, or port, the host 192.0.2.10 will only be permitted to connect using SSH because of the anchor rule's definition.
To list all the rules in the ruleset allowed attached to the ssh anchor:
# pfctl -a ssh:allowed -s rules
To flush all filter rules from the same ruleset:
# pfctl -a ssh:allowed -F rules
If the ruleset name is omitted, the action applies to all rules in the anchor.
For a full list of commands, please see pfctl(8).
[Previous: Scrub (Packet Normalization)] [Contents] [Next: Packet Queueing and Prioritization]
www@openbsd.org