OpenBSD PF: Anchors

OpenBSD PF - Anchors [Contents]

Introduction
Anchors
Anchor Options
Manipulating Anchors

Introduction

In addition to the main ruleset, PF can also evaluate sub-rulesets. Since sub-rulesets can be manipulated on the fly by using pfctl(8), they provide a convenient way of dynamically altering an active ruleset. Whereas a table is used to hold a dynamic list of addresses, a sub-ruleset is used to hold a dynamic set of rules. A sub-ruleset is attached to the main ruleset by using an anchor.

Anchors can be nested, which allows for sub-rulesets to be chained together. Anchor rules will be evaluated relative to the anchor in which they are loaded. For example, anchor rules in the main ruleset will create anchor attachment points with the main ruleset as their parent, and anchor rules loaded from files with the load anchor directive will create anchor points with that anchor as their parent.

Anchors

An anchor is a collection of rules, tables and other anchors that has been assigned a name. When PF comes across an anchor rule in the main ruleset, it will evaluate the rules contained within the anchor point as it evaluates rules in the main ruleset. Processing will then continue in the main ruleset unless the packet matches a filter rule that uses the quick option, in which case the match will be considered final and will abort the evaluation of rules in both the anchor and the main rulesets.

For example:

block on     egress
pass  out on egress

anchor goodguys

This ruleset sets a default deny policy on the egress interface for incoming and outgoing traffic, which is then statefully passed out, and an anchor rule is created named goodguys. Anchors can be populated with rules by three methods:

using a load rule
using pfctl(8)
specifying the rules inline of the main ruleset

The load rule causes pfctl to populate the specified anchor by reading rules from a text file. The load rule must be placed after the anchor rule.

For example:

anchor goodguys
load anchor goodguys from "/etc/anchor-goodguys-ssh"

To add rules to an anchor using pfctl, the following type of command can be used:

# echo "pass in proto tcp from 192.0.2.3 to any port 22" | pfctl -a goodguys -f -

Rules can also be saved to (and loaded from) a text file. For example, the following two lines could be appended to the /etc/anchor-goodguys-www file:

pass in proto tcp from 192.0.2.3 to any port 80
pass in proto tcp from 192.0.2.4 to any port { 80 443 }

Then applied with:

# pfctl -a goodguys -f /etc/anchor-goodguys-www

To load rules directly from the main ruleset, enclose the anchor rules in a brace-delimited block:

anchor "goodguys" {
        pass in proto tcp from 192.168.2.3 to port 22
}

Inline anchors can also contain more anchors.

allow = "{ 192.0.2.3 192.0.2.4 }"

anchor "goodguys" {
  anchor {
       pass in proto tcp from 192.0.2.3 to port 80
  }
  pass in proto tcp from $allow to port 22
}

With inline anchors, the name of the anchor becomes optional. Note how the nested anchor in the above example does not have a name. The macro $allow is created outside of the anchor (in the main ruleset) and is then used within the anchor.

Rules can be loaded into an anchor using the same syntax and options as rules loaded into the main ruleset. One caveat is that, unless inline anchors are being used, any macros that are used must also be defined within the anchor itself. Macros that are defined in the parent ruleset are not visible from the anchor.

Since anchors can be nested, it's possible to specify that all child anchors within a specified anchor be evaluated:

anchor "spam/*"

This syntax causes each rule within each anchor attached to the spam anchor to be evaluated. The child anchors will be evaluated in alphabetical order but are not descended into recursively. Anchors are always evaluated relative to the anchor in which they're defined.

Each anchor, as well as the main ruleset, exists separately from the other rulesets. Operations done on one ruleset, such as flushing the rules, do not affect any of the others. In addition, removing an anchor point from the main ruleset does not destroy the anchor or any child anchors that are attached to that anchor. An anchor is not destroyed until it's flushed of all rules using pfctl(8) and there are no child anchors within the anchor.

Anchor Options

Optionally, anchor rules can specify interface, protocol, source and destination address, tag, etc, using the same syntax as other rules. When such information is given, anchor rules are only processed if the packet matches the anchor rule's definition.

For example:

block          on egress
pass       out on egress
anchor ssh in  on egress proto tcp to port 22

The rules in the anchor ssh are only evaluated for TCP packets destined for port 22 that come in on the egress interface. Rules are then added to the anchor like so:

# echo "pass in from 192.0.2.10 to any" | pfctl -a ssh -f -

So, even though the filter rule doesn't specify an interface, protocol or port, the host 192.0.2.10 will only be permitted to connect using SSH because of the anchor rule's definition.

The same syntax can be applied to inline anchors.

allow = "{ 192.0.2.3 192.0.2.4 }"
anchor "goodguys" in proto tcp {
   anchor proto tcp to port 80 {
      pass from 192.0.2.3
   }
   anchor proto tcp to port 22 {
      pass from $allow
   }
}

Manipulating Anchors

Manipulation of anchors is performed via pfctl(8). It can be used to add and remove rules from an anchor without reloading the main ruleset.

To list all the rules in the anchor named ssh:

# pfctl -a ssh -s rules

To flush all rules from the same anchor:

# pfctl -a ssh -F rules

For a full list of commands, please see pfctl(8). ��Yes, sir. I felt sure you understood that. She said she had told you.�� "Why, eh,--I--I don't know that my movements need have anything to do with his. Yours, of course,--" "Ah, but if it saved your life!" "No, I'm not," grumbled the Doctor, "I've had enough of this wild-goose chase. And besides, it's nearly dinner time." "I am coming to that," Lawrence said, lighting a fresh cigarette. "As soon as Bruce was in trouble and the plot began to reel off I saw that it was mine. Of course there were large varyings in the details, but the scheme was mine. It was even laid on the same spot as my skeleton story. When I grasped that, I knew quite well that somebody must have stolen my plot." Judy In a coach-house, through which we passed on our way to see the prince's favourite horses with the state carriages��quite commonplace and comfortable, and made at Palitana��was a chigram,[Pg 68] off which its silk cover was lifted; it was painted bright red and spangled with twinkling copper nails. This carriage, which is hermetically closed when the Ranee goes out in it, was lined with cloth-of-gold patterned with Gohel Sheri's initials within a horseshoe: a little hand-glass on one of the cushions, two boxes of chased silver, the curtains and hangings redolent of otto of roses. "Are you certain of it? You have seen so very little of him, and you may be mistaken." "And your wife?" "I drawed on my man's bundle o' wood," said Gid, "and then dropped a little, so's to git him where he was biggest and make sure o' him." HoME ��Ұ��Ƶ ENTER NUMBET 0016www.kygyrg.com.cn
www.ldedu.org.cn
www.jjhgames.com.cn
www.krdxnp.com.cn
www.hx2025.com.cn
www.halujie.com.cn
www.sfywyt.com.cn
www.onfboz.com.cn
shuyi726.com.cn
uohrdx.com.cn