Thursday, January 03, 2019

Re: Who is 'anchor 11' (pfctl -vvss ./. pfctl -vsA)?

Am 02.01.2019 21:35 schrieb Klemens Nanni:
> Anchor 11 is the twelfth rule in your main ruleset (the anchor rule),
> in which the first rule established this state.

Ouch, overlooked this one. Thanks.

> Provide your ruleset so we can look at actual rules without guessing in
> case your problem persists, `pfctl -a\* -s rules' prints them including
> anchors.

Hmm, still a bit ambiguous:
===
@11 anchor "relayd/*" all {
[ Evaluations: 21256227 Packets: 845613 Bytes: 363090876 States: 31 ]
[ Inserted: uid 0 pid 12958 State Creations: 16822 ]
anchor "depa_portal_http" all {
}
anchor "depa_portal_https" all {
}
anchor "rnexus_portal_http" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 80 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTP rdr-to <rnexus_portal_http:1> port 60280 round-robin sticky-address
[ Evaluations: 8919094 Packets: 1101 Bytes: 56088 States: 0 ]
[ Inserted: uid 89 pid 29940 State Creations: 162 ]
}
anchor "rnexus_portal_https" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 443 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTPS rdr-to <rnexus_portal_https:1> port 60643 round-robin sticky-address
[ Evaluations: 13343728 Packets: 253 Bytes: 57853 States: 0 ]
[ Inserted: uid 89 pid 29940 State Creations: 18 ]
}
anchor "ssfn-imaps" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 993 flags S/SA keep state (tcp.established 600) tag SSFN_IMAPS rdr-to <ssfn-imaps:1> port 993 round-robin sticky-address
[ Evaluations: 169032000 Packets: 4965436 Bytes: 1932456130 States: 22 ]
[ Inserted: uid 89 pid 29940 State Creations: 33036 ]
}
===
So, for every redirect there is one anchor (as expected/designed), and each has a rule 0.
Apart from the ip/port tuple (the state in question was to port 993), I cannot see how to follow this down to the relayd sub-anchor it belongs to.

ciao
--
pb
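The lookup the poster did by hand (match the state's destination port against the `@0 pass` rule of each relayd sub-anchor) can be scripted over the `pfctl -a '*' -s rules` output format shown above. This is an added example, not code from the thread or from relayd; the embedded ruleset is a constructed sample in that format, and `anchors_for_port` is a name chosen here.

```shell
#!/bin/sh
# Added example: map a pf state's destination port to the relayd sub-anchor
# whose rule @0 redirects it, by parsing `pfctl -a '*' -s rules` output.
# RULESET is a constructed sample in that format; pass live output as $2.
RULESET='anchor "relayd/*" all {
[ Evaluations: 21256227 Packets: 845613 Bytes: 363090876 States: 31 ]
anchor "depa_portal_http" all {
}
anchor "rnexus_portal_http" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 80 flags S/SA keep state (tcp.established 600) tag RNEXUS_PORTAL_HTTP rdr-to <rnexus_portal_http:1> port 60280 round-robin sticky-address
}
anchor "ssfn-imaps" all {
@0 pass in quick on rdomain 0 inet proto tcp from any to public-ip port = 993 flags S/SA keep state (tcp.established 600) tag SSFN_IMAPS rdr-to <ssfn-imaps:1> port 993 round-robin sticky-address
}
}'

# anchors_for_port PORT [RULESET]
# Prints "<sub-anchor name> <tag>" for every anchor whose pass rule has the
# given destination port. Only the first "port = N" token pair on the rule
# line counts; the later "rdr-to ... port N" is the redirect target and has
# no "=" so it is not mistaken for the destination.
anchors_for_port() {
    want=$1
    printf '%s\n' "${2:-$RULESET}" | awk -v want="$want" '
        /^anchor "/ { name = $2; gsub(/"/, "", name); next }  # enter an anchor block
        /^[}]/      { name = ""; next }                       # leave it
        /^@[0-9]+ pass/ {
            dport = ""; tag = ""
            for (i = 1; i <= NF; i++)
                if ($i == "port" && $(i + 1) == "=") { dport = $(i + 2); break }
            for (i = 1; i <= NF; i++)
                if ($i == "tag") tag = $(i + 1)
            if (dport == want) print name, tag
        }'
}

anchors_for_port "${1:-993}"
```

Against a live box, `anchors_for_port 993 "$(pfctl -a '*' -s rules)"` gives the sub-anchor and the tag its rule applies, which is the same tuple-based reasoning as in the mail, just mechanised.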
