# pf must have these rules in the regress anchor
# Macros $LO, $PFLOG_N1, $PFLOG_N2 and $PFLOG_N3 are expected to be defined by
# the test harness that loads this ruleset (not visible here).
# Disable the ruleset optimizer so pf keeps the rules exactly as written below;
# the test depends on rule order and on which rule is the last match.
set ruleset-optimization none
# nothing to pflog N3, will be overridden by later rule
# (last matching rule wins; the inet/inet6 pass rules below match the same
# packets and replace this one, so N3 should stay empty)
pass log (to $PFLOG_N3) on $LO no state
# everything to pflog N2
# (a match rule applies its log option to every packet it matches, regardless
# of which pass rule ends up being the final one)
match log (to $PFLOG_N2) on $LO no state
# specific test to pflog N1
pass log (to $PFLOG_N1) on $LO inet
# no state: every packet is evaluated against the ruleset and logged
pass log (to $PFLOG_N1) on $LO to 169.254.0.1 no state
# keep state: only the state-creating packet is logged
pass log (to $PFLOG_N1) on $LO to 169.254.0.2 keep state
# log (all): log every packet of the state, not only the first
pass log (all to $PFLOG_N1) on $LO to 169.254.0.3 keep state
# log (user): include the owning user/group of the local socket
pass log (user to $PFLOG_N1) on $LO to 169.254.0.4
# no log on this pass rule; .5 is only seen on N2 via the match rule above
pass on $LO to 169.254.0.5
# log (matches): log for this rule even though the next rule is the final match
pass log (matches to $PFLOG_N1) on $LO to 169.254.0.6
pass on $LO to 169.254.0.6
# use unique local addresses, link local scope id is broken in pf
# IPv6 variants of the IPv4 rules above, same log options in the same order
pass log (to $PFLOG_N1) on $LO inet6
pass log (to $PFLOG_N1) on $LO to fc00::1 no state
pass log (to $PFLOG_N1) on $LO to fc00::2 keep state
pass log (all to $PFLOG_N1) on $LO to fc00::3 keep state
pass log (user to $PFLOG_N1) on $LO to fc00::4
pass on $LO to fc00::5
pass log (matches to $PFLOG_N1) on $LO to fc00::6
pass on $LO to fc00::6
# we nat on lo-out, log the original packet, generic lo-in logs natted packet
# (translation happens after logging on the out rule, so N1 sees the pre-NAT
# addresses .11/.12 and ::11/::12)
pass out log (to $PFLOG_N1) on $LO to 169.254.0.11 rdr-to 169.254.0.21
pass out log (to $PFLOG_N1) on $LO to 169.254.0.12 nat-to 169.254.0.22
pass out log (to $PFLOG_N1) on $LO to fc00::11 rdr-to fc00::21
pass out log (to $PFLOG_N1) on $LO to fc00::12 nat-to fc00::22
# af-to is for in rule only, IPv4 loopback does not work, use link-local
# (address family translation: IPv4 -> IPv6 and IPv6 -> IPv4)
pass in log (to $PFLOG_N1) on $LO to 169.254.0.14 af-to \
inet6 from fc00::23 to fc00::24
pass in log (to $PFLOG_N1) on $LO to fc00::14 af-to \
inet from 169.254.0.23 to 169.254.0.24