What is the difference between these anchor rules


What is the difference between these anchor rules

Carlos Lopez
Hi all,

I am trying to accomplish several different tests using anchor rules under an OpenBSD 6.6 host, but I am seeing strange behavior depending on how I configure them. For example:

This rule works:

anchor inet from $laptop_admin label "Allow access from $srcaddr via SSH" {
        anchor proto tcp to port ssh {
                pass in to (self)
                pass in to { $dmz_network $vpn_network  } tag intlans-to-intlans
        }
}

But this one never matches:

anchor inet from $laptop_admin label "Allow access from $srcaddr via http/https services" {
        anchor proto tcp to port { http https } {
                pass in $hots2 tag intlans-to-intlans
        }
}

I have tried inserting the “quick” keyword in the second rule, but nothing … Maybe I am making some mistake? The rule that works goes before the one that fails … Changing the order doesn’t matter …

Any tip?
--
Regards,
C. L. Martinez

Re: What is the difference between these anchor rules

Edgar Pettijohn III-2
On Mar 16, 2020 11:07 AM, Carlos Lopez <[hidden email]> wrote:

  Hi all,

  I am trying to accomplish several different tests using anchor rules
  under an OpenBSD 6.6 host, but I am seeing strange behavior
  depending on how I configure them. For example:

  This rule works:

  anchor inet from $laptop_admin label "Allow access from $srcaddr via SSH" {
          anchor proto tcp to port ssh {
                  pass in to (self)
                  pass in to { $dmz_network $vpn_network  } tag intlans-to-intlans
          }
  }

  But this one never matches:

  anchor inet from $laptop_admin label "Allow access from $srcaddr via http/https services" {
          anchor proto tcp to port { http https } {
                  pass in $hots2 tag intlans-to-intlans
          }
  }


Is hots2 a typo in the mail, or in the conf as well? Or maybe it's not a typo.
Edgar


  I have tried inserting the “quick” keyword in the second rule, but
  nothing … Maybe I am making some mistake? The rule that works goes
  before the one that fails … Changing the order doesn’t
  matter …

  Any tip?
  --
  Regards,
  C. L. Martinez
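A static pre-check for the situation above, written for this thread and not taken from it: it scans a pf.conf fragment for macro references that were never defined (a misspelled macro such as $hots2 is exactly what Edgar asks about) and for anchor braces that do not balance. The sample configuration inside is constructed; pfctl -nvf /etc/pf.conf on the host remains the authoritative check, since it also prints the expanded rules.

```python
"""Lint a pf.conf fragment for undefined macros and unbalanced anchors.

Added example for the thread above, not the poster's real configuration.
pfctl itself reports "macro 'name' not defined" at load time; this check
lets you spot the same class of mistake before touching the firewall.
"""
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
# pf does not expand user macros inside quoted strings; the $srcaddr in a
# label is a label variable that pfctl fills in later, so quotes are dropped.
QUOTED = re.compile(r'"[^"]*"')

# Constructed sample (addresses are documentation ranges, not real hosts).
SAMPLE_CONF = """\
# constructed sample, not the poster's pf.conf
laptop_admin = "192.0.2.10"
dmz_network = "10.10.0.0/24"
vpn_network = "10.20.0.0/24"
hosts2 = "to 10.10.0.5"
anchor inet from $laptop_admin label "Allow access from $srcaddr via http/https services" {
        anchor proto tcp to port { http https } {
                pass in $hots2 tag intlans-to-intlans
        }
}
"""


def check_pf(conf):
    """Return ([(line, macro), ...] of undefined references, final brace depth)."""
    defined, undefined, depth = set(), [], 0
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = MACRO_DEF.match(line)
        if m:
            defined.add(m.group(1))
            line = m.group(2)                 # a macro value may reference others
        line = QUOTED.sub("", line)           # no macro expansion inside quotes
        for ref in MACRO_REF.findall(line):
            if ref not in defined:
                undefined.append((lineno, ref))
        depth += line.count("{") - line.count("}")
    return undefined, depth


if __name__ == "__main__":
    missing, depth = check_pf(SAMPLE_CONF)
    for lineno, name in missing:
        print(f"line {lineno}: macro '{name}' not defined")
    if depth:
        print(f"anchor braces do not balance (depth {depth} at end of file)")
```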

Re: What is the difference between these anchor rules

Carlos Lopez
Thanks Edgar … Nope, it is not a typo 😊

--
Regards,
C. L. Martinez
