In some networks, the decision of where a packet should be allowed to pass cannot be made to map easily to criteria like subnet and service. The fine-grained control the site’s policy demands could make the rule set complicated and potentially hard to maintain.
Fortunately, PF offers yet another mechanism for classification and filtering in the form of packet tagging. The useful way to implement packet tagging is to tag incoming packets that match a specific pass rule, and then let the packets pass elsewhere based on which identifiers the packet is tagged with. In OpenBSD 4.6 and later, it is even possible to have separate match rules that tag according to the match criteria, leaving decisions on passing, redirecting, or taking other actions to rules later in the rule set.
One example could be the wireless access points we set up in Chapter 4, which we could reasonably expect to inject traffic into the local network with an apparent source address equal to the access point’s $ext_if address. In that scenario, a useful addition to the rule set of a gateway with several of these access points might be the following (assuming, of course, that definitions of the wifi_allowed and wifi_ports macros fit the site’s requirements).
wifi = "{ 10.0.0.115, 10.0.0.125, 10.0.0.135, 10.0.0.145 }"
pass in on $int_if from $wifi to $wifi_allowed port $wifi_ports tag wifigood
pass out on $ext_if tagged wifigood
As the complexity of the rule set grows, consider using tag in incoming match and pass rules to make your rule set readable and easier to maintain.
Tags are sticky, and once a packet has been tagged by a matching rule, the tag stays, which means that a packet can have a tag even if it was not applied by the last matching rule. However, a packet can have only one tag at any time. If a packet matches several rules that apply tags, the tag will be overwritten with a new one by each new matching tag rule.
For example, you could set several tags on incoming traffic via a set of match or pass rules, supplemented by a set of pass rules that determine where packets pass out based on the tags set on the incoming traffic.
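To make the tag semantics described above concrete (sticky tags, one tag at a time, each later tagging rule overwriting the earlier one, and pass rules selecting on the current tag), here is a small rule-set evaluator written for this section. It is an added example, not code from the book or from PF itself: it models the evaluation order the text describes (match rules apply their parameters and continue, the last matching pass or block rule decides) rather than reproducing the kernel's exact logic. The wifi address list is the one from the rule set above; the wifi_allowed and wifi_ports values are constructed for the example, and the interface names int_if and ext_if stand in for the macros.

```python
"""Toy model of PF packet tagging: sticky tags, last tag wins, 'tagged' selects.
Added example for this section; it simplifies PF's real evaluation logic."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass
class Packet:
    direction: str            # "in" or "out"
    iface: str                # interface the packet is seen on
    src: str
    dst: str
    port: int
    tag: Optional[str] = None  # sticky: survives across rule evaluations


@dataclass
class Rule:
    action: str                         # "match", "pass" or "block"
    direction: str                      # "in" or "out"
    iface: Optional[str] = None         # None = any interface
    src: Optional[FrozenSet[str]] = None    # None = any source
    dst: Optional[FrozenSet[str]] = None    # None = any destination
    port: Optional[FrozenSet[int]] = None   # None = any port
    tag: Optional[str] = None           # tag to apply when the rule matches
    tagged: Optional[str] = None        # tag the packet must already carry
    quick: bool = False                 # stop evaluating after this rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion on the rule applies to the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None and pkt.src not in rule.src:
        return False
    if rule.dst is not None and pkt.dst not in rule.dst:
        return False
    if rule.port is not None and pkt.port not in rule.port:
        return False
    if rule.tagged is not None and pkt.tag != rule.tagged:
        return False
    return True


def evaluate(rules, pkt: Packet, default: str = "block") -> str:
    """Walk the rule set: match rules only apply parameters, the last matching
    pass/block rule decides, and quick ends the walk. Any matching rule that
    carries a tag overwrites the tag the packet already had (one tag at a time)."""
    verdict = default
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.tag is not None:
            pkt.tag = rule.tag          # sticky, but replaced by each new tagging rule
        if rule.action != "match":
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def forward(rules, pkt: Packet) -> Tuple[str, Optional[str], Optional[str]]:
    """Inbound decision on int_if, then (if passed) outbound decision on ext_if.
    Returns (inbound verdict, outbound verdict or None, final tag)."""
    inbound = evaluate(rules, pkt)
    if inbound != "pass":
        return inbound, None, pkt.tag
    out = Packet("out", "ext_if", pkt.src, pkt.dst, pkt.port, tag=pkt.tag)
    return inbound, evaluate(rules, out), out.tag


# Addresses from the rule set in the text; allowed hosts and ports are constructed.
WIFI = frozenset({"10.0.0.115", "10.0.0.125", "10.0.0.135", "10.0.0.145"})
WIFI_ALLOWED = frozenset({"192.0.2.10", "192.0.2.20"})   # constructed
WIFI_PORTS = frozenset({80, 443})                         # constructed

RULES = [
    # block all (default deny, both directions)
    Rule("block", "in"),
    Rule("block", "out"),
    # match in on $int_if from $wifi tag wifi
    Rule("match", "in", "int_if", src=WIFI, tag="wifi"),
    # match in on $int_if from $wifi to $wifi_allowed port $wifi_ports tag wifigood
    Rule("match", "in", "int_if", src=WIFI, dst=WIFI_ALLOWED, port=WIFI_PORTS, tag="wifigood"),
    # pass in on $int_if tagged wifigood
    Rule("pass", "in", "int_if", tagged="wifigood"),
    # pass out on $ext_if tagged wifigood
    Rule("pass", "out", "ext_if", tagged="wifigood"),
]

if __name__ == "__main__":
    for p in (Packet("in", "int_if", "10.0.0.115", "192.0.2.10", 443),
              Packet("in", "int_if", "10.0.0.115", "192.0.2.10", 22),
              Packet("in", "int_if", "10.0.0.50", "192.0.2.10", 443)):
        print(p.src, p.port, "->", forward(RULES, p))
```

The second packet shows why the ordering matters: the first match rule tags it wifi, the second does not apply (port 22 is not in wifi_ports), so the tag stays wifi, the `pass in ... tagged wifigood` rule does not match, and the packet is blocked. The first packet is tagged wifi and then wifigood by the two match rules in turn, and that last tag is what both pass rules select on.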