I am currently studying the packet filter pf installed on my Macbook (OS X Mountain Lion).
One thing I cannot figure out is anchors or, more specifically, one particular feature of anchors. You can write an anchor in the form anchor "foo/*". Note the asterisk at the end of the anchor name. My question is: what does this do?
Here is what the documentation says (http://www.openbsd.org/faq/pf/anchors.html):
Since anchors can be nested, you can specify that all child anchors within the specified anchor be evaluated:
anchor "spam/*"
This syntax causes each rule in every anchor attached to the spam anchor to be evaluated. Child anchors will be evaluated in alphabetical order, but are not descended into recursively. Anchors are always evaluated relative to the anchor in which they are defined.
As I read this, it means that this anchor rule is replaced by all sub-anchors of spam in alphabetical order. So, if you have spam/foo1 and spam/foo2, anchor "spam/*" will be replaced by anchor "spam/foo1" and anchor "spam/foo2". Other rules within the anchor spam will be ignored. But, looking at the default OS X configuration, I seem to be wrong:
$ pfctl -sr
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
$ pfctl -a com.apple -sr
anchor "100.InternetSharing/*" all
anchor "200.AirDrop/*" all
anchor "250.ApplicationFirewall/*" all
anchor "300.NetworkLinkConditioner/*" all
So, in my opinion, the output of pfctl -sr could also read:
$ pfctl -sr
scrub-anchor "com.apple/*" all fragment reassemble
anchor "100.InternetSharing/*" all
anchor "200.AirDrop/*" all
anchor "250.ApplicationFirewall/*" all
anchor "300.NetworkLinkConditioner/*" all
But if I now look at the ApplicationFirewall rules:
$ pfctl -a com.apple/250.ApplicationFirewall -sr
block drop in inet proto icmp all icmp-type echoreq
block drop in inet6 proto ipv6-icmp all icmp6-type echoreq
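As an added example (not from the original post and not pf's own code), here is a small Python model of the evaluation order described by the FAQ text quoted above: anchor "x" evaluates the ruleset of x itself, anchor "x/*" evaluates the ruleset of each anchor directly attached to x in alphabetical order without descending further on its own, and both forms resolve "x" relative to the anchor that holds the rule. It is applied to the com.apple layout shown in the question and to the spam/foo1, spam/foo2 case from the FAQ. Assumptions: the contents of the three com.apple anchors the question does not list are left empty, the scrub-anchor line is omitted (same expansion, separate scrub ruleset), and the grandchild anchor spam/foo1/deep, the relative reference anchor "bar" and every rule in the spam tree are invented for illustration.

```python
"""Model of pf anchor evaluation for the anchor "name/*" wildcard.

This is an illustrative model of the documented behaviour, not pf's own
data structures or code.
"""
import re
from dataclasses import dataclass, field

# Matches the start of an anchor rule and captures the quoted anchor name.
ANCHOR_RULE = re.compile(r'^anchor\s+"([^"]+)"')


@dataclass
class Anchor:
    """One pf anchor: its own ruleset plus its directly attached children."""
    path: str
    rules: list = field(default_factory=list)
    children: dict = field(default_factory=dict)


class AnchorTree:
    """The anchor hierarchy; the root is the main (unnamed) ruleset."""

    def __init__(self):
        self.root = Anchor("")

    def declare(self, path):
        """Create (or return) the anchor at `path`, creating parents on the way."""
        node = self.root
        if path:
            for part in path.split("/"):
                full = part if node is self.root else f"{node.path}/{part}"
                node = node.children.setdefault(part, Anchor(full))
        return node

    def find(self, path):
        """Look up an anchor without creating it; None if it does not exist."""
        node = self.root
        for part in (path.split("/") if path else []):
            node = node.children.get(part)
            if node is None:
                return None
        return node

    def add_rule(self, path, rule):
        self.declare(path).rules.append(rule)


def evaluation_order(tree, path=""):
    """Return [(anchor_path, rule), ...] in the order the rules are evaluated,
    starting from the ruleset of the anchor at `path` ("" = main ruleset)."""
    node = tree.find(path)
    if node is None:
        return []
    out = []
    for rule in node.rules:
        m = ANCHOR_RULE.match(rule)
        if not m:
            out.append((path, rule))          # an ordinary filter rule
            continue
        target = m.group(1)
        wildcard = target.endswith("/*")
        if wildcard:
            target = target[:-2]
        # Anchor names are resolved relative to the anchor holding the rule.
        target_path = f"{path}/{target}" if path else target
        if wildcard:
            # Children in alphabetical order (sorted() on ASCII names matches
            # pf's strcmp ordering); the parent's own rules are not evaluated
            # and grandchildren are reached only if a child's rule names them.
            parent = tree.find(target_path)
            for name in (sorted(parent.children) if parent else []):
                out.extend(evaluation_order(tree, f"{target_path}/{name}"))
        else:
            out.extend(evaluation_order(tree, target_path))
    return out


def osx_default_tree():
    """The Mountain Lion layout from the question; the three anchors whose
    contents the question does not show are assumed empty."""
    t = AnchorTree()
    t.add_rule("", 'anchor "com.apple/*" all')
    for child in ("100.InternetSharing", "200.AirDrop",
                  "250.ApplicationFirewall", "300.NetworkLinkConditioner"):
        t.add_rule("com.apple", f'anchor "{child}/*" all')
        t.declare(f"com.apple/{child}")
    t.add_rule("com.apple/250.ApplicationFirewall",
               "block drop in inet proto icmp all icmp-type echoreq")
    t.add_rule("com.apple/250.ApplicationFirewall",
               "block drop in inet6 proto ipv6-icmp all icmp6-type echoreq")
    return t


def spam_example_tree():
    """Constructed spam/foo1, spam/foo2 layout with an invented grandchild and
    an invented relative anchor reference; all rules here are made up."""
    t = AnchorTree()
    t.add_rule("", 'anchor "spam/*"')
    t.add_rule("spam", "block in all")                              # spam's own rule
    t.add_rule("spam/foo1", "pass in proto tcp to port 25")
    t.add_rule("spam/foo1/deep", "pass in proto tcp to port 587")   # grandchild
    t.add_rule("spam/foo2", 'anchor "bar"')                         # means spam/foo2/bar
    t.add_rule("spam/foo2/bar", "block out all")
    return t


if __name__ == "__main__":
    for label, tree in (("com.apple", osx_default_tree()), ("spam", spam_example_tree())):
        print(f"== {label}: rules reached from the main ruleset ==")
        for anchor_path, rule in evaluation_order(tree):
            print(f"  [{anchor_path}] {rule}")
```

Running it shows that anchor "com.apple/*" reaches the two ApplicationFirewall block rules directly through the child anchors, while the anchor "100.InternetSharing/*" lines stored in com.apple itself are never evaluated by the wildcard (evaluating com.apple as a ruleset yields nothing here, because those wildcard rules find no grandchildren). In the spam tree, spam's own "block in all" and the grandchild spam/foo1/deep are skipped, but spam/foo2/bar is reached because a rule inside spam/foo2 names it relative to that anchor.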