Original post: http://bbs3.chinaunix.net/thread-1522657-1-1.html

Many thanks to congli

Tested successfully. It turns out that nat-anchor and rdr-anchor are used just like an ordinary anchor; the only restriction is where they can be used. That is what I thought at first, but I just could not get it to work; then today when I tried again, everything worked.
Here is a rough record of the test process; anyone who has read about PF should understand it at a glance.

Going back to the first post and comparing with the rule I wrote earlier:

echo "pass in on xl0 inet proto tcp from any to 192.168.0.23 "|pfctl -a "myanchor/new_rules" -f

The difference is myanchor/new_rules ==>> myanchor:new_rules: just replace the / with a :.

A brief note, using rdr-anchor as the example.
Set up an rdr-anchor relayd/*

Add the rule:

sudo sh -c 'echo "rdr on xl0 inet proto tcp from any to any port 80 -> 192.168.0.115 port 8080"|pfctl -a relayd:web -f -'


Show all anchors:

$ sudo pfctl -sA
   goodguys
   myanchor
   nat_anchor
   relayd
   relayd:web <<--------- the newly added web port forward
Check the relayd:web rule just added:

$ sudo pfctl -a "relayd:web" -sn
rdr on xl0 inet proto tcp from any to any port = http -> 192.168.0.115 port 8080


Clear the relayd:web rules:

[bsd@bsd ] $ sudo pfctl -a "relayd:web" -F nat
nat cleared <<--- reports that it was cleared

Check whether it was cleared:
[bsd@bsd ] $ sudo pfctl -sA
   goodguys
   myanchor
   nat_anchor
   relayd
=================================================
Set up nat-anchor nat_anchor/*

sudo sh -c 'echo "nat on xl0 from 192.168.0.23   to any -> xl0 "|pfctl -a nat_anchor:tt -f -'


sudo pfctl -sA
   goodguys
   myanchor
   nat_anchor
   nat_anchor:tt
   relayd


$ sudo pfctl -a "nat_anchor:tt" -sn
nat on xl0 inet from 192.168.0.23 to any -> { 192.168.1.222, 192.168.1.112, 192.168.1.113, 192.168.1.114, 192.168.1.115 } round-robin


[bsd@bsd ~] $ sudo pfctl -a "nat_anchor:tt" -F n
nat cleared
[bsd@bsd ~] $ sudo pfctl -a "nat_anchor:tt" -sn
pfctl: DIOCGETRULES: Invalid argument
[bsd@bsd ~] $ sudo pfctl -sA
   goodguys
   myanchor
   nat_anchor
   relayd
===============================================


Set up anchor myanchor

$ sudo sh -c 'echo "pass in quick on xl0 from any to any "|pfctl -a myanchor:tt -f -'

$ sudo pfctl -sA
   goodguys
   myanchor
   myanchor:tt
   nat_anchor
   relayd


$ sudo pfctl -a "myanchor:tt" -sr
pass in quick on xl0 all flags S/SA keep state


===========================
The usage of / and : seems to be somewhat different.
When using authpf, to view the rules loaded for a particular user, you have to use the following form:
# pfctl -a "authpf/hsw(19490)" -s r
# pfctl -sA
   authpf
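An added example, not from the original post, that scripts the load-then-check steps above for the parent:child anchor form: it feeds one rule into a sub-anchor and confirms the anchor appears in (or, after a flush, disappears from) pfctl -sA, matching the whole anchor name so that "relayd" is not mistaken for "relayd:web". PFCTL, the function names and the sample listing are assumptions; the pfctl calls must run as root (or via sudo) as in the post.

```shell
#!/bin/sh
# Assumes the main ruleset already declares the parent anchor, e.g.
#   rdr-anchor "relayd/*"   (or nat-anchor "nat_anchor/*", anchor "myanchor/*")
# and uses the "parent:child" form with -a, which is what worked in the post.
PFCTL=${PFCTL:-pfctl}   # assumed override point, e.g. PFCTL="sudo pfctl"

# anchor_listed LISTING NAME
# Return 0 if NAME is one whole (trimmed) line of the `pfctl -sA` output
# passed in LISTING. A plain `grep relayd` would also match "relayd:web",
# so leading/trailing blanks are stripped and the full line is compared.
anchor_listed() {
    printf '%s\n' "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF -- "$2"
}

# load_anchor_rule ANCHOR RULE
# Load RULE into ANCHOR from stdin (-f -), then verify the anchor is listed.
load_anchor_rule() {
    printf '%s\n' "$2" | $PFCTL -a "$1" -f - || return 1
    anchor_listed "$($PFCTL -sA)" "$1"
}

# flush_anchor ANCHOR [KIND]
# Flush nat/rdr rules (-F nat, the default) or filter rules (-F rules)
# from ANCHOR, then verify it no longer appears in the listing.
flush_anchor() {
    $PFCTL -a "$1" -F "${2:-nat}" || return 1
    ! anchor_listed "$($PFCTL -sA)" "$1"
}

# Demo of the post's rdr-anchor case; only runs when invoked as: script demo
if [ "${1:-}" = "demo" ]; then
    load_anchor_rule relayd:web \
        'rdr on xl0 inet proto tcp from any to any port 80 -> 192.168.0.115 port 8080' \
        && $PFCTL -a relayd:web -sn \
        && flush_anchor relayd:web nat \
        && echo "relayd:web loaded, shown and flushed"
fi
```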