LINUX.ORG.RU

Edit history

Revision by iZEN (current version):

man pf.conf

     tag <string>
           Packets matching this rule will be tagged with the specified
           string.  The tag acts as an internal marker that can be used to
           identify these packets later on.  This can be used, for example, to
           provide trust between interfaces and to determine if packets have
           been processed by translation rules.  Tags are "sticky", meaning
           that the packet will be tagged even if the rule is not the last
           matching rule.  Further matching rules can replace the tag with a
           new one but will not remove a previously applied tag.  A packet is
           only ever assigned one tag at a time.  Packet tagging can be done
           during nat, rdr, or binat rules in addition to filter rules.  Tags
           take the same macros as labels (see above).

     tagged <string>
           Used with filter, translation or scrub rules to specify that
           packets must already be tagged with the given tag in order to match
           the rule.  Inverse tag matching can also be done by specifying the !
           operator before the tagged keyword.
Configuration examples:
     # Packet Tagging

     # three interfaces: $int_if, $ext_if, and $wifi_if (wireless). NAT is
     # being done on $ext_if for all outgoing packets. tag packets in on
     # $int_if and pass those tagged packets out on $ext_if.  all other
     # outgoing packets (i.e., packets from the wireless network) are only
     # permitted to access port 80.

     pass in on $int_if from any to any tag INTNET
     pass in on $wifi_if from any to any

     block out on $ext_if from any to any
     pass out quick on $ext_if tagged INTNET
     pass out on $ext_if proto tcp from any to any port 80

     # tag incoming packets as they are redirected to spamd(8). use the tag
     # to pass those packets through the packet filter.

     rdr on $ext_if inet proto tcp from <spammers> to port smtp \
             tag SPAMD -> 127.0.0.1 port spamd

     block in on $ext_if
     pass in on $ext_if inet proto tcp tagged SPAMD

Original version by iZEN:

man pf.conf

tag <string>
           Packets matching this rule will be tagged with the specified
           string.  The tag acts as an internal marker that can be used to
           identify these packets later on.  This can be used, for example, to
           provide trust between interfaces and to determine if packets have
           been processed by translation rules.  Tags are "sticky", meaning
           that the packet will be tagged even if the rule is not the last
           matching rule.  Further matching rules can replace the tag with a
           new one but will not remove a previously applied tag.  A packet is
           only ever assigned one tag at a time.  Packet tagging can be done
           during nat, rdr, or binat rules in addition to filter rules.  Tags
           take the same macros as labels (see above).

     tagged <string>
           Used with filter, translation or scrub rules to specify that
           packets must already be tagged with the given tag in order to match
           the rule.  Inverse tag matching can also be done by specifying the !
           operator before the tagged keyword.
Configuration examples:
# Packet Tagging

     # three interfaces: $int_if, $ext_if, and $wifi_if (wireless). NAT is
     # being done on $ext_if for all outgoing packets. tag packets in on
     # $int_if and pass those tagged packets out on $ext_if.  all other
     # outgoing packets (i.e., packets from the wireless network) are only
     # permitted to access port 80.

     pass in on $int_if from any to any tag INTNET
     pass in on $wifi_if from any to any

     block out on $ext_if from any to any
     pass out quick on $ext_if tagged INTNET
     pass out on $ext_if proto tcp from any to any port 80

     # tag incoming packets as they are redirected to spamd(8). use the tag
     # to pass those packets through the packet filter.

     rdr on $ext_if inet proto tcp from <spammers> to port smtp \
             tag SPAMD -> 127.0.0.1 port spamd

     block in on $ext_if
     pass in on $ext_if inet proto tcp tagged SPAMD
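
A small Python model of the tag semantics quoted above, run against the first example ruleset (an added example, not part of iZEN's post and not pf code). It assumes a stateless filter with no NAT; the `Rule`, `Packet`, `evaluate` and `forward` names and the interface strings are hypothetical.

```python
# Simplified model of pf filter evaluation: no state table, no NAT (assumptions).
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    iface: str
    quick: bool = False
    proto: Optional[str] = None
    port: Optional[int] = None
    tag: Optional[str] = None      # tag to set when this rule matches
    tagged: Optional[str] = None   # tag the packet must already carry
    not_tagged: bool = False       # models "! tagged <string>"

@dataclass
class Packet:
    proto: str
    port: int
    tag: Optional[str] = None      # a packet carries at most one tag

def evaluate(rules, pkt, direction, iface):
    """Last matching rule wins unless a matching rule is quick."""
    verdict = "pass"               # pf passes packets that match no rule
    for r in rules:
        if (r.direction, r.iface) != (direction, iface):
            continue
        if r.proto not in (None, pkt.proto) or r.port not in (None, pkt.port):
            continue
        if r.tagged is not None and (pkt.tag == r.tagged) == r.not_tagged:
            continue
        if r.tag is not None:
            pkt.tag = r.tag        # sticky: kept even if a later rule decides
        verdict = r.action
        if r.quick:
            break
    return verdict

RULES = [  # the man page's first ruleset; interface names are constructed
    Rule("pass", "in", "int_if", tag="INTNET"),
    Rule("pass", "in", "wifi_if"),
    Rule("block", "out", "ext_if"),
    Rule("pass", "out", "ext_if", quick=True, tagged="INTNET"),
    Rule("pass", "out", "ext_if", proto="tcp", port=80),
]

def forward(pkt, in_if, out_if="ext_if"):
    ok_in = evaluate(RULES, pkt, "in", in_if) == "pass"
    return evaluate(RULES, pkt, "out", out_if) if ok_in else "block"
```

Calling `forward(Packet("tcp", 22), "wifi_if")` shows why the untagged wireless traffic is held to port 80, while the same packet entering on `int_if` leaves through the `quick` rule.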