I am not using an anchor, I use the following on my workstation:
Code:
table <ftp_sites> {
ftp.openbsd.org
ftp.eu.openbsd.org
anga.funkfeuer.at
ftp.wu-wien.ac.at
ftp.nluug.nl
ftp5.usa.openbsd.org
ftp3.usa.openbsd.org
obsd.cec.mtu.edu
ftp.halifax.rwth-aachen.de
ftp.dk.freebsd.org
}
table <ftp_local> {
192.168.222.0/24
}
# -- sysctls
# net.inet.ip.porthifirst=49152
# net.inet.ip.porthilast=65535
FTPfirst = 49152
#FTPlast = 65535
# -- outgoing ftp
pass out quick on egress inet proto tcp from egress to <ftp_sites> port ftp label "$nr:$proto:FTP_CMD_OUT"
pass out quick on egress inet proto tcp from egress port >= 1023 to <ftp_sites> port >= $FTPfirst label "$nr:$proto:FTP_DATA_OUT"
# allow local network clients to access ftp server on workstation
pass in quick on egress inet proto tcp from <ftp_local> to egress port ftp label "$nr:$proto:FTP_CMD_IN"
pass in quick on egress inet proto tcp from <ftp_local> port >= 1023 to egress port >= $FTPfirst label "$nr:$proto:FTP_DATA_IN"
IMHO http://www.openbsd.org/faq/pf/anchors.html explains anchors rather well,
Quote:
Manipulation of anchors is performed via pfctl. It can be used to add and remove rules from an anchor without reloading the main ruleset.
To list all the rules in the anchor named ssh:
Code:
# pfctl -a ssh -s rules
To flush all rules from the same anchor:
Code:
# pfctl -a ssh -F rules
The same section also tells you how to add rules saved in a file to the anchor:
Quote:
Rules can also be saved and loaded from a text file:
Code:
# cat >> /etc/anchor-goodguys-www
pass in proto tcp from 192.0.2.3 to any port 80
pass in proto tcp from 192.0.2.4 to any port { 80 443 }
# pfctl -a goodguys -f /etc/anchor-goodguys-www
So the simplest thing would be to define an empty anchor in your rule set. Create a text file with the ftp rules. Load these into the anchor, when you need them. Flush them from the anchor, when you are done.
Not too difficult, isn't it?
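As an added example (not from the original thread), a small sh wrapper for exactly that workflow: it writes the passive-ftp rules from the workstation ruleset above into a file and loads, flushes or lists them in a pf anchor via pfctl. It assumes pf.conf already declares an empty anchor with the line `anchor ftp` and that the <ftp_sites> table lives in the main ruleset; the anchor name, the file path and the PFCTL override are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: load/flush passive-ftp rules into a pf anchor.
# Assumptions: pf.conf already declares an empty anchor named "ftp" (line: anchor ftp),
# and <ftp_sites> is a table defined in the main ruleset; names below are constructed.
ANCHOR="${ANCHOR:-ftp}"
RULES="${RULES:-/etc/anchor-ftp}"
PFCTL="${PFCTL:-pfctl}"     # set PFCTL=echo to dry-run without touching the kernel ruleset
FTPFIRST=49152              # same passive data-port window as net.inet.ip.porthifirst/porthilast
FTPLAST=65535

# Write the on-demand ftp rules (adapted from the workstation ruleset quoted above) to $1.
write_rules() {
    cat > "$1" <<EOF
# loaded into anchor "$ANCHOR" only while an ftp session is needed
pass out quick on egress inet proto tcp from egress to <ftp_sites> port ftp
pass out quick on egress inet proto tcp from egress port >= 1023 to <ftp_sites> port $FTPFIRST:$FTPLAST
EOF
}

load_rules()  { write_rules "$RULES" && "$PFCTL" -a "$ANCHOR" -f "$RULES"; }
flush_rules() { "$PFCTL" -a "$ANCHOR" -F rules; }
show_rules()  { "$PFCTL" -a "$ANCHOR" -s rules; }

# Dispatch only when run with an argument, so the file can also be sourced.
case "${1:-}" in
    load)  load_rules ;;
    flush) flush_rules ;;
    show)  show_rules ;;
    "")    ;;
    *)     echo "usage: $0 load|flush|show" >&2; exit 64 ;;
esac
```

Run it as `sh ftpanchor.sh load` before an ftp session and `sh ftpanchor.sh flush` afterwards; the main ruleset is never reloaded.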
Yes, I know, been there too. Sometimes we fail to see the forest, because there are so many trees.