From: "N. Ersen SISECI" <siseci@gmail.com>
Date: Fri, 16 Nov 2007 16:30:17 +0200
To: freebsd-pf@FreeBSD.org
Subject: Re: Nat Pass and PF Default Rule
Message-ID: <473DA979.1080708@gmail.com>
In-Reply-To: <20071116141635.GE29432@insomnia.benzedrine.cx>
References: <473D9922.4010207@gmail.com> <20071116141635.GE29432@insomnia.benzedrine.cx>

Hi,

I wrote some scripts for adding or removing rules to the current ruleset. If there is a syntax error or something is wrong in the new ruleset, pf will not load the rules and the default rule will affect the new connections. The default pass rule will pass everything. And sometimes I cannot notice this. If the default rule is block, I will notice this situation.

Ersen.

Daniel Hartmeier wrote:
> On Fri, Nov 16, 2007 at 03:20:34PM +0200, N. Ersen SISECI wrote:
>
>> I changed PF's default rule in kernel (pf_ioctl.h). And then I restarted
>> my server.
>
> Uh, if you do that you deal with the fallout yourself ;)
>
> Seriously, there is no reason to do that. Adding a block rule to your
> ruleset does the trick of defaulting to blocking.
>
> Daniel
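The failure mode Ersen describes (a ruleset that fails to parse, leaving pf on its built-in default) and Daniel's remedy (an explicit block rule in the ruleset) can both be handled in the loader script itself. The following is an added example written for this page, not Ersen's script nor anything from the pf project; it assumes FreeBSD's pfctl(8) with its `-n` (parse only) and `-f` (load file) options, and the `PFCTL` variable, `load_ruleset`, `has_block_default` and the constructed `EXAMPLE_RULESET` are this example's own names.

```shell
#!/bin/sh
# Added example: parse a pf ruleset before loading it, so a syntax error
# keeps the currently loaded rules instead of dropping to pf's default.
# PFCTL may be overridden (e.g. to test on a host without pf).
PFCTL="${PFCTL:-pfctl}"

# Constructed ruleset: the first filter rule is an explicit "block", so
# the kernel default is never what decides a new connection.
EXAMPLE_RULESET='ext_if="em0"
block log all
pass in on $ext_if proto tcp to port 22 keep state
pass out on $ext_if keep state'

# Dry-run parse with "pfctl -n" first; only load with "-f" if it passes.
# Returns 0 when loaded, 1 on a parse error (old ruleset kept),
# 2 when the file is unreadable.
load_ruleset() {
    conf="$1"
    [ -r "$conf" ] || return 2
    if ! "$PFCTL" -nf "$conf" >/dev/null 2>&1; then
        echo "pf: syntax error in $conf, keeping current ruleset" >&2
        return 1
    fi
    "$PFCTL" -f "$conf"
}

# Refuse to consider a ruleset "safe" unless it carries an explicit
# block rule, which is what makes the policy default to deny.
has_block_default() {
    grep -Eq '^[[:space:]]*block([[:space:]]|$)' "$1"
}

# usage: has_block_default /etc/pf.conf && load_ruleset /etc/pf.conf
```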