From owner-freebsd-pf@FreeBSD.ORG  Fri Nov 16 14:49:38 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D2D6316A417
	for <freebsd-pf@freebsd.org>; Fri, 16 Nov 2007 14:49:38 +0000 (UTC)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx
	[IPv6:2001:6f8:1098::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 7457513C468
	for <freebsd-pf@freebsd.org>; Fri, 16 Nov 2007 14:49:38 +0000 (UTC)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1])
	by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id lAGEncsB029274
	(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO);
	Fri, 16 Nov 2007 15:49:38 +0100 (MET)
Received: (from dhartmei@localhost)
	by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id lAGEncQd012730;
	Fri, 16 Nov 2007 15:49:38 +0100 (MET)
Date: Fri, 16 Nov 2007 15:49:38 +0100
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: "N. Ersen SISECI" <siseci@gmail.com>
Message-ID: <20071116144938.GF29432@insomnia.benzedrine.cx>
References: <473D9922.4010207@gmail.com>
	<20071116141635.GE29432@insomnia.benzedrine.cx>
	<473DA979.1080708@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <473DA979.1080708@gmail.com>
User-Agent: Mutt/1.5.12-2006-07-14
Cc: freebsd-pf@freebsd.org
Subject: Re: Nat Pass and PF Default Rule
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Nov 2007 14:49:38 -0000

On Fri, Nov 16, 2007 at 04:30:17PM +0200, N. Ersen SISECI wrote:

> I wrote some scripts for adding or removing rules to the current ruleset.
> If there is a syntax error or something is wrong in new rule set, pf
> will not load rules and default rule
> will effect the new connections. Default pass rule will pass everything.
> And sometimes i can not notice this. If the default rule is block, i
> will notice this situation.

No, if loading the ruleset fails, the previous ruleset will remain
active. It won't fall back to the empty ruleset. That is, unless you
superfluously use -F, too (don't!).

Changing the default rule breaks more things than you imagine. It's used
for various things (like assignment of pfsync'd states). The breakage
will be broad and subtle, I'd advise against it ;)

Daniel