Date:      Fri, 25 Mar 2005 01:22:53 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org, jon@abccomm.com
Subject:   Re: Isn't there a way to parse, don't load rules and complain about syntax errors or missing variables ?
Message-ID:  <200503250123.01060.max@love2party.net>
In-Reply-To: <8eea04080503241516211d5aea@mail.gmail.com>
References:  <787dcac20503241448430a7de2@mail.gmail.com> <8eea04080503241516211d5aea@mail.gmail.com>

On Friday 25 March 2005 00:16, Jon Simola wrote:
> On Thu, 24 Mar 2005 16:48:48 -0600, BB <brent.bolin@gmail.com> wrote:
> > However when I looked at the configuration file again the scrub rule
> > had the explicit interface name fxp0
> >
> > This new box doesn't have fxp0
>
> It will probably make sense if you think that some interfaces like
> vlan and tun are created and destroyed. You probably don't want to
> reload your firewall config every time you bring up a PPP link.

That's part of the reasoning.  Also you usually want to have rules to block
PPP traffic *before* you bring up the link etc. ... in the end it's
hard^Wimpossible to satisfy everybody.  As for "detecting" this kind of
foot-shooting, you can do a "$pfctl -vsI | grep placeholder" after you have
loaded the ruleset.  Something that should probably go into a TBD "Debugging
PF - best practices" article in our doc tree.  Any takers :-)

> ipfw has the same feature.

Not quite.  IPFW just does pattern matching on the interface name, something
that is even more nasty and can be a lot of fun when you have vlan1 and
vlan11.  But that's just a side note.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
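An added example for this thread, not code from Max's mail or from pfctl itself. `pfctl -nf` only checks syntax: a rule that names an interface the host does not have still loads, and pf keeps a placeholder for it, which is why the thread suggests grepping `pfctl -vsI` after the fact. The script below is a pre-flight alternative: it lists every interface named in an "on ..." clause of a pf.conf and compares that list with a caller-supplied set of interfaces, so it runs offline here; on a live FreeBSD box you would pass "$(ifconfig -l)". The macro handling (simple name="value" lines), the brace-list form "on { a, b }", the sample ruleset and the function names are my assumptions, not pf's grammar.

```sh
#!/bin/sh
# Added example (not from the original mail or the pf project): find
# interfaces referenced by a pf.conf that the host does not have.
# Assumptions: macros are single-line  name = "value"  definitions, and
# brace lists are space separated, e.g.  on { fxp0, em0 }.

# pf_iface_refs FILE: print each interface named by an "on" clause in FILE,
# one per line, first occurrence only.
pf_iface_refs() {
    awk '
    # Strip list punctuation, resolve $macro, print each name once.
    function emit(tok,   m) {
        gsub(/[^A-Za-z0-9_.$]/, "", tok)      # drop commas and braces
        if (substr(tok, 1, 1) == "$") {
            m = substr(tok, 2)
            if (m in macro) tok = macro[m]    # unknown macros stay as "$name"
        }
        if (tok != "" && !(tok in seen)) { seen[tok] = 1; print tok }
    }
    /^[ \t]*#/ { next }                       # comment line
    # Macro definition: name = "value"
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"[^"]*"/ {
        name = $0; sub(/[ \t]*=.*/, "", name)
        val = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
        macro[name] = val
        next
    }
    {
        n = split($0, w, /[ \t]+/)
        for (i = 1; i < n; i++) {
            if (w[i] != "on") continue
            if (w[i+1] == "!") i++            # "on ! fxp0" negation
            if (w[i+1] == "{") {              # "on { a, b }" list
                for (j = i + 2; j <= n && w[j] != "}"; j++) emit(w[j])
            } else {
                emit(w[i+1])
            }
        }
    }' "$1"
}

# pf_missing_ifaces FILE "if1 if2 ...": print "missing: NAME" for every
# referenced interface absent from the list; return 1 if any is missing.
pf_missing_ifaces() {
    pf_present=" $2 "
    pf_rc=0
    for pf_if in $(pf_iface_refs "$1"); do
        case "$pf_present" in
            *" $pf_if "*) ;;
            *) echo "missing: $pf_if"; pf_rc=1 ;;
        esac
    done
    return $pf_rc
}

# Constructed sample ruleset (not from the thread): the scrub rule still
# names fxp0, which the new box does not have.
PF_SAMPLE=$(mktemp)
cat > "$PF_SAMPLE" <<'EOF'
ext_if = "em0"
set skip on lo0
scrub in on fxp0 all
block in on $ext_if all
pass out on $ext_if all
pass in on { $ext_if, vlan11 } proto tcp to port 22
EOF

# Stand-alone run with an interface list standing in for "ifconfig -l"
# on the new host.  Prints: missing: fxp0
pf_missing_ifaces "$PF_SAMPLE" "em0 lo0 vlan11" \
    || echo "ruleset references interfaces this host lacks"
```

On a real host the sequence is `pfctl -nf /etc/pf.conf` for syntax, then `pf_missing_ifaces /etc/pf.conf "$(ifconfig -l)"` for interface names; interface groups such as egress are not in `ifconfig -l` output, so append any group names your rules use to the list by hand. The check is deliberately stricter than pf, which by design accepts names of interfaces that may only appear later (PPP, vlan, tun), so treat a "missing" line as something to look at, not necessarily an error.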

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200503250123.01060.max>