Date:      Fri, 24 Mar 2017 12:16:06 +0300
From:      Odhiambo Washington <odhiambo@gmail.com>
To:        Arthur Chance <freebsd@qeng-ho.org>
Cc:        "James B. Byrne" <byrnejb@harte-lyne.ca>, User Questions <freebsd-questions@freebsd.org>
Subject:   Re: Restarting PF and its effects on jails and vms
Message-ID:  <CAAdA2WMudfmePPrHCOY8XcgCvDn-r78Ono-vrX_RdYn37nJMqw@mail.gmail.com>
In-Reply-To: <f208af7c-1427-ea5e-e849-3f9055d56838@qeng-ho.org>
References:  <d8c45fd2a689b07df63082aa04e036e7.squirrel@webmail.harte-lyne.ca> <f208af7c-1427-ea5e-e849-3f9055d56838@qeng-ho.org>

On 24 March 2017 at 11:20, Arthur Chance <freebsd@qeng-ho.org> wrote:

> On 23/03/2017 18:29, James B. Byrne via freebsd-questions wrote:
> > I am revising the pf configuration for the FreeBSD-10.3 host of a
> > number of FreeBSD-11.0 BHyve instances. When I restart PF on the host
> > then traffic to a number of guests gets blocked even though the
> > ruleset says it should not be.
> >
> > Since the incoming ports for the blocked traffic appear to be from the
> > upper dynamic range I infer that this traffic is related to
> > connections established before PF was restarted and are now 'orphaned'
> > in consequence.  In other words, had the initial connection between
> > client and service been made while PF was already running the traffic
> > being blocked following a restart would have been let through as being
> > part of an established connection.
> >
> > What is the recommended way of dealing with this issue when restarting
> > PF, if there is one?
>
> Don't restart pf, reload it. "service pf reload" goes to great lengths
> not to interfere with existing connections whereas "service pf restart"
> blows away everything before restarting.
>
> This is fresh in my mind because I made exactly the same mistake last
> week before remembering to reload. :-)
>

A quick one, before I get to RTFM, is there an equivalent 'reload' option
for pfctl (9.3-STABLE)?

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
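The reply above explains why "service pf restart" orphans established connections: the rc script's start step runs "pfctl -F all", which empties the state table along with the rules, so packets belonging to connections opened before the restart no longer match any state and fall through to the block rules. Loading a ruleset with "pfctl -f" alone replaces the rules and leaves the state table untouched. The script below is an added example, not code from the thread or from FreeBSD's rc.d/pf; it wraps that safe reload the way a practitioner would type it with pfctl directly. The PFCTL and PF_RULES variables, the pf_state_count helper and its parsing of the "current entries" line of "pfctl -si" are assumptions of this example.

```shell
#!/bin/sh
# Added example: reload pf rules with pfctl without flushing the state table.
# PFCTL and PF_RULES are this example's own knobs; PFCTL can be pointed at a
# stub so the logic can be exercised on a host without pf.
PFCTL=${PFCTL:-pfctl}
PF_RULES=${PF_RULES:-/etc/pf.conf}

# Number of entries currently in the pf state table, read from the
# "current entries" line of "pfctl -si" (assumed output layout).
pf_state_count() {
    "$PFCTL" -si | awk '/current entries/ { print $3; exit }'
}

# Safe reload: parse the ruleset first (-n), and only if it is valid load it
# in place with -f. "pfctl -f" swaps the rules and never touches states; the
# flag that breaks established connections is -F states / -F all, which this
# function deliberately never issues. Returns 1 and leaves the old rules
# active if the new ruleset does not parse.
pf_reload() {
    "$PFCTL" -nf "$PF_RULES" || return 1
    "$PFCTL" -f "$PF_RULES"
}

# Stand-alone usage on a real host:  sh pf_reload.sh reload
# Prints the state-table size before and after so a flush would be visible
# as a drop to zero.
case "${1:-}" in
    reload)
        before=$(pf_state_count)
        pf_reload || { echo "ruleset rejected, old rules still active" >&2; exit 1; }
        after=$(pf_state_count)
        echo "pf rules reloaded; state entries before=$before after=$after"
        ;;
esac
```

Compare the state counts printed by the script with what "service pf restart" does: after a restart the count starts again from zero, which is exactly the symptom described in the original question.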

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAdA2WMudfmePPrHCOY8XcgCvDn-r78Ono-vrX_RdYn37nJMqw>