Date:      Sat, 05 Jun 2021 19:06:13 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 256410] pf: Add pf_default_rules option
Message-ID:  <bug-256410-16861-qVIJoMbXa6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-256410-16861@https.bugs.freebsd.org/bugzilla/>
References:  <bug-256410-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410

Miroslav Lachman <000.fbsd@quip.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |000.fbsd@quip.cz

--- Comment #5 from Miroslav Lachman <000.fbsd@quip.cz> ---
Wouldn't it be better to use pf_check() before loading the ruleset in pf_start() and
then decide if the "default" ruleset should be loaded?
Many rc scripts do check for syntax errors in config files before loading /
running the daemon (Apache, Lighttpd, Nginx...)

It will be useful to run this check before service pf start / reload / restart
commands in general.

And if there can be any default rule(s) to load if something failed then it will
be good to have some option to load rules from a file, not just the one line from
a variable too.
On some remote boxes it is better to leave SSH (or something else) open if
loading of rules failed than to block everything.

Something like this comes to my mind:
  if check of pf.conf failed
    check if /etc/pf.conf.default is a file & try to load it
    if pf.conf.default does not exist, use one line rule from the pf_default_rules
    variable

Of course pf.conf.default can be named differently, or can be
/etc/defaults/pf.conf etc.

-- 
You are receiving this mail because:
You are the assignee for the bug.
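The fallback order sketched in Comment #5, written out as an added POSIX sh example. This is not code from the bug report or from FreeBSD's own rc.d/pf script; the function name pf_select_ruleset, the return format, and the file names pf.conf / pf.conf.default are assumptions taken from the comment. The syntax checker is passed in as a parameter so the logic can be exercised without pf: on a FreeBSD box the caller would pass "pfctl -nf", here a stand-in checker is used on constructed files.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeBSD's rc.d/pf): the fallback
# order proposed in Comment #5.
#   1. syntax-check the main ruleset (pfctl -nf on a real system);
#   2. if that fails, fall back to a default ruleset file if one exists and
#      itself passes the check;
#   3. otherwise fall back to the one-line rule held in a pf_default_rules
#      style variable.
# The function only decides which ruleset source to load and prints it, so
# the decision can be tested on a machine without pf.

# pf_select_ruleset CHECK_CMD MAIN_CONF DEFAULT_CONF DEFAULT_RULES
# Prints one of:
#   file:<path>    -> load that file (pfctl -f <path>)
#   inline:<rule>  -> feed the rule text to pfctl -f -
#   none           -> nothing usable; leave the current ruleset alone
# CHECK_CMD is run unquoted so a multi-word command such as "pfctl -nf"
# works; it must exit 0 when the file given as its last argument parses.
pf_select_ruleset() {
    check_cmd=$1 main_conf=$2 default_conf=$3 default_rules=$4

    # Step 1: the main ruleset parses, use it.
    if [ -f "$main_conf" ] && $check_cmd "$main_conf" >/dev/null 2>&1; then
        echo "file:$main_conf"
        return 0
    fi
    echo "pf: syntax check of $main_conf failed, trying fallbacks" >&2

    # Step 2: a default ruleset file that itself passes the check.
    if [ -f "$default_conf" ] && $check_cmd "$default_conf" >/dev/null 2>&1; then
        echo "file:$default_conf"
        return 0
    fi

    # Step 3: the one-line rule from the variable, if it is non-empty.
    if [ -n "$default_rules" ]; then
        echo "inline:$default_rules"
        return 0
    fi

    echo "none"
    return 1
}

# Constructed demo input (not a real ruleset from the report): the main file
# contains a deliberate bad line, the default file is clean.
demo_dir=$(mktemp -d)
printf 'pass in on egress proto tcp to port 22\nthis line is not pf syntax\n' \
    > "$demo_dir/pf.conf"
printf 'block all\npass in proto tcp to port 22\n' > "$demo_dir/pf.conf.default"
# Stand-in for "pfctl -nf": any file containing the marker is treated as broken.
demo_check() { ! grep -q 'not pf syntax' "$1"; }
pf_select_ruleset demo_check "$demo_dir/pf.conf" "$demo_dir/pf.conf.default" \
    'pass in proto tcp to port 22' || :
rm -rf "$demo_dir"
```

In an rc script the three outcomes would map to `pfctl -f "$path"`, `printf '%s\n' "$rule" | pfctl -f -`, and a warning with no change; the point of step 2 over a bare variable is that a whole file can keep the management path (SSH) open while still blocking the rest.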