Date: Fri, 24 Mar 2017 12:27:06 +0300
From: Odhiambo Washington <odhiambo@gmail.com>
To: Arthur Chance <freebsd@qeng-ho.org>
Cc: "James B. Byrne" <byrnejb@harte-lyne.ca>, User Questions <freebsd-questions@freebsd.org>
Subject: Re: Restarting PF and its effects on jails and vms
Message-ID: <CAAdA2WMhDHYM2=u9GWFzhB7A00c2nO%2B0uE0iZ0mrnNEQFm7qtQ@mail.gmail.com>
In-Reply-To: <2ba51e04-6065-b21a-367f-1137ab22d2bc@qeng-ho.org>
References: <d8c45fd2a689b07df63082aa04e036e7.squirrel@webmail.harte-lyne.ca> <f208af7c-1427-ea5e-e849-3f9055d56838@qeng-ho.org> <CAAdA2WMudfmePPrHCOY8XcgCvDn-r78Ono-vrX_RdYn37nJMqw@mail.gmail.com> <2ba51e04-6065-b21a-367f-1137ab22d2bc@qeng-ho.org>
On 24 March 2017 at 12:22, Arthur Chance <freebsd@qeng-ho.org> wrote:
> On 24/03/2017 09:16, Odhiambo Washington wrote:
> > On 24 March 2017 at 11:20, Arthur Chance <freebsd@qeng-ho.org> wrote:
> >
> >> On 23/03/2017 18:29, James B. Byrne via freebsd-questions wrote:
> >>> I am revising the pf configuration for the FreeBSD-10.3 host of a
> >>> number of FreeBSD-11.0 BHyve instances. When I restart PF on the host
> >>> then traffic to a number of guests gets blocked even though the
> >>> ruleset says it should not be.
> >>>
> >>> Since the incoming ports for the blocked traffic appear to be from the
> >>> upper dynamic range I infer that this traffic is related to
> >>> connections established before PF was restarted and are now 'orphaned'
> >>> in consequence. In other words, had the initial connection between
> >>> client and service been made while PF was already running the traffic
> >>> being blocked following a restart would have been let through as being
> >>> part of an established connection.
> >>>
> >>> What is the recommended way of dealing with this issue when restarting
> >>> PF, if there is one?
> >>
> >> Don't restart pf, reload it. "service pf reload" goes to great lengths
> >> not to interfere with existing connections whereas "service pf restart"
> >> blows away everything before restarting.
> >>
> >> This is fresh in my mind because I made exactly the same mistake last
> >> week before remembering to reload. :-)
> >>
> >
> > A quick one, before I get to RTFM, is there an equivalent 'reload' option
> > for pfctl (9.3-STABLE)?
> >
>
> It's all pfctl. By using service(8) I was referring to the rc.d script
> for pf, but that sits over pfctl. The reload part is (on 10.3)
>
> pf_reload()
> {
>         echo "Reloading pf rules."
>         $pf_program -n -f "$pf_rules" || return 1
>         # Flush everything but existing state entries that way when
>         # rules are read in, it doesn't break established connections.
>         $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
>         $pf_program -f "$pf_rules" $pf_flags
> }
>
> Apologies if my mailer breaks the long line.
>

Perfect!

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
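As an added example, not code from this thread or from FreeBSD's rc.d pf script: a small POSIX sh wrapper that applies the same reload discipline Arthur quotes (validate with -n first, flush everything except the state table, then load), and refuses to touch the running rules if the new file does not parse. PFCTL and PF_RULES are assumed variable names for overriding the binary and ruleset path.

```shell
#!/bin/sh
# Added example, not the rc.d pf script: reload pf rules without dropping
# the state table, so connections established before the reload survive.
# PFCTL and PF_RULES are assumed variable names (override them to test).

PFCTL="${PFCTL:-pfctl}"
PF_RULES="${PF_RULES:-/etc/pf.conf}"

# Parse-only check of a ruleset file. Returns 0 if it loads cleanly,
# non-zero otherwise; never changes the running firewall.
pf_check_rules() {
    "$PFCTL" -n -f "$1" >/dev/null 2>&1
}

# Reload a ruleset while preserving state. Returns 1 if the ruleset fails
# validation, so a typo in pf.conf never leaves the host with no rules.
pf_reload_keep_state() {
    if ! pf_check_rules "$1"; then
        echo "pf: $1 failed validation, running rules left untouched" >&2
        return 1
    fi
    # Flush NAT, queues, filter rules, source-tracking nodes, counters,
    # tables and OS fingerprints, but deliberately NOT -Fstate (and not
    # -Fall): the existing state entries are what keep established
    # connections flowing once the new rules are loaded.
    "$PFCTL" -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp >/dev/null 2>&1
    "$PFCTL" -f "$1"
}

# Stand-alone use: ./pf-reload.sh [ruleset]; defaults to $PF_RULES.
if [ "${0##*/}" = "pf-reload.sh" ]; then
    pf_reload_keep_state "${1:-$PF_RULES}"
fi
```

Run it as root on the pf host; the rc.d script does the same for "service pf reload", this version just makes the validation failure explicit on stderr.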