Date:      Fri, 16 Nov 2007 15:49:38 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        "N. Ersen SISECI" <siseci@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Nat Pass and PF Default Rule
Message-ID:  <20071116144938.GF29432@insomnia.benzedrine.cx>
In-Reply-To: <473DA979.1080708@gmail.com>
References:  <473D9922.4010207@gmail.com> <20071116141635.GE29432@insomnia.benzedrine.cx> <473DA979.1080708@gmail.com>

On Fri, Nov 16, 2007 at 04:30:17PM +0200, N. Ersen SISECI wrote:

> I wrote some scripts for adding or removing rules to the current ruleset.
> If there is a syntax error or something is wrong in the new rule set, pf
> will not load the rules and the default rule
> will affect the new connections. The default pass rule will pass everything.
> And sometimes I cannot notice this. If the default rule is block, I
> will notice this situation.

No, if loading the ruleset fails, the previous ruleset will remain
active. It won't fall back to the empty ruleset. That is, unless you
superfluously use -F, too (don't!).

Changing the default rule breaks more things than you imagine. It's used
for various things (like assignment of pfsync'd states). The breakage
will be broad and subtle, I'd advise against it ;)

Daniel
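As an added example that is not part of this thread: a small sh wrapper that parse-checks a ruleset with `pfctl -n -f` before loading it with `pfctl -f`, so a syntax error surfaces as a non-zero exit status and a message instead of going unnoticed, while the previous ruleset stays active. The `pf_reload` function name and the `PFCTL` override variable are my own; everything else is standard pfctl usage.

```shell
#!/bin/sh
# Added example, not code from the thread: reload a pf ruleset so that a
# broken file is reported loudly and the previously loaded ruleset is kept.
# Deliberately no -F here: flushing the active rules before the new file is
# known to be good is exactly what would leave only the default rule active.
# PFCTL may be overridden (e.g. with a stub) on hosts without pfctl.
PFCTL="${PFCTL:-pfctl}"

# pf_reload FILE
#   1. dry-run parse with `pfctl -n -f FILE` (nothing is changed on failure)
#   2. only if that succeeds, load it with `pfctl -f FILE`
# Returns 0 when loaded, 1 when the parse check failed, 2 when the load
# itself failed; in both failure cases the old ruleset is still active.
pf_reload() {
    file="$1"
    if ! "$PFCTL" -n -f "$file"; then
        echo "pf_reload: $file failed to parse; previous ruleset left active" >&2
        return 1
    fi
    if ! "$PFCTL" -f "$file"; then
        echo "pf_reload: loading $file failed; previous ruleset left active" >&2
        return 2
    fi
    echo "pf_reload: $file loaded"
    return 0
}

# Usage: ./pf_reload.sh /etc/pf.conf
if [ $# -gt 0 ]; then
    pf_reload "$1"
fi
```

The exit status is what a cron job or deploy script should check; the poster's "I cannot notice this" problem is then a failed command rather than a silently changed ruleset.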



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071116144938.GF29432>