From owner-freebsd-questions@freebsd.org Thu Mar 23 18:29:45 2017
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: freebsd-questions@freebsd.org
Reply-To: byrnejb@harte-lyne.ca
Date: Thu, 23 Mar 2017 14:29:35 -0400
Subject: Restarting PF and its effects on jails and vms

I am revising the pf configuration for the FreeBSD-10.3 host of a number of FreeBSD-11.0 BHyve instances. When I restart PF on the host, traffic to a number of guests gets blocked even though the ruleset says it should not be.

Since the incoming ports for the blocked traffic appear to be from the upper dynamic range, I infer that this traffic is related to connections that were established before PF was restarted and are now 'orphaned' in consequence. In other words, had the initial connection between client and service been made while PF was already running, the traffic being blocked following a restart would have been let through as being part of an established connection.

What is the recommended way of dealing with this issue when restarting PF, if there is one?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
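As an added example (not part of the post above and not pf's own tooling), a small Python analyzer over constructed `tcpdump -n -e -ttt -i pflog0` lines that separates blocked mid-stream segments (no SYN, ephemeral source port towards a service port, i.e. the 'orphaned' connections the post infers) from blocked new connection attempts. The 49152 boundary is an assumption taken from the IANA dynamic range; FreeBSD's actual ephemeral range comes from the `net.inet.ip.portrange` sysctls, so pass the host's value.

```python
import re
from collections import Counter

# Constructed sample in the format tcpdump prints for pflog0 records on a
# FreeBSD pf host right after a restart. Not real captured data.
PFLOG_SAMPLE = """\
000000 rule 2/0(match): block in on vtnet0: 203.0.113.7.51802 > 192.0.2.10.22: Flags [P.], seq 1:37, ack 1, win 1026, length 36
000012 rule 2/0(match): block in on vtnet0: 203.0.113.7.51802 > 192.0.2.10.22: Flags [.], ack 1, win 1026, length 0
000340 rule 2/0(match): block in on vtnet0: 198.51.100.4.40011 > 192.0.2.11.443: Flags [.], ack 1, win 512, length 0
001200 rule 2/0(match): block in on vtnet0: 198.51.100.9.3389 > 192.0.2.12.3389: Flags [S], seq 0, win 64240, length 0
002000 rule 5/0(match): pass in on vtnet0: 203.0.113.7.51990 > 192.0.2.10.22: Flags [S], seq 0, win 65535, length 0
"""

# One packet record: rule id, verdict, direction, interface, 4-tuple, TCP flags.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog(text):
    """Return one dict per TCP packet record; non-matching lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]


def classify(rec, ephemeral_first=49152):
    """Label a record. A blocked segment without SYN never matched a state entry:
    either pf lost the state (flushed on restart) or the flow was never allowed.
    An ephemeral source port aimed at a service port points to the former."""
    if rec["action"] != "block":
        return "passed"
    if "S" in rec["flags"]:
        return "new-connection-blocked"
    if int(rec["sport"]) >= ephemeral_first > int(rec["dport"]):
        return "orphaned-midstream"
    return "midstream-unknown"


def summarize(text, ephemeral_first=49152):
    """Count labels and collect the 4-tuples of flows that look orphaned."""
    counts, flows = Counter(), set()
    for rec in parse_pflog(text):
        label = classify(rec, ephemeral_first)
        counts[label] += 1
        if label == "orphaned-midstream":
            flows.add((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
    return counts, sorted(flows)


if __name__ == "__main__":
    counts, flows = summarize(PFLOG_SAMPLE)
    print(dict(counts))
    for src, sport, dst, dport in flows:
        print(f"orphaned flow: {src}:{sport} -> {dst}:{dport}")
```

Reloading with `pfctl -f /etc/pf.conf` (or `service pf reload`) swaps the ruleset but keeps the state table, whereas the rc script's start step runs `pfctl -F all` before loading rules, so `service pf restart` discards the states that established flows depend on.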