[Bug 256410] pf: Add pf_default_rules option

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 05 Jun 2021 19:06:13 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410

Miroslav Lachman <000.fbsd@quip.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |000.fbsd@quip.cz

--- Comment #5 from Miroslav Lachman <000.fbsd@quip.cz> ---
Wouldn't it be better to use pf_check() before loading the ruleset in pf_start() and
then decide if the "default" ruleset should be loaded?
Many rc scripts do check for syntax errors in config files before loading /
running the daemon (Apache, Lighttpd, Nginx...).

It will be useful to run this check before the service pf start / reload / restart
commands in general.

And if there can be any default rule(s) to load if something failed, then it would
be good to have an option to load rules from a file too, not just the one line from
a variable.
On some remote boxes it is better to leave SSH (or something else) open if
loading of the rules failed than to block everything.

Something like this comes to my mind:
if the check of pf.conf fails,
check if /etc/pf.conf.default is a file & try to load it;
if pf.conf.default does not exist, use the one-line rule from the pf_default_rules
variable.

Of course pf.conf.default can be named differently, or can be
/etc/defaults/pf.conf etc.

-- 
You are receiving this mail because:
You are the assignee for the bug.
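The fallback chain proposed in the comment (parse check, then a default rules file, then the one-line variable), written out as an added rc.d-style example; this is not the bug's patch nor FreeBSD's own rc.d/pf. pf_program and pf_rules follow the existing rc.d/pf variable names, pf_default_rules is the option named in the bug, and pf_default_rules_file is an assumed name for the file-based fallback.

```shell
#!/bin/sh
# Added example: load pf rules with a fallback chain instead of leaving the
# box fully blocked (or fully open) when /etc/pf.conf has a syntax error.
# pf_default_rules_file is an assumed variable name, not an rc.d/pf option.

: "${pf_program:=/sbin/pfctl}"
: "${pf_rules:=/etc/pf.conf}"
: "${pf_default_rules_file:=/etc/pf.conf.default}"
# Hypothetical single-line fallback, in the spirit of "keep SSH reachable".
: "${pf_default_rules:=pass in quick proto tcp to port 22}"

# Parse-only check, the same thing pf_check does: pfctl -n never loads anything.
pf_syntax_ok() {
    "$pf_program" -nf "$1" >/dev/null 2>&1
}

# Try the main ruleset, then the default file, then the variable.
# Prints which source was loaded on stdout; returns 1 if nothing could be loaded.
pf_load_with_fallback() {
    if pf_syntax_ok "$pf_rules"; then
        "$pf_program" -f "$pf_rules" && echo "main" && return 0
    fi
    echo "pf: syntax error in $pf_rules, trying fallback ruleset" >&2

    if [ -f "$pf_default_rules_file" ] && pf_syntax_ok "$pf_default_rules_file"; then
        "$pf_program" -f "$pf_default_rules_file" && echo "default-file" && return 0
    fi

    if [ -n "$pf_default_rules" ]; then
        # pfctl reads the ruleset from stdin when the file argument is "-".
        printf '%s\n' "$pf_default_rules" | "$pf_program" -f - \
            && echo "variable" && return 0
    fi

    echo "pf: no usable ruleset, leaving current rules untouched" >&2
    return 1
}
```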