[Bug 226850] [pf] Matching but failed rules block without return

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Mar 23 11:00:27 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

--- Comment #2 from vegeta at tuxpowered.net ---
I'm sorry, but I did not bother to check OpenBSD syntax. Hasn't FreeBSD diverged
beyond the point of caring about it anyway?

There are other ways to handle this without changing rule syntax, but then it
would not be tunable per rule:
1. have all "pass" rules always return if they fail
2. add new pf.conf "set" option
3. follow global "set block-policy" option

Option 3 is the least invasive one but is not a solution for my particular
issue - I want the firewall to silently drop packets when there is no matching
rule but be verbose when a rule fails.

I will prepare a patch for solution 2. That would mean no change in rule
syntax, no change in default behaviour, and the possibility to enable this fix if
anybody else finds this to be a bug for them too. To be honest, doing it this way
also means I can easily implement it in my environment. The patch I prepared
yesterday would require me to change how rules are generated depending on
FreeBSD release and kernel patch level. A single change in pf.conf is way easier
to do, as I create the resulting pf.conf from multiple files coming from
different sources.
