Restaarting PF and its effects on jails and vms
Jon Radel
jon at radel.com
Thu Mar 23 19:46:58 UTC 2017
On 3/23/17 2:29 PM, James B. Byrne via freebsd-questions wrote:
> Since the incoming ports for the blocked traffic appear to be from the
> upper dynamic range I infer that this traffic is related to
> connections established before PF was restarted and are now 'orphaned'
> in consequence. In other words, had the initial connection between
> client anf service been made while PF was already running the traffic
> being blocked following a restart would have been let through as being
> part of an established connection.
If you're depending on state maintenance, and "normal" PF rules pretty
much always would, this is almost certainly precisely the case.
>
> What is the recommended way of dealing with this issue when restarting
> PF, if there is one?
The literal answer to your question is that I don't know of one. A
better question however, is there something more useful to do than
restarting PF? For that, the answer would be:
pfctl -f <rulefile> -F <judicious indication of what to flush because
you just changed it>
I'm confident that you can come up with cases where that doesn't work
out, but if you're making small changes, and avoid flushing the states,
that might well solve your problem. See the pfctl man page.
--
--Jon Radel
jon at radel.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3890 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20170323/56c72fa1/attachment.bin>
More information about the freebsd-questions
mailing list