I would be very interested in seeing the ruleset that is buggy with
optimization enabled and not when it is disabled. If nothing else, so
that I won't use that type of configuration.
I am using multiple anchors, with a reasonably large ruleset on my
systems, and have not seen this type of issue.
RG
On 07/22/2013 03:41 PM, Philip Jungnickel wrote:
Synopsis: Problem reading pf.conf with pfctl and no -o level specified
Category: pfctl
Environment:
System : OpenBSD 5.3
Details : OpenBSD 5.3 (GENERIC.MP) #62: Tue Mar 12 18:21:20 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
Description:
The system is used as a firewall, and a configuration is stored in
/etc/pf.conf with multiple rules and anchors.
There is no problem with the configuration and the rules; if
you use the following command to read in the config file, they work fine:
pfctl -o none -f /etc/pf.conf
But if you use the command without the -o option, the pfctl tool
uses optimization by default and then ends up with a non-working ruleset,
while no error message is printed. The command reports no error when
used in the shell, but the packets do not pass the firewall as expected.
How-To-Repeat:
Use a working pf.conf with rules and anchors which pfctl can
likely optimize.
Run "pfctl -o none -f /.../pf.conf" and check the rules for
functionality. Everything works fine.
pfctl -a "anchor" -s Tables shows no automatically created tables.
Run "pfctl -f /.../pf.conf" and check the rules for functionality.
The rules do not work.
pfctl -a "anchor" -s Tables shows an automatically created table
(__automatic_d8dd09cb_0) where before multiple single rules for every IP
had been shown.
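The reproduction steps in the quoted report, as an added helper script (example code, not part of the original thread or of OpenBSD): it loads the same pf.conf twice, once with "-o none" and once with pfctl's default, then diffs the rules one anchor ends up with and counts the "__automatic_" tables the optimizer created. The ruleset path (/etc/pf.conf) and the anchor name ("myanchor") are assumptions; set PFCONF and ANCHOR to match the system under test. It must run as root on a pf host, so the pf-touching part only runs when invoked with "--run".

```sh
#!/bin/sh
# Added example, not code from the original thread. Assumes PFCONF points at
# the ruleset under test and ANCHOR names an anchor defined in it.
PFCONF=${PFCONF:-/etc/pf.conf}   # assumption: ruleset to load
ANCHOR=${ANCHOR:-myanchor}       # assumption: anchor to inspect

# Count optimizer-generated tables in `pfctl -s Tables` output read on stdin.
# The report shows them named __automatic_<hex>_<n>. awk always exits 0, so
# "no matches" prints 0 instead of failing the pipeline under set -e.
count_automatic_tables() {
    awk '/^__automatic_/ { n++ } END { print n + 0 }'
}

# Load the ruleset with optimizer option $1 ("-o none", or "" for pfctl's
# default) and save the anchor's rules and tables under tag $2.
snapshot() {
    opt=$1
    tag=$2
    # $opt is intentionally unquoted so an empty value adds no argument.
    pfctl -q $opt -f "$PFCONF"
    pfctl -a "$ANCHOR" -s rules  > "$WORK/rules.$tag"
    pfctl -a "$ANCHOR" -s Tables > "$WORK/tables.$tag"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    WORK=$(mktemp -d) || exit 1
    trap 'rm -rf "$WORK"' EXIT

    snapshot "-o none" noopt
    snapshot ""        default

    echo "== rule differences in anchor $ANCHOR (optimizer off vs. default) =="
    diff -u "$WORK/rules.noopt" "$WORK/rules.default" && echo "(none)"

    echo "== automatic tables in anchor $ANCHOR =="
    echo "optimizer off: $(count_automatic_tables < "$WORK/tables.noopt")"
    echo "default:       $(count_automatic_tables < "$WORK/tables.default")"
    cat "$WORK/tables.default"

    # Leave the host in the state the report describes as working.
    pfctl -q -o none -f "$PFCONF"
}

# Only touch pf when explicitly asked, so the text filter can be used alone.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as "sh pfopt-check.sh --run"; a non-empty diff together with a non-zero "default" table count reproduces what the report describes, and the diff shows exactly which address rules the optimizer collapsed into the table.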