The changes were not done to the /etc/pf.conf file; they are at runtime.

I issued the pfctl -sr command, which reflects this.


On Tue, Jul 28, 2015 at 5:35 PM, Stefan Wollny <ste...@wollny.de> wrote:

> Hi,
>
> I can't tell you anything about what might have happened as you didn't provide
> enough information and I am not educated to give any hints. But to prevent
> any changes you might consider using "chflags" after you have set up your
> pf.conf:
>
> $ sudo chflags schg /etc/pf.conf
>
> Keep in mind that changes thereafter are only possible if you reboot into
> insecure mode. man 1 chflags is your friend.
>
> If this doesn't help it is beyond my knowledge.
>
> Good luck!
> STEFAN
>
>
> *Sent:* Tuesday, 28 July 2015 at 11:17
> *From:* "Wong Peter" <peterap...@gmail.com>
> *To:* misc@openbsd.org
> *Subject:* OpenBSD machine was hacked
> Dear All,
>
> Recently, I realized that my OpenBSD firewall router was not usable
> anymore because the pf rules had been changed using the carp and pfsync
> mechanism.
>
> Here is my proof.
>
> I tried to reinstall the whole machine and plugged the modem LAN cable
> into the NIC card. All my written pf rules were flushed and changed. This
> happens even without an internet connection (no IP address assigned).
>
> I suspect this was done by my ISP. I believe my OpenBSD machine was
> located on the same subnet as their machine.
>
> I even tried to disable the carp protocol but my pf rules still get flushed
> out.
> How can this happen?
> How to prevent it?
> How can my ISP synchronize its pf rules to my machine without an IP assigned?
> I suspect they achieved it at Layer 2 by using MAC spoofing/MAC targeting
> to my machine.
> net.inet.carp.allow=0
>
> Please help. Very urgent.
>
> --
> Linux
>
>



-- 
Linux
