> Hi,
>
> How does one use the overload state option inside an anchor?
>
> I'm running -current (7th November snapshot) 64bit, sample pf
> configurations follow with two different configuration attempts.
> Both print the following warning:
>
> pfctl: warning: namespace collision with <bruteforce> global table.
>
> sample pf configurations below:
>
> table <bruteforce>
> icmp_types = "{ echoreq, unreach }"
> ext_if=""
> int_if="{ em1 em2 em3 }"
> int_networks="{ em1:network, em2:network, em3:network }"
> v6broker=""
> v6resolver=""
> mediacenter=""
> set skip on lo
> set loginterface egress
> block drop in all
> antispoof quick for (egress)
>
> match proto { udp tcp } to port { domain ntp } set prio 6
> match proto tcp to port ssh set prio 6
> match in all scrub (no-df max-mss 1440)
> anchor "inet" on $ext_if {
>     block quick from <bruteforce>
>     block all
>     pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
>     pass inet proto icmp all icmp-type $icmp_types tag GOOD
>     pass in inet proto {tcp,udp} from any to any port 45555 rdr-to $mediacenter tag GOOD
>     pass in inet proto tcp from any to any port {80,443} tag GOOD
>     pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
>     pass out from (self) to any tag GOOD
>     pass out inet from $int_networks to any nat-to (egress) tag GOOD
>     match out inet from $int_networks to any nat-to (egress) tag GOOD
>     pass out inet6 from em2:network to any tag GOOD
>     pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
>     block quick inet ! tagged GOOD
> }
>
> # pfctl -f /etc/pf.conf
> pfctl: warning: namespace collision with <bruteforce> global table.
>
> table <bruteforce>
> icmp_types = "{ echoreq, unreach }"
> ext_if=""
> int_if="{ em1 em2 em3 }"
> int_networks="{ em1:network, em2:network, em3:network }"
> v6broker=""
> v6resolver=""
> mediacenter=""
> set skip on lo
> set loginterface egress
> block drop in all
> antispoof quick for (egress)
>
> match proto { udp tcp } to port { domain ntp } set prio 6
> match proto tcp to port ssh set prio 6
> match in all scrub (no-df max-mss 1440)
> anchor "inet" on $ext_if {
>     block quick from <bruteforce>
>     block all
>     pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
>     pass inet proto icmp all icmp-type $icmp_types tag GOOD
>     pass in inet proto {tcp,udp} from any to any port 45555 rdr-to $mediacenter tag GOOD
>     pass in inet proto tcp from any to any port {80,443} tag GOOD
>     pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
>     pass out from (self) to any tag GOOD
>     pass out inet from $int_networks to any nat-to (egress) tag GOOD
>     match out inet from $int_networks to any nat-to (egress) tag GOOD
>     pass out inet6 from em2:network to any tag GOOD
>     pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
>     block quick inet ! tagged GOOD
> }
>
> # pfctl -f /etc/pf.conf
> pfctl: warning: namespace collision with <bruteforce> global table.
>
> Thank you for your help,
> Pedro Caetano
Hi Pedro,

In my experience, you only need the "global" table from main pf.conf.
Subsequent anchors can reference "global" tables (tables that have been
defined in pf.conf), but not the other way around.

- Jan
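The layout Jan describes, written out as a complete pf.conf. This is an added example, not the poster's configuration and not taken from the thread; the interface name em0, the ports and the rule set are placeholders chosen for illustration. The table is defined once, in the main ruleset; the anchor only references it; and the overload rule that fills the table is placed in the same ruleset as the table.

```pf
# Added example, not from the original thread. em0 and the ports below are
# placeholders, not the original poster's values.
ext_if = "em0"

# The only definition of the table, in the main ruleset, so it is a global
# table. "persist" keeps it around even while no rule references it.
table <bruteforce> persist

set skip on lo
block drop in all

# Rules inside an anchor may reference a table defined in the main ruleset.
# The anchor does not define <bruteforce> itself; the reference resolves to
# the global table above. "quick" inside the anchor ends evaluation for the
# packet, so a listed source never reaches the pass rules that follow.
anchor "inet" on $ext_if {
    block quick from <bruteforce>
}

# The rule that fills the table lives in the same ruleset as the table.
# A source with more than 50 open connections, or more than 3 new
# connections in 15 seconds, is added to <bruteforce> and all of its
# existing states are flushed.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn 50, max-src-conn-rate 3/15, \
    overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp to ($ext_if) port { 80 443 }
pass out on $ext_if
```

Load it with `pfctl -f /etc/pf.conf`; with a single active `<bruteforce>` in the whole ruleset tree there is nothing for pfctl to report. `pfctl -t bruteforce -T show` lists the sources that have been overloaded and `pfctl -t bruteforce -T delete <addr>` releases one; `pfctl -a inet -s Tables` should list no active table of its own.

The warning in the question comes from the `overload <bruteforce>` rule sitting inside the anchor: pf attaches an overload table to the ruleset that contains the rule and marks it active, so loading that configuration leaves an active `<bruteforce>` in the `inet` anchor next to the active global one, which is the collision pfctl reports. The anchor's rule then inserts overloaded sources into the anchor's copy, so `pfctl -t bruteforce -T show` against the global table will not list them while `pfctl -a inet -t bruteforce -T show` will. Either keep the overload rule in the main ruleset as above, or drop the global `table <bruteforce>` line and keep the table entirely inside the anchor (and manage it with `-a inet`); what matters is not having two active tables of the same name in different namespaces.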