Holger, we should adhere to KISS principle.

So, pf rulesets are fine like they are if they are working as expected, and this is our case. If you're missing some warning feature, maybe you would try to write an aux app, à la lint for C, that could parse a pf.conf and look for suspect behaviour.

But keep in mind, these needs are not usual among heavy users of pf, so it's unlikely it would be implemented anytime soon (never is more like it).

Regards!

Dani

Paul de Weerd wrote:
On Fri, Jul 17, 2009 at 11:11:22AM +0200, Holger Glaess wrote:
| you are right, but I think it would be really helpful if pfctl gave a
| warning when it found that kind of line, so that you can decide whether
| the rule is wanted or a typo that has to be corrected.

And the next guy wants a warning when you block ssh access. Then the
next guy has yet other things he thinks his firewall should never
allow and wants to get warned when his rules do not match that. Yet
another guy wants warnings for whatever it is he doesn't want his
firewall to do.

What I think you want is `pfctl -vf /etc/pf.conf`. The -v will tell
you what rules are loaded. Should be enough warning for you. If you
can't verify your ruleset after loading it, I really think you have
bigger problems than what can be solved with a warning.

Paul 'WEiRD' de Weerd
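As an illustration of the "aux app à la lint" idea from Dani's reply, here is a small, added example (not code from the thread or from the pf project) of a pf.conf checker that applies a locally defined policy instead of asking pfctl to guess what the admin considers suspect. The sample ruleset, the tiny SERVICES table standing in for /etc/services, and the notion of "forbidden ports" are all constructed for this example; the port parser handles the plain, `=` and `{ ... }` forms and deliberately skips inequality operators, so it is conservative rather than complete.

```python
import re
import shlex

# Constructed sample ruleset for illustration (not from the thread).
SAMPLE_PF_CONF = """\
ext_if = "em0"
set skip on lo
block in all
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to any port 22
pass in all
"""

# Tiny stand-in for /etc/services; a real tool would read that file.
SERVICES = {"ssh": 22, "http": 80, "https": 443}
OPERATORS = {"=", "!=", "<", "<=", ">", ">=", "<>", "><"}
ACTIONS = {"pass", "block", "match"}


def iter_rules(text):
    """Yield (lineno, tokens) for filter rules only.

    Comments, blank lines, macro definitions ('name = value') and
    non-rule statements such as 'set' or 'table' are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or re.match(r"^\w+\s*=", line):
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0] in ACTIONS:
            yield lineno, tokens


def ports_in(tokens):
    """Return the set of concrete port numbers named after each 'port' keyword.

    Handles 'port 22', 'port ssh', 'port = 22' and 'port { 22 80 }'.
    Unary inequality forms such as 'port != 22' are skipped on purpose
    (they would need range logic), which keeps the checker conservative.
    """
    ports = set()
    i = 0
    while i < len(tokens):
        if tokens[i] != "port":
            i += 1
            continue
        i += 1
        if i < len(tokens) and tokens[i] in OPERATORS:
            if tokens[i] != "=":
                i += 2          # skip operator and its operand
                continue
            i += 1              # 'port = N' is the same as 'port N'
        if i < len(tokens) and tokens[i] == "{":
            end = tokens.index("}", i)
            specs, i = tokens[i + 1:end], end + 1
        else:
            specs, i = tokens[i:i + 1], i + 1
        for spec in specs:
            spec = spec.strip(",")
            if spec.isdigit():
                ports.add(int(spec))
            elif spec in SERVICES:
                ports.add(SERVICES[spec])
    return ports


def lint(text, forbidden_ports=frozenset({22})):
    """Return [(lineno, message)] for pass rules that violate local policy.

    Policy here is just 'never pass these ports' plus 'no catch-all pass';
    the point is that the policy belongs to the admin, not to pfctl.
    """
    findings = []
    for lineno, toks in iter_rules(text):
        if toks[0] != "pass":
            continue
        if "all" in toks and "proto" not in toks and "port" not in toks:
            findings.append((lineno,
                             "catch-all pass rule ('all' with no proto/port restriction)"))
        for port in sorted(ports_in(toks) & set(forbidden_ports)):
            findings.append((lineno,
                             f"pass rule opens port {port}, which local policy forbids"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_PF_CONF):
        print(f"pf.conf:{lineno}: warning: {msg}")
```

Run against a real ruleset, this only complements `pfctl -nvf /etc/pf.conf`, which remains the authoritative syntax check and the place to read back what was actually loaded.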
