On Fri, Jan 10, 2003 at 07:53:47AM +0100, Saad Kadhi wrote:

> > echo 'block in quick from $attacker to any' | pfctl -a attacks -R -f -
>
> is the '-R' flag required for this? wouldn't it just make pf reload the
> whole bunch of rules instead of just adding a rule to the anchor rule
> subset?
No, when -a anchorname is specified, the entire pfctl invocation applies only
to that anchor ruleset. So -f means 'load the rules into the anchor', -Fr
means 'flush the filter rules from the anchor', -sr 'show the filter rules in
the anchor', etc.

An anchor can also contain nat/binat/rdr rules. If it does, there's a
difference between

  echo 'block in quick from 10.1.2.3 to any' | pfctl -a foo:bar -R -f -

and

  echo 'block in quick from 10.1.2.3 to any' | pfctl -a foo:bar -f -

The latter will remove not just the existing filter rules in anchor foo's
ruleset bar first, but nat/binat/rdr rules, too. The former just replaces the
filter rules in foo:bar. If you created the sub-ruleset just to hold such
block rules, and know there are no translation rules, it doesn't matter.

But -R doesn't make the command apply to the main ruleset in this case, it
means 'only process filter rules (in the anchor ruleset that was specified)'.

Daniel