IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / *BSD Forum / OpenBSD PF rules refresh
Post #237,285
by broomberg
12/7/05 2:56:53 PM
Reply
New OpenBSD PF rules refresh
Can I always safely reload the rules and expect it to not drop any current active connections?

I've done testing that shows it works, but I'd rather see something in the docs or FAQ that supports that statement.
Post #237,480
by folkert
Picture of folkert
12/9/05 2:28:39 PM
12/9/05 2:29:26 PM
Reply
New You have to use this kind of thing.
table <id439E4021.2> { FWexternIP , FWinternIP }


pass in quick inet proto tcp from yourIP to <id439E4021.2> port 22 modulate state label "RULE -1 -- ACCEPT "


I am assuming you have already done tables? pfctl can and does do tables. You should put these two lines first.

That will never deny access from that IP. The <id439E4021.2> is an arbitrary number. It could have been <id11111111.1> or <1fishingtime>

I am not sure about it severing connections and making them re-connect. Though, I have never heard of it doing that.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
Freedom is not FREE.
Yeah, but 10s of Trillions of US Dollars?
SELECT * FROM scog WHERE ethics > 0;

0 rows returned.
Expand Edited by folkert Dec. 9, 2005, 02:29:26 PM EST
Expand All History
     OpenBSD PF rules refresh - (broomberg) - (1) - Dec. 7, 2005, 02:56:53 PM EST
         You have to use this kind of thing. - (folkert) - Dec. 9, 2005, 02:29:26 PM EST

One of them was this cute little yellowtail, and she's giving me the eye. So I figured, this is my chance for a little fun. You know, piece o' Pisces.
59 ms