FreeBSD Bugzilla – Attachment 220012 Details for Bug 251414: pf sometimes panics when reloading ruleset with tables
Attachment: pf.conf (text/plain), 3.84 KB, created by sigsys on 2020-11-26 21:07:34 UTC

Description: pf.conf
Filename: pf.conf
MIME Type: text/plain
Creator: sigsys
Created: 2020-11-26 21:07:34 UTC
Size: 3.84 KB

int_ifs = lan0 lan1
ext_ifs = ext_isp1 ext_isp2 ext_vpn1

fib_isp1 = 0
fib_isp2 = 1
fib_vpn1 = 7

default_fib = 0

rtable_switch = "! 10.0.0.0/8"

jails = "127.0.3.0/24 10.0.3.0/24"
jail_test0 = "127.0.3.2 10.0.3.2"
jail_test1 = "127.0.3.3 10.0.3.3"
jail_test2 = "127.0.3.4 10.0.3.4"
jail_test3 = "127.0.3.5 10.0.3.5"
jail_test4 = "127.0.3.6 10.0.3.6"
jail_test5 = "127.0.3.7 10.0.3.7"
jail_test6 = "127.0.3.8 10.0.3.8"
jail_test7 = "127.0.3.9 10.0.3.9"

vm_bridges = "bridge0"
vm_hub = "10.5.0.1"
vm_networks = "10.5.0.0/24"

##############################################################################

scrub out on { $ext_ifs } no-df random-id
scrub in on { $ext_ifs } fragment reassemble
scrub on { $ext_ifs } reassemble tcp

##############################################################################

nat on ext_isp1 from !(ext_isp1:network) -> (ext_isp1)
nat on ext_isp2 from !(ext_isp2:network) -> (ext_isp2)
nat on ext_vpn1 from !(ext_vpn1:network) -> (ext_vpn1)

rdr on ext_isp1 inet proto { tcp udp } to (ext_isp1) port { 24671 45313 } tag REDIR_ISP1 -> 10.0.0.2
rdr on ext_isp1 inet proto { tcp udp } to (ext_isp1) port 42429 tag REDIR_ISP1 -> 10.0.0.5
rdr on ext_vpn1 inet proto { tcp udp } to (ext_vpn1) port 5501 tag REDIR_VPN1 -> 10.0.0.5 port 5501
rdr on ext_vpn1 inet proto { tcp udp } to (ext_vpn1) port 4444 tag REDIR_VPN1 -> 10.0.0.2 port 4444

##############################################################################

block log all

##############################################################################

block in on { $ext_ifs } to { 255.255.255.255 224.0.0.0/8 } # less log noise
#pass in on { $ext_ifs } proto udp from port dhcps to port dhcpc

pass in on ext_isp1 tagged REDIR_ISP1 rtable $fib_isp1
pass in on ext_isp2 tagged REDIR_ISP2 rtable $fib_isp2
pass in on ext_vpn1 tagged REDIR_VPN1 rtable $fib_vpn1

##############################################################################

table <via_isp1> persist
table <via_isp2> persist
table <via_vpn1> persist
table <via_null> persist

table <firehol-level1> persist file "/etc/pf/firehol-level1-blocklist.tab"

pass in on { $int_ifs }
anchor to { $rtable_switch } { # Don't set fib for all packets, it messes with the rdr rules somehow.
	pass in on { $int_ifs } rtable $default_fib
	pass in log on { $int_ifs } to <firehol-level1> rtable $default_fib
	pass in on { $int_ifs } from <via_isp1> rtable $fib_isp1
	pass in on { $int_ifs } from <via_isp2> rtable $fib_isp2
	pass in on { $int_ifs } from <via_vpn1> rtable $fib_vpn1
}
block in on { $int_ifs } from <via_null>

##############################################################################

pass in on { $vm_bridges }

block in on { $vm_bridges } to (self)

pass in proto { udp tcp } from $vm_networks to { 10.0.0.5 $vm_hub } port domain
pass in proto tcp from $vm_networks to 10.0.0.5 port smtp

pass in on tap4 from 10.6.0.3
pass in on tap5 from 10.6.0.5
pass in on tap6 from 10.6.0.9
pass in on tap7 from 10.6.0.11

##############################################################################

pass in on lo from (self)

##############################################################################

block in log from { $jails }

pass in from { $jail_test0 } to { $jail_test0 }
pass in from { $jail_test1 } to { $jail_test1 }
pass in from { $jail_test2 } to { $jail_test2 }
pass in from { $jail_test3 } to { $jail_test3 }
pass in from { $jail_test4 } to { $jail_test4 }
pass in from { $jail_test5 } to { $jail_test5 }
pass in from { $jail_test6 } to { $jail_test6 }
pass in from { $jail_test7 } to { $jail_test7 }

pass in proto { udp tcp } from { $jails } to 10.0.0.5 port domain

pass in proto tcp from { $jails } to 10.0.0.5 port smtp

##############################################################################

block in log from no-route
block in log from urpf-failed

##############################################################################

pass out