Hi,

How does one use the overload state option inside an anchor?

I'm running -current (7th November snapshot) 64-bit; sample pf
configurations follow with two different configuration attempts.
Both print the following warning:

pfctl: warning: namespace collision with <bruteforce> global table.


sample pf configurations below:

table <bruteforce>
icmp_types = "{ echoreq, unreach }"
ext_if=""
int_if="{ em1 em2 em3 }"
int_networks="{ em1:network, em2:network, em3:network }"
v6broker=""
v6resolver=""
mediacenter=""
set skip on lo
set loginterface egress
block drop in all
antispoof quick for (egress)

match proto { udp tcp } to port { domain ntp } set prio 6
match proto tcp to port ssh set prio 6
match in all scrub (no-df max-mss 1440)
anchor "inet" on $ext_if {
    block quick from <bruteforce>
    block all
    pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
    pass inet proto icmp all icmp-type $icmp_types tag GOOD
    pass in inet proto {tcp,udp} from any to any port 45555 rdr-to $mediacenter tag GOOD
    pass in inet proto tcp from any to any port {80,443} tag GOOD
    pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
    pass out from (self) to any tag GOOD
    pass out inet from $int_networks to any nat-to (egress) tag GOOD
    match out inet from $int_networks to any nat-to (egress) tag GOOD
    pass out inet6 from em2:network to any tag GOOD
    pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
    block quick inet ! tagged GOOD
}

# > pfctl -f /etc/pf.conf
pfctl: warning: namespace collision with <bruteforce> global table.




table <bruteforce>
icmp_types = "{ echoreq, unreach }"
ext_if=""
int_if="{ em1 em2 em3 }"
int_networks="{ em1:network, em2:network, em3:network }"
v6broker=""
v6resolver=""
mediacenter=""
set skip on lo
set loginterface egress
block drop in all
antispoof quick for (egress)

match proto { udp tcp } to port { domain ntp } set prio 6
match proto tcp to port ssh set prio 6
match in all scrub (no-df max-mss 1440)
anchor "inet" on $ext_if {
    block quick from <bruteforce>
    block all
    pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
    pass inet proto icmp all icmp-type $icmp_types tag GOOD
    pass in inet proto {tcp,udp} from any to any port 45555 rdr-to $mediacenter tag GOOD
    pass in inet proto tcp from any to any port {80,443} tag GOOD
    pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
    pass out from (self) to any tag GOOD
    pass out inet from $int_networks to any nat-to (egress) tag GOOD
    match out inet from $int_networks to any nat-to (egress) tag GOOD
    pass out inet6 from em2:network to any tag GOOD
    pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
    block quick inet ! tagged GOOD
}

# > pfctl -f /etc/pf.conf
pfctl: warning: namespace collision with <bruteforce> global table.


Thank you for your help,
Pedro Caetano
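Added example, not part of the original post and not the poster's configuration: a minimal anchor that uses the overload option with a table that is declared inside the anchor itself. It rests on the assumption that a table referenced by rules in an anchor lives in that anchor's namespace, so the global `table <bruteforce>` declaration in the post is what pfctl reports as colliding with the anchor's own `<bruteforce>`; the interface name `em0` is a placeholder.

```pf
# Placeholder interface; the post redacts the real $ext_if.
ext_if = "em0"

anchor "inet" on $ext_if {
    # Declared here, in the anchor, instead of at the top of pf.conf.
    # Both the block rule and the overload below then refer to the same
    # anchor-local table, and no global table of that name exists.
    table <bruteforce> persist

    block quick from <bruteforce>

    # Offenders exceeding the connection limits are added to the
    # anchor-local table and their existing states are flushed.
    pass in inet proto tcp from any to any port 22 keep state \
        (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global)
}
```

To check which table the overload is filling, inspect it in the anchor's namespace rather than the main ruleset, e.g. `pfctl -a inet -t bruteforce -T show`; an entry appearing there after a burst of SSH connections confirms the anchor-local table is the one in use.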
