> On Nov 9, 2016, at 10:37 PM, Jan Kalkus <[email protected]> wrote:
>
>> Hi,
>>
>> How does one use the overload state option inside an anchor?
>>
>> I'm running -current (7th November snapshot) 64bit, sample pf
>> configurations follow with two different configuration attempts.
>> Both print the following warning:
>>
>> pfctl: warning: namespace collision with <bruteforce> global table.
>>
>>
>> sample pf configurations below:
>>
>> table <bruteforce>
>> icmp_types = "{ echoreq, unreach }"
>> ext_if=""
>> int_if="{ em1 em2 em3 }"
>> int_networks="{ em1:network, em2:network, em3:network }"
>> v6broker=""
>> v6resolver=""
>> mediacenter=""
>> set skip on lo
>> set loginterface egress
>> block drop in all
>> antispoof quick for (egress)
>>
>> match proto { udp tcp } to port { domain ntp } set prio 6
>> match proto tcp to port ssh set prio 6
>> match in all scrub (no-df max-mss 1440)
>> anchor "inet" on $ext_if {
>> block quick from <bruteforce>
>> block all
>> pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
>> pass inet proto icmp all icmp-type $icmp_types tag GOOD
>> pass in inet proto {tcp,udp} from any to any port 45555 rdr-to
>> $mediacenter tag GOOD
>> pass in inet proto tcp from any to any port {80,443} tag GOOD
>> pass in inet proto tcp from any to any port 22 keep state (max-src-conn
>> 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
>> pass out from (self) to any tag GOOD
>> pass out inet from $int_networks to any nat-to (egress) tag GOOD
>> match out inet from $int_networks to any nat-to (egress) tag GOOD
>> pass out inet6 from em2:network to any tag GOOD
>> pass out inet6 proto udp from em2:network to $v6resolver port 53 tag
>> GOOD
>> block quick inet ! tagged GOOD
>> }
>>
>> # > pfctl -f /etc/pf.conf
>> pfctl: warning: namespace collision with <bruteforce> global table.
>>
>>
>>
>>
>> table <bruteforce>
>> icmp_types = "{ echoreq, unreach }"
>> ext_if=""
>> int_if="{ em1 em2 em3 }"
>> int_networks="{ em1:network, em2:network, em3:network }"
>> v6broker=""
>> v6resolver=""
>> mediacenter=""
>> set skip on lo
>> set loginterface egress
>> block drop in all
>> antispoof quick for (egress)
>>
>> match proto { udp tcp } to port { domain ntp } set prio 6
>> match proto tcp to port ssh set prio 6
>> match in all scrub (no-df max-mss 1440)
>> anchor "inet" on $ext_if {
>> block quick from <bruteforce>
>> block all
>> pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
>> pass inet proto icmp all icmp-type $icmp_types tag GOOD
>> pass in inet proto {tcp,udp} from any to any port 45555 rdr-to
>> $mediacenter tag GOOD
>> pass in inet proto tcp from any to any port {80,443} tag GOOD
>> pass in inet proto tcp from any to any port 22 keep state (max-src-conn
>> 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
>> pass out from (self) to any tag GOOD
>> pass out inet from $int_networks to any nat-to (egress) tag GOOD
>> match out inet from $int_networks to any nat-to (egress) tag GOOD
>> pass out inet6 from em2:network to any tag GOOD
>> pass out inet6 proto udp from em2:network to $v6resolver port 53 tag
>> GOOD
>> block quick inet ! tagged GOOD
>> }
>>
>> # > pfctl -f /etc/pf.conf
>> pfctl: warning: namespace collision with <bruteforce> global table.
>>
>>
>> Thank you for your help,
>> Pedro Caetano
>>
>
> Hi Pedro,
>
> In my experience, you only need the `global' table from main pf.conf.
>
> Subsequent anchors can reference `global' tables (tables that have been
> defined in pf.conf), but not the other way around.
>
> - Jan
Apologies, I misinterpreted your configurations.
I would first compare the outputs of the following two commands:
`pfctl -s Tables'
`pfctl -a inet -s Tables'
to make sure there are no overlapping tables between the two.
I have also had trouble with table collisions when accidentally creating a
table with an identical name inside an anchor. I usually clear out the
duplicate table from that anchor with a reboot.
- Jan
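A small check in the spirit of the comparison Jan suggests, as an added example that is not part of the thread: it takes the output of `pfctl -s Tables` (global tables) and `pfctl -a inet -s Tables` (the anchor's own tables) and reports any table name present in both. The sample listings below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports table names that exist both in the
# main ruleset and inside an anchor, i.e. the overlap that produces the
# "namespace collision with <name> global table" warning.
#
# Real use (needs root on OpenBSD):
#   check_overlap "$(pfctl -s Tables)" "$(pfctl -a inet -s Tables)"

# Prints each table name found in both listings, one per line (nothing if disjoint).
# $1: global table listing, one name per line; $2: the anchor's table listing.
table_overlap() {
    { printf '%s\n' "$1"; echo "__ANCHOR__"; printf '%s\n' "$2"; } |
    awk '
        /^__ANCHOR__$/           { in_anchor = 1; next }   # switch from global to anchor list
        NF == 0                  { next }                  # skip blank lines
        !in_anchor               { global[$1] = 1; next }  # remember every global table
        ($1 in global) && !(seen[$1]++) { print $1 }       # anchor table that shadows a global one
    '
}

# Returns 0 when the two namespaces are disjoint, 1 (and lists the offenders) otherwise.
check_overlap() {
    overlap=$(table_overlap "$1" "$2")
    if [ -n "$overlap" ]; then
        printf 'table(s) defined both globally and in the anchor:\n%s\n' "$overlap"
        return 1
    fi
    echo "no overlapping tables"
    return 0
}

# Constructed sample listings: the overload rule inside anchor "inet" has created a
# second <bruteforce> there, next to a hypothetical anchor-only table.
SAMPLE_GLOBAL='bruteforce'
SAMPLE_ANCHOR='bruteforce
anchor_only_hosts'

if ! check_overlap "$SAMPLE_GLOBAL" "$SAMPLE_ANCHOR"; then
    echo "fix: keep a single definition of the table in the main ruleset"
fi
```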