On 20 Jun 2017 at 14:17, Alen Mistric wrote:
> Howdy!
>
> I have a global table defined in pf.conf that I would like to use in
> both the main rule set and inside an anchor. However, I keep getting
> a namespace collision when I reload the configuration file. I can't
> quite figure out from reading the man pages if you're not supposed
> to use a global table inside an anchor or if I'm just doing it the
> wrong way. Any ideas?
Unfortunately, this is a known limitation in current PF -- you can use global
tables in an anchor strictly in read-only mode. Any attempt to modify a table
within an anchor results in the creation of an anchor-local table with identical
name which also prevents any subsequent access to the global table.
>
> table <bruteforce> persist
> block quick from <bruteforce>
>
> pass in proto tcp to port ssh modulate state \
> (max-src-conn-rate 5/3, overload <bruteforce> flush global)
>
> anchor "ftp" {
> pass in proto tcp to port ftp modulate state \
> (max-src-conn 2, overload <bruteforce> flush global )
> pass in proto tcp to port { 40000:50000 }
> pass out proto tcp to port ftp
> }
>