On Fri, Aug 18, 2017 at 07:31:05PM +0200, Otto Moerbeek wrote:
> On Sat, Aug 12, 2017 at 02:40:41PM +0200, Walter Alejandro Iglesias wrote:
> 
> > In article <20170812123632.p7zgt2l4kz43y...@symphytum.spacehopper.org> you 
> > wrote:
> > > On 2017/08/12 14:33, Walter Alejandro Iglesias wrote:
> > > > In article <5127ac707aa6f...@server.roquesor.com> you wrote:
> > > > > Hi Stuart,
> > > > > 
> > > > > In article <slrnootn18.31bc....@naiad.spacehopper.org> you wrote:
> > > > > > On 2017-08-12, Walter Alejandro Iglesias <w...@roquesor.com> wrote:
> > > > > > > Yesterday while copying a big file from one machine to another in 
> > > > > > > my LAN
> > > > > > > I noticed that restarting pf:
> > > > > > >
> > > > > > >   # pfctl -d && pfctl -e -f /etc/pf.conf
> > > > > > >
> > > > > > > scp stops and quits showing this message:
> > > > > > >
> > > > > > >   - stalled - Conection reset by 192.168.1.*  Lost connection
> > > > > > >
> > > > > > >
> > > > > > > Is this expected or is a bug?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > 
> > > > > > Expected.
> > > > > > 
> > > > > > PF is a state-inspecting firewall and verifies things like TCP 
> > > > > > sequence
> > > > > > numbers; it needs to see the initial connection handshake to pick 
> > > > > > up the
> > > > > > wscale value.
> > > > > > 
> > > > > > I would recommend just reloading the ruleset rather than disabling 
> > > > > > and
> > > > > > re-enabling PF first.
> > > > > > 
> > > > > > 
> > > > > 
> > > > > I have this rule:
> > > > > 
> > > > > block in log quick inet proto tcp from <port22> to port ssh
> > > > > 
> > > > > That reads IPs from a the "port22" file which is updated from a script
> > > > > in a cronjob.  I ignore which command to use to re-read that file
> > > > > without causing the interrupt.
> > > > > 
> > > > > 
> > > > > 
> > > > 
> > > > You mean doing only this?
> > > > 
> > > > # pfctl -f /etc/pf.conf
> > > 
> > > Yes.
> > > 
> > > 
> > 
> > I just tried it and works OK.  Thank you very much.
> > 
> 
> A bit reply late due to vacation...
> 
> I would like to stress that disable and then a reload is a
> dangerous practise. Apart from the fact that it looses state it also
> will leave pf disabled if you made a syntax error in your ruleset.

Yes, I was worried about that.

> 
> Please just do a reload: it is much more safer: it will first
> validate the new ruleset and then *atomically* replace the old with
> the new ruleset, leaving intact any relevant state information.

I don't remember exactly what made me think that in the specific case of
tables reading IP lists from files a reload wasn't enough.  Something
wrong I did while testing lead me to wrong conclusions. :-)


Thank you!


> 
>       -Otto


Walter

Reply via email to