On Wed, Jan 02, 2008 at 12:33:32PM +0100, Henrik Johansen wrote:

> Whenever I ran '/sbin/pfctl -Fr -f /etc/pf.conf' ICMP packets started
> to slip through for a second and a couple of states related to those
> ICMP packets were created.
>
> The only time ICMP packets got through the firewall was when I reloaded
> the ruleset.
>
> The box in question is running OpenBSD 4.1-STABLE and the ruleset in
> question is using a "default deny" policy.
>
> Is that expected behaviour?
This is precisely the reason why -Fr is not only superfluous in this case, but also harmful.

pfctl -f /etc/pf.conf alone does precisely what you want: load the new ruleset, and when it is loaded successfully, switch the old and new rulesets, releasing the old one. It does this in an "atomic" operation, in between two packets being filtered. The first packet is still filtered by the full old ruleset, the second packet (and all subsequent packets, of course) by the full new ruleset.

By adding -Fr you make pfctl first flush (remove the old ruleset), and a couple of milliseconds later load the new ruleset. The combination is not atomic, that is, in between the first and second operation, packets may get filtered by the empty ruleset (which is pass keep state by default).

I don't know why people use the -Fr -f combination. Is it a left-over from IPFilter days? Were you assuming a -f alone would do something else? Like what, append the file, duplicating the rules? :)

Daniel
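A reload script that follows the advice above (syntax-check, then load with -f only, never flush), added here as an example and not code from the thread or from OpenBSD. It assumes pfctl(8) is in PATH, that the ruleset is /etc/pf.conf (PF_CONF overrides it), and that the protocol is the second field of each pfctl -ss line.

```shell
#!/bin/sh
# Safe pf ruleset reload (added example, not from the thread or OpenBSD).
# Assumes pfctl(8) in PATH and the ruleset in /etc/pf.conf (PF_CONF overrides).
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Parse the file without loading it, so a syntax error is reported
# before anything touches the running ruleset.
check_ruleset() {
    pfctl -nf "$PF_CONF"
}

# Load with -f only: pfctl loads the new rules and swaps them for the
# old ones atomically between two packets, so no packet is ever
# evaluated against an empty (pass keep state) ruleset.
load_ruleset() {
    pfctl -f "$PF_CONF"
}

# Count ICMP entries in the state table. On a default-deny ruleset that
# never passes ICMP, a non-zero count is the symptom from the thread:
# states created while an empty ruleset was in place. Assumes the
# second field of each "pfctl -ss" line is the protocol.
leaked_icmp_states() {
    pfctl -ss | awk '$2 == "icmp" { n++ } END { print n + 0 }'
}

# Reload without ever issuing -Fr. Returns non-zero if the file fails
# to parse, in which case the running ruleset is left untouched.
reload_pf() {
    check_ruleset || return 1
    load_ruleset || return 1
    printf 'icmp states after reload: %s\n' "$(leaked_icmp_states)"
}
```

Run reload_pf as root; the ICMP state count is only meaningful on a ruleset that never passes ICMP, as in Henrik's default-deny setup.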
