Re: Exposing the rc(8) constructed pf ruleset, some patches

2015-10-20 Thread Karl O. Pinc
On Tue, 20 Oct 2015 01:08:42 -0600 Devin Reade wrote: > > > > On Oct 19, 2015, at 18:26, Karl O. Pinc wrote: > > > But if you write DNS names into your pf.conf > > file then step 2 can be eliminated. All > > that's required is to reload the rules. > > > > Eliminating an extra editing step r

Re: Exposing the rc(8) constructed pf ruleset, some patches

2015-10-20 Thread Devin Reade
> On Oct 19, 2015, at 18:26, Karl O. Pinc wrote: > But if you write DNS names into your pf.conf > file then step 2 can be eliminated. All > that's required is to reload the rules. > > Eliminating an extra editing step reduces > error. Unless of course your DNS is on your LAN and after a major p

Re: Exposing the rc(8) constructed pf ruleset, some patches

2015-10-19 Thread Steve Shockley
On 10/19/2015 8:26 PM, Karl O. Pinc wrote: But if you write DNS names into your pf.conf file then step 2 can be eliminated. All that's required is to reload the rules. How often do you re-query DNS to update and reload the rules? What do you do in the case of multiple A records, or a CDN? I
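The script below is an added example and is not code from any message in this thread. It addresses the point raised above: pfctl(8) resolves a hostname written into pf.conf once, at ruleset load time, so a name with several A records expands into several addresses at that moment and nothing re-resolves it until the next reload. Instead of putting names into the rules, the script keeps the addresses in a pf table and replaces the table contents from DNS, which can run from cron without touching the ruleset. The table name `allowed_hosts`, the host list `/etc/pf.hosts`, the `PF_DRY_RUN` variable and the example hostnames are assumptions made for this example; `dig +short A` and `pfctl -t <table> -T replace` are the real commands.

```shell
#!/bin/sh
# Added example, not from the thread: keep a pf table in sync with DNS.
#
# Assumed setup (hypothetical, not from the original messages). In pf.conf:
#     table <allowed_hosts> persist
#     pass in proto tcp to <allowed_hosts> port 443
# and /etc/pf.hosts holding one hostname per line ('#' starts a comment).

# Resolve all A records of one name, one address per line.
# dig(1) is in the OpenBSD base system; "+short" prints only the answer
# data, and the grep keeps IPv4 literals only (CNAME chains are dropped).
# "|| true" keeps a non-resolving name from aborting a "set -e" caller.
resolve_a_records() {
    dig +short A "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' || true
}

# Read hostnames from stdin, resolve each, and print the union of all
# addresses, sorted and deduplicated. A name with several A records
# contributes all of them; a name that does not resolve is reported on
# stderr and skipped rather than emptying the whole table.
build_address_list() {
    while read -r name; do
        case "$name" in
            ''|'#'*) continue ;;
        esac
        addrs=$(resolve_a_records "$name")
        if [ -z "$addrs" ]; then
            echo "warning: $name did not resolve; skipping" >&2
            continue
        fi
        printf '%s\n' "$addrs"
    done | sort -u
}

# Replace the table contents. "pfctl -T replace" only adds and removes
# the entries that differ, so states matching unchanged addresses survive.
# Refuses to install an empty table (a DNS outage must not open or close
# everything by accident). With PF_DRY_RUN=1 the pfctl command is printed
# instead of executed, which is also what the offline check below uses.
refresh_table() {
    table=$1
    hostfile=$2
    list=$(build_address_list < "$hostfile")
    [ -n "$list" ] || {
        echo "refusing to replace $table with an empty list" >&2
        return 1
    }
    if [ "${PF_DRY_RUN:-0}" = 1 ]; then
        printf 'pfctl -t %s -T replace %s\n' "$table" \
            "$(printf '%s' "$list" | tr '\n' ' ')"
    else
        # $list is intentionally unquoted: one address per argument.
        pfctl -t "$table" -T replace $list
    fi
}

# Entry point when run as a script: refresh_table <table> <hostfile>
# e.g. from cron: */15 * * * * /usr/local/sbin/pf-dns-table.sh allowed_hosts /etc/pf.hosts
if [ $# -eq 2 ]; then
    refresh_table "$1" "$2"
fi
```

How often to run it is a policy choice the thread leaves open; a cron interval shorter than the records' TTL gains nothing. The script also only ever installs the addresses returned by the last query, so a CDN that hands out a different subset of its addresses on every answer is still not fully covered, which is exactly the difficulty raised above.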

Re: Exposing the rc(8) constructed pf ruleset, some patches

2015-10-19 Thread Karl O. Pinc
On Mon, 19 Oct 2015 12:47:46 -0600 Theo de Raadt wrote: > > > The supplied patch allows the rc.conf(8) pf > > > variable to be set to MINIMAL (in addition to > > > the current YES and NO). A setting of MINIMAL > > > loads the rc(8) default pf ruleset and enables > > > pf. MINIMAL means that rc(

Re: Exposing the rc(8) constructed pf ruleset, some patches

2015-10-19 Thread Theo de Raadt
> > The supplied patch allows the rc.conf(8) pf > > variable to be set to MINIMAL (in addition to > > the current YES and NO). A setting of MINIMAL > > loads the rc(8) default pf ruleset and enables > > pf. MINIMAL means that rc(8) does not load > > /etc/pf.conf. Any loading of /etc/pf.conf > >

Re: Exposing the rc(8) constructed pf ruleset, some patches

2015-10-19 Thread Karl O. Pinc
Well, since there's no attachments, I am including the patches inline. On Mon, 19 Oct 2015 10:27:16 -0500 "Karl O. Pinc" wrote: > Attached are 3 patches to -current for your > consideration. Apply with: > > cd /usr/src > patch -p1 ... > > The first, expose-default-pf-rules.patch, lets > t

Exposing the rc(8) constructed pf ruleset, some patches

2015-10-19 Thread Karl O. Pinc
Hello, Attached are 3 patches to -current for your consideration. Apply with: cd /usr/src patch -p1 ... The first, expose-default-pf-rules.patch, lets the sysadm use the rc(8) constructed default pf ruleset. This ability was, in a sense, compromised when 5.8 eliminated the pf_rules variabl