[nycbug-talk] pf tables

Okan Demirmen okan at demirmen.com
Sun Jul 30 20:22:12 EDT 2006


On Sun 2006.07.30 at 20:05 -0400, David Lawson wrote:
> I've actually found it simpler and cleaner to add an IP to the  
> persist file and reload pf, since that ensures your currently running  
> ruleset is exactly what you have on disk, thus avoiding situations  
> like this one.  Or, alternatively, you could use a couple line script  
> to append an IP to the end of the file and insert it into the table  
> in pf at the same time.

Look at how Dru, or rather pf(4), is populating the table (her rules are
somewhere in the thread). Overloading is done in the kernel, so the IP
will always hit the table first. Sure, you can dump the table and reload
it, hence the reason why I mentioned cron(8) (or, of course, to take
snapshots of the table every once in a while, maybe in daily.local, just
in case).

This is not saying it can't be done your way for this particular
scenario; you just have to write it, or find someone who will/has.
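What the "dump the table and reload it" helper might look like, as an added example (not code from the original thread, from Dru's rules, or from pf itself). The table name, file path and the pf.conf lines in the comment are assumptions for illustration; the pfctl(8) invocations are the standard ones:

```shell
#!/bin/sh
# Snapshot/restore helper for a pf table that the kernel fills via
# "overload". Added example; table name and paths are assumed.
#
# Assumed pf.conf fragment (standard overload syntax, not Dru's rules):
#   table <bruteforce> persist file "/var/db/pf-bruteforce.txt"
#   block in quick from <bruteforce>
#   pass in on $ext_if proto tcp to port ssh keep state \
#       (max-src-conn-rate 5/30, overload <bruteforce> flush global)
#
# The kernel adds offenders to <bruteforce> directly; the file on disk
# does not change. "snapshot" merges the live table into the file (run it
# from cron or daily.local); "restore" pushes the file back into the live
# table without reloading the whole ruleset.

set -eu

TABLE="${TABLE:-bruteforce}"
FILE="${FILE:-/var/db/pf-${TABLE}.txt}"

# merge_addrs FILE: union of the addresses in FILE (may be missing) and
# the addresses on stdin, one per line. Comments, surrounding whitespace
# (pfctl -T show indents its output) and blank lines are dropped; the
# result is sorted and deduplicated so repeated snapshots stay idempotent.
merge_addrs() {
    { [ -f "$1" ] && cat "$1"; cat; } \
        | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# snapshot: dump the live table and merge it into FILE atomically.
snapshot() {
    tmp=$(mktemp "${FILE}.XXXXXX")
    pfctl -t "$TABLE" -T show | merge_addrs "$FILE" > "$tmp"
    mv "$tmp" "$FILE"
    echo "snapshot: $(wc -l < "$FILE") entries in $FILE"
}

# restore: add every address in FILE to the live table. "-T add" keeps
# entries the kernel has already put there; it does not flush the table.
restore() {
    [ -f "$FILE" ] || { echo "restore: no $FILE" >&2; return 1; }
    pfctl -t "$TABLE" -T add -f "$FILE"
}

case "${1:-}" in
    snapshot) snapshot ;;
    restore)  restore ;;
    "")       ;;   # no command: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 snapshot|restore" >&2; exit 64 ;;
esac
```

Run `snapshot` before any `pfctl -f /etc/pf.conf`, otherwise the reload replaces the live table with whatever the `file` directive loads from disk and the kernel-added entries since the last snapshot are gone; with `persist file "..."` in pf.conf the snapshot file is then picked up automatically on the next ruleset load, and `restore` is only needed when you want to refill the table without reloading rules.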


