NetBSD-Users archive
Re: pf add not working
On Sun, 23 Nov 2014 16:41:59 +0100
Zoran Kolic <zkolic%sbb.rs@localhost> wrote:
> > I have set up an intrusion detection system on my ISP. In my
> > pf.conf I have the following two lines.
> > table <AUTOBLOCK> persist
> > block in quick log on $ext_if from <AUTOBLOCK>
>
> OpenBSD and NetBSD versions might differ a lot.
> It should read a file from file system and act
> accordingly. Good thinking and possible.
No, it does both. You can load a file at start or reload time and you
can modify existing tables dynamically. I do both. The AUTOBLOCK
table is the dynamic one.
> > udp = "pass in log on $ext_if proto udp from any to any port %s no
> > state" ### no line break in actual script
>
> pass in log on $ext_if proto { tcp, udp, icmp } from any to any
> modulate state
>
> I think you should not have "no state" for udp. Try to remove it.
Huh? Keeping state is exactly why, I believe, it was not working
properly. Adding "no state" was the critical change.
> What if you remove "no state"?
Then it will once again treat continuing connections as the same
connection and fail to block it.
> I will have to reread a manual to see how pf takes an input
> from the file. I'm pretty sure you have to add state to udp,
> but I might be wrong.
> The NetBSD version of pf could work differently than in the manual.
The manual explains how to keep state or not. What makes you think
that you *must* keep state for UDP? To my way of thinking, not keeping
state should be the default for UDP, at least for incoming connections.
--
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost
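The following pf.conf fragment is an added illustration of the two points made in the thread, not configuration posted by either participant. It shows a persistent table that is preloaded from a file and then modified at run time, a "quick" block rule placed ahead of the pass rules, and the stateless UDP pass rule beside the stateful one. The interface name, the port list and the file path are assumptions chosen for the example.

```pf
# Added example (not from the thread). Interface, ports and file path are
# assumptions for illustration only.
ext_if = "wm0"
udp_ports = "{ 53, 123 }"

# Persistent table: survives ruleset reloads, is preloaded from a file at
# load time, and can be changed at run time with
#   pfctl -t AUTOBLOCK -T add <addr>
#   pfctl -t AUTOBLOCK -T replace -f /etc/pf.autoblock
table <AUTOBLOCK> persist file "/etc/pf.autoblock"

# "quick" and placed first: a packet whose source is in the table never
# reaches the pass rules below. Note that a packet is only evaluated
# against the ruleset when it has no matching entry in the state table.
block in quick log on $ext_if from <AUTOBLOCK>

# Stateless: every UDP datagram is evaluated against the ruleset, so a
# source added to <AUTOBLOCK> is blocked from its next datagram onwards.
pass in log on $ext_if proto udp from any to any port $udp_ports no state

# Stateful variant (the behaviour the thread describes as "not working"):
# the first datagram creates a state entry, and later datagrams from the
# same source/port pair are passed on the state lookup alone, without
# consulting the block rule, until the state expires or is killed.
# pass in log on $ext_if proto udp from any to any port $udp_ports keep state
```

The practical consequence is the one the thread reaches: with a stateful rule, adding a host to <AUTOBLOCK> does not stop traffic that already has a state entry. If state is kept for other reasons, the existing entries have to be removed as well, for example with `pfctl -k <addr>` after the table update; with `no state` there is nothing to kill. Note also that in pf versions derived from OpenBSD 4.1 or later (which includes NetBSD's pf), a plain `pass` rule keeps state by default, so `no state` has to be written explicitly to get the stateless behaviour.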