Sometimes when installing new rules in pf.conf from a remote location your connection to the firewall gets dropped. To avoid this you can fire up screen (or tmux if you like) and then execute:
# sleep 5; pfctl -Fall -f /etc/pf.conf
That way you have enough time to detach from screen, logout and then login again to check the proper application of the new rules. Of course there is always the possibility of not being able to reconnect due to logic errors in pf.conf, but hey he who made no mistakes never built anything.
2 thoughts on “A simple pf.conf trick”
You could easily implement something like ferm’s interactive mode:
1. Dump current ruleset
2. Apply new ruleset
3. Prompt user for confirmation
4. If a specified time interval elapses, revert to the old ruleset.
By the way, ferm is a very convenient frontend for iptables, it’s big advantages being a powerful language, custom macro definitions and dual-stack (v4-v6) rule generation.
Ferm seems cool, but we work with pf ever since ipfilter was removed from OpenBSD 3.0. Actually one of the reasons of using sleep+screen is #4: Being able to login after the rules have been applied and run a command that will prevent reloading the previous ruleset after a certain amount of time. But you can’t always teach an old dog new tricks.