I was missing the anchor argument in pf when listing tables.

Thank you for your insight,
Pedro Caetano

On Thu, Nov 10, 2016 at 6:16 AM, Jan Kalkus <jkal...@gmail.com> wrote:
>
> > On Nov 9, 2016, at 10:37 PM, Jan Kalkus <jkal...@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> How does one use the overload state option inside an anchor?
> >>
> >> I'm running -current (7th November snapshot) 64bit, sample pf
> >> configurations follow with two different configuration attempts.
> >> Both print the following warning:
> >>
> >> pfctl: warning: namespace collision with <bruteforce> global table.
> >>
> >> sample pf configurations below:
> >>
> >> table <bruteforce>
> >> icmp_types = "{ echoreq, unreach }"
> >> ext_if=""
> >> int_if="{ em1 em2 em3 }"
> >> int_networks="{ em1:network, em2:network, em3:network }"
> >> v6broker=""
> >> v6resolver=""
> >> mediacenter=""
> >> set skip on lo
> >> set loginterface egress
> >> block drop in all
> >> antispoof quick for (egress)
> >>
> >> match proto { udp tcp } to port { domain ntp } set prio 6
> >> match proto tcp to port ssh set prio 6
> >> match in all scrub (no-df max-mss 1440)
> >> anchor "inet" on $ext_if {
> >> block quick from <bruteforce>
> >> block all
> >> pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
> >> pass inet proto icmp all icmp-type $icmp_types tag GOOD
> >> pass in inet proto {tcp,udp} from any to any port 45555 rdr-to $mediacenter tag GOOD
> >> pass in inet proto tcp from any to any port {80,443} tag GOOD
> >> pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
> >> pass out from (self) to any tag GOOD
> >> pass out inet from $int_networks to any nat-to (egress) tag GOOD
> >> match out inet from $int_networks to any nat-to (egress) tag GOOD
> >> pass out inet6 from em2:network to any tag GOOD
> >> pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
> >> block quick inet ! tagged GOOD
> >> }
> >>
> >> # pfctl -f /etc/pf.conf
> >> pfctl: warning: namespace collision with <bruteforce> global table.
> >>
> >>
> >> table <bruteforce>
> >> icmp_types = "{ echoreq, unreach }"
> >> ext_if=""
> >> int_if="{ em1 em2 em3 }"
> >> int_networks="{ em1:network, em2:network, em3:network }"
> >> v6broker=""
> >> v6resolver=""
> >> mediacenter=""
> >> set skip on lo
> >> set loginterface egress
> >> block drop in all
> >> antispoof quick for (egress)
> >>
> >> match proto { udp tcp } to port { domain ntp } set prio 6
> >> match proto tcp to port ssh set prio 6
> >> match in all scrub (no-df max-mss 1440)
> >> anchor "inet" on $ext_if {
> >> block quick from <bruteforce>
> >> block all
> >> pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
> >> pass inet proto icmp all icmp-type $icmp_types tag GOOD
> >> pass in inet proto {tcp,udp} from any to any port 45555 rdr-to $mediacenter tag GOOD
> >> pass in inet proto tcp from any to any port {80,443} tag GOOD
> >> pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
> >> pass out from (self) to any tag GOOD
> >> pass out inet from $int_networks to any nat-to (egress) tag GOOD
> >> match out inet from $int_networks to any nat-to (egress) tag GOOD
> >> pass out inet6 from em2:network to any tag GOOD
> >> pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
> >> block quick inet ! tagged GOOD
> >> }
> >>
> >> # pfctl -f /etc/pf.conf
> >> pfctl: warning: namespace collision with <bruteforce> global table.
> >>
> >>
> >> Thank you for your help,
> >> Pedro Caetano
> >>
> >
> > Hi Pedro,
> >
> > In my experience, you only need the `global' table from main pf.conf.
> >
> > Subsequent anchors can reference `global' tables (tables that have been
> > defined in pf.conf), but not the other way around.
> >
> > - Jan
>
> Apologies, I misinterpreted your configurations.
>
> I would first compare the outputs of the following two commands:
>
> `pfctl -s Tables'
> `pfctl -a inet -s Tables'
>
> to make sure there are no overlapping tables between the two.
>
> I have also had trouble with table collisions when accidentally creating a
> table with an identical name inside an anchor. I usually clear out the
> duplicate table from that anchor with a reboot.
>
> - Jan
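The two checks discussed in the thread, as an added shell example that is not part of the thread and not anyone's posted code: a static scan of a pf.conf for table names that exist at global scope and also turn up inside an inline anchor block (the shape of ruleset quoted above, where `<bruteforce>` is a global table and the anchor `inet` uses it in `block quick from <bruteforce>` and `overload <bruteforce>`), plus the runtime comparison Jan suggests between `pfctl -s Tables` and `pfctl -a inet -s Tables`. The ruleset embedded below is constructed for the example; the anchor names `inet` and `mgmt`, the `<admins>` table and the addresses are made up. The scanner only understands `anchor "name" ... {` blocks and reports candidates from the text; it does not evaluate pf, and the `pfctl` commands are shown in comments only because they need a pf host and root.

```shell
#!/bin/sh
# Added example (not from the thread): find pf table names that are defined
# at global scope and are also defined or referenced inside an inline anchor
# block, the situation behind the quoted
# "namespace collision with <bruteforce> global table" warning.
# Limits: only 'anchor "name" ... {' blocks are parsed; nested anchors share
# the innermost name; output is a list of candidates to verify with pfctl.

# Constructed sample ruleset, modelled on the quoted one (not the poster's file).
PF_SAMPLE='table <bruteforce>
table <admins> { 192.0.2.10 }
set skip on lo
block drop in all
anchor "inet" on em0 {
    block quick from <bruteforce>
    pass in proto tcp to port 22 keep state \
        (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global)
    pass in proto tcp from <admins> to port 443
}
anchor "mgmt" {
    table <bruteforce>
    block quick from <bruteforce>
}
'

# pf_table_collisions: read pf.conf text on stdin and print
# "anchor<TAB>table<TAB>kind" for every <table> seen inside an anchor block
# whose name is also a global table. kind is "defined" when the anchor has its
# own "table <name>" statement, "referenced" when the name only appears in
# rules (for example "overload <name>" or "from <name>").
pf_table_collisions() {
    awk '
    # "table <name>" outside any anchor block: a global table definition.
    depth == 0 && /^[ \t]*table[ \t]*</ {
        match($0, /<[^>]+>/)
        global[substr($0, RSTART + 1, RLENGTH - 2)] = 1
        next
    }
    # Start of an inline anchor block: anchor "name" ... {
    /^[ \t]*anchor[ \t]+"[^"]+"/ && /[{][ \t]*$/ {
        match($0, /"[^"]+"/)
        anchor = substr($0, RSTART + 1, RLENGTH - 2)
        depth++
        next
    }
    # End of an anchor block.
    depth > 0 && /^[ \t]*}[ \t]*$/ { depth--; next }
    # Inside an anchor: record every <name> on the line and how it is used.
    depth > 0 {
        isdef = ($0 ~ /^[ \t]*table[ \t]*</)
        line = $0
        while (match(line, /<[^>]+>/)) {
            t = substr(line, RSTART + 1, RLENGTH - 2)
            if (isdef)
                kind[anchor, t] = "defined"
            else if (!((anchor, t) in kind))
                kind[anchor, t] = "referenced"
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END {
        for (k in kind) {
            split(k, p, SUBSEP)
            if (p[2] in global)
                print p[1] "\t" p[2] "\t" kind[k]
        }
    }' | sort
}

# pf_list_overlap: names present in both newline-separated lists. This is the
# runtime check from the thread; on a pf host, as root (not run here):
#   pf_list_overlap "$(pfctl -s Tables)" "$(pfctl -a inet -s Tables)"
pf_list_overlap() {
    t1=$(mktemp) || return 1
    t2=$(mktemp) || { rm -f "$t1"; return 1; }
    printf '%s\n' "$1" | sort -u > "$t1"
    printf '%s\n' "$2" | sort -u > "$t2"
    comm -12 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Scan the constructed sample: expect <admins> and <bruteforce> flagged for
# "inet" (referenced only) and <bruteforce> flagged for "mgmt" (defined twice).
printf '%s' "$PF_SAMPLE" | pf_table_collisions
```

Any name the scanner prints is one to look for in both `pfctl -s Tables` and `pfctl -a <anchor> -s Tables`; a "defined" hit is the accidental duplicate definition Jan describes, while a "referenced" hit is the quoted ruleset's pattern, where the anchor only uses the global table's name.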