Uhhmm... But this is not the case... I have only referenced the <bruteforce> table once. Complete rules:

table <bruteforce> persist counters

#
# Specific options for exposed services
#
exposed_tcp = "(max-src-conn 10, max-src-conn-rate 15/5, overload <bruteforce> flush global)"
exposed_udp = "(max-src-conn 30, max-src-conn-rate 10/1, overload <bruteforce> flush global)"

#############################################
#
# Default policy rules
#
#############################################

# Block brute force access
block quick log from <bruteforce> label "Block access from bruteforce hosts"

#---------------------------------------------------
# Policy for inbound connections to egress interface
#---------------------------------------------------

#
# Group of rules for exposed public services
#
anchor inet from !<internal_networks> to (carp1) tag inet-to-enc {
    pass in log (all, to pflog1) proto udp to port $pub_port keep state $exposed_udp rdr-to $encgw01 port $pub_port
}

> On 12 Jan 2022, at 18:50, Marin BERNARD <li...@olivarim.com> wrote:
>
> Hi,
>
> Your anchor is probably defined twice, once in the main ruleset, and
> once more in the context of the 'pub-network/_2' anchor.
>
> In such a case a warning is shown to let you know that this is not
> recommended practice.
>
> From the pfctl(8) man page (http://man.openbsd.org/pfctl#a):
>
>> When a rule referring to a table is loaded in an anchor, the rule
>> will use the private table if one is defined, and then fall back to
>> the table defined in the main ruleset, if there is one. This is
>> similar to C rules for variable scope. It is possible to create
>> distinct tables with the same name in the global ruleset and in an
>> anchor, but this is often bad design and a warning will be issued in
>> that case.
>
> ------- Original Message -------
>
> On Wednesday, 12 January 2022 at 11:58, Carlos Lopez <clo...@outlook.com>
> wrote:
>
>> Hi all,
>>
>> I have a strange issue when I use a pf table inside an anchor. The error
>> returned is:
>>
>> pfctl: warning: table <bruteforce> already defined in anchor "pub-network/_2"
>>
>> Table <bruteforce> is defined in the global pf.conf file. In pf.conf I have
>> defined some anchors by interface, like this:
>>
>> Group of rules for public network
>> =================================
>>
>> anchor "pub-network" on egress
>>
>> load anchor pub-network from "/etc/fwrules/publan.conf"
>>
>> Inside public.conf I have the rule that returns this warning:
>>
>> exposed_tcp = "(max-src-conn 10, max-src-conn-rate 15/5, overload
>> <bruteforce> flush global)"
>>
>> anchor inet from !<internal_networks> to (carp1) tag inet-to-enc {
>>
>> pass in log (all, to pflog1) proto tcp to port $my_port keep state
>> $exposed_tcp rdr-to $encgw01 port $my_port
>>
>> }
>>
>> How can I fix it? Or maybe I am making some mistake?
> <publickey - li...@olivarim.com - 0xFD5D9CF2.asc>
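The scoping rule quoted from pfctl(8) above (a table referenced in an anchor uses a private definition if the anchor has one, else the main ruleset's table; defining both triggers the warning) can be checked statically before loading. The script below is an added example written for this thread, not code posted by either participant: a POSIX sh script (assumed name pf_table_scope.sh, with assumed function names pf_ruleset_files, pf_table_defs, pf_duplicate_tables, pf_unresolved_refs and pf_table_report) that walks a main pf.conf plus every file it pulls in with `load anchor NAME from "PATH"`, reports any `table <name>` defined in more than one file, and lists the `<name>` references in each anchor file that have no local definition and will therefore fall back to the main ruleset's table. It assumes OpenBSD pf.conf syntax and file paths without spaces.

```shell
#!/bin/sh
# pf_table_scope.sh: added example, not code from the thread. Static check of a
# pf.conf plus the files it pulls in with `load anchor ... from "file"`:
#  - which file(s) define each `table <name>` (a second definition inside an
#    anchor file is the private-copy case pfctl(8) warns about), and
#  - which <name> references in a file have no local definition, so they
#    resolve to the main ruleset's table at load time (the fallback the man
#    page describes).
# Assumes OpenBSD pf.conf syntax, anchors loaded with `load anchor NAME from
# "PATH"`, and paths without spaces. Function names are this example's own.

# Print the main ruleset path followed by every file a `load anchor` line names.
pf_ruleset_files() {
    printf '%s\n' "$1"
    sed -n 's/^[[:space:]]*load[[:space:]]\{1,\}anchor[[:space:]].*from[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Print "name file" for every `table <name>` definition found in the given files.
pf_table_defs() {
    for f in "$@"; do
        sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>.*/\1/p' "$f" |
        while read -r t; do printf '%s %s\n' "$t" "$f"; done
    done
}

# Print "name: file file..." for every table defined in more than one file.
pf_duplicate_tables() {
    pf_table_defs "$@" | awk '
        { files[$1] = files[$1] " " $2; n[$1]++ }
        END { for (t in n) if (n[t] > 1) print t ":" files[t] }' | sort
}

# Print the table names a file references in <...> but does not define itself.
pf_unresolved_refs() {
    defs=$(sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>.*/\1/p' "$1")
    grep -o '<[A-Za-z0-9_.-]*>' "$1" | tr -d '<>' | sort -u |
    while read -r t; do
        printf '%s\n' "$defs" | grep -qx -- "$t" || printf '%s\n' "$t"
    done
}

# Human-readable report for a main ruleset and everything it loads.
pf_table_report() {
    files=$(pf_ruleset_files "$1")
    echo "== tables defined in more than one ruleset file =="
    pf_duplicate_tables $files
    for f in $files; do
        echo "== tables referenced but not defined in $f (resolve to main ruleset) =="
        pf_unresolved_refs "$f"
    done
}

# Run as a script: sh pf_table_scope.sh /etc/pf.conf
if [ $# -eq 1 ]; then
    pf_table_report "$1"
fi
```

On a layout like the one posted (the table defined only in pf.conf, the anchor file merely referencing it in `overload <bruteforce>`) the report shows no duplicate and lists `bruteforce` and `internal_networks` as references that resolve to the main ruleset; adding a second `table <bruteforce>` line to the anchor file makes the name appear under the duplicates heading with both paths. This only inspects the source files; the authoritative check is on the running firewall, where `pfctl -sT` lists the tables of the main ruleset and `pfctl -a 'pub-network/_2' -sT` lists the ones that actually exist in that anchor after the load.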