Daniel Ouellet wrote:
>> If this was to be implemented, it might be more appropriate to show in
>> the runtime state (pfctl -si) than the rule output.
>
> I don't know. Maybe, maybe not. But I got cut with this. I had a
> sysadmin do changes in a pretty big multi interface box and he used the
> set skip to test new rules on individual interfaces as I guess it started
> to be too big, I can't explain. But in any case, I started to see pass
> that some strange things that shouldn't be there and looking at the
> pfctl -sr at work, I never saw anything that would explain it.
>
> After many hours of work, I thought that maybe there might be a bug
> somehow. Looked in that direction and a few more days passed.
>
> Sometimes the most obvious is not what jumps at you and in the end, I
> started to look in more detail at the rules instead of the pfctl -sr
> until I saw the set skip in there.
>
> So, in the end, it is very stupid that I agree with 100%!
>
> No one else to blame than the sysadmin and myself to assume that pfctl
> -sr would show me what's active at the time.
>
> I fell into that trap and that's why I was asking if it wouldn't make
> sense to see what's actually active when you are looking at the live
> configuration running on the system.
>
> I took for granted that looking at the live rules was telling me that's
> what is actively filtered. Believe me, I will not fall into that trap
> again, but I thought after many hours that I could have saved, that
> maybe it might be very useful for someone else maybe.
>
> I just thought that if you look at the live configuration, it should
> show the live configuration.
>
> That was just my take on it after a real life trap that I don't have
> anyone to blame than myself for not looking at the detailed configuration
> line by line sooner.
>
> In any case, thanks for the feedback. That's a mistake I will not repeat
> again! (;>
>
> Daniel
>

pfctl -sI -vv shows you if an interface is skipped or not.

My 2 cents,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
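
Added example, not part of the thread: a small check built on the `pfctl -sI -vv` hint above that reports interfaces pf is skipping at runtime, other than an allowlist. It assumes interface header lines of the form `em1 (skip)` starting in column 0; the sample output, interface names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag interfaces on which pf is
# skipping filtering, since `pfctl -sr` does not show `set skip`.

# Constructed sample of `pfctl -sI -vv` output; names and values are made up.
sample_output() {
cat <<'EOF'
all
	Cleared:     Mon Jan  1 00:00:00 2024
	References:  [ States:  0                  Rules: 4                  ]
em0
	Cleared:     Mon Jan  1 00:00:00 2024
	References:  [ States:  12                 Rules: 3                  ]
em1 (skip)
	Cleared:     Mon Jan  1 00:00:00 2024
	References:  [ States:  0                  Rules: 0                  ]
lo0 (skip)
	Cleared:     Mon Jan  1 00:00:00 2024
	References:  [ States:  0                  Rules: 0                  ]
EOF
}

# Read `pfctl -sI -vv` output on stdin and print every skipped interface.
# Header lines are unindented; the per-interface counters are indented.
skipped_ifaces() {
    awk '/^[^ \t]/ && $2 == "(skip)" { print $1 }'
}

# Print skipped interfaces that are not in the space-separated allowlist
# given as $1 (default: lo0 only).
unexpected_skips() {
    allow=${1:-lo0}
    skipped_ifaces | while read -r ifc; do
        case " $allow " in
            *" $ifc "*) ;;          # expected skip, stay quiet
            *) echo "$ifc" ;;       # filtering is bypassed here
        esac
    done
}

# Live use on the firewall (as root): pfctl -sI -vv | unexpected_skips "lo0"
if [ "${1:-}" = "--demo" ]; then
    sample_output | unexpected_skips "lo0"
fi
```

Run from cron or a monitoring agent, any output means traffic on that interface is bypassing the ruleset that `pfctl -sr` displays.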