On 2006/09/09 18:04, steve szmidt wrote:
> On Saturday 09 September 2006 17:59, Stuart Henderson wrote:
> > On 2006/09/09 16:40, steve szmidt wrote:
> > > I also added proper data to all table files to ensure it does not mess
> > > things up. Though the persist command should allow for empty files.
> >
> > Do your tables actually load? Check pfctl -t tablename -Ts.
> > If not, does pfctl -vvt tablename -Tr -f /path/to/file offer clues?
>
> Yes, running fine.
So,
- the only difference in pf.conf between working and not-working is that
  working uses addresses directly in the rules, and not-working uses tables;
- your tables did load correctly and show the addresses with -Ts

Maybe it would help to post pfctl -sr -vv with the direct entry (i.e. working)
and table (i.e. not-working). Perhaps pfctl -sT -v too.

> > > pass out log on $WAN proto tcp from <managers> to <http-managers> port
> > > $Web
> >
> > Remember the DNS lookup happens only when the rules are loaded.
> > Is it acceptable to lose access to these sites when they change
> > address? Also by listing names right in PF config or tables
> > you're relying on working DNS to load the rules correctly.
>
> Of course. But without DNS it does not work anyway...

Well, by listing numeric addresses, it will work as soon as DNS unbreaks
- by listing names, if just one entry fails to resolve, the whole file
will not be loaded.
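The point at the end of the message (one unresolvable name makes pfctl reject the whole table file, numeric entries load whatever DNS is doing) can be enforced before a load. The script below is an added example written for this page, not code from the thread or from pfctl; it checks that a table file such as the one backing <managers> contains only IPv4/IPv6 addresses or networks, prints any entry that would need a DNS lookup at load time, and only on a clean file would run the same table replace Stuart abbreviates as -Tr (pfctl -t NAME -T replace -f FILE). Assumptions: the table-file syntax of pf.conf(5) (one entry per line, # comments, leading ! negation), the hypothetical function names pf_table_lint and pf_table_reload, and a constructed sample file; is_ipv6 is a syntax sanity check, not a full validator.

```shell
#!/bin/sh
# Added example (not from the thread): keep pf table files numeric so that a
# broken DNS cannot stop "pfctl -t NAME -T replace -f FILE" from loading them.
# Assumes pf.conf(5) table-file syntax: one entry per line, '#' comments,
# optional leading '!' negation, IPv4/IPv6 with optional /prefix.
set -f   # we word-split untrusted file contents: no pathname expansion

# is_ipv4 ADDR[/PREFIX]: four decimal octets 0-255, prefix 0-32.
is_ipv4() {
    addr=$1
    case "$addr" in
        */*) prefix=${addr#*/}; addr=${addr%%/*}
             case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ""|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6 ADDR[/PREFIX]: hex groups separated by ':', at most one '::',
# at most 8 groups of up to 4 hex digits, prefix 0-128 (sanity check only).
is_ipv6() {
    addr=$1
    case "$addr" in
        */*) prefix=${addr#*/}; addr=${addr%%/*}
             case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 128 ] || return 1 ;;
    esac
    case "$addr" in
        *[!0-9a-fA-F:]*|*:::*) return 1 ;;   # non-hex char, or ':::'
        *:*:*) ;;                             # needs at least two colons
        *) return 1 ;;
    esac
    rest=${addr#*::}
    case "$rest" in *::*) return 1 ;; esac    # a second '::' is invalid
    old_ifs=$IFS; IFS=:
    set -- $addr
    IFS=$old_ifs
    [ $# -le 8 ] || return 1
    for group; do
        [ ${#group} -le 4 ] || return 1
    done
    return 0
}

is_pf_numeric() { is_ipv4 "$1" || is_ipv6 "$1"; }

# pf_table_lint FILE: print every entry that is not a numeric address or
# network, i.e. one pfctl would have to resolve through DNS while loading.
# Returns 0 if the file is purely numeric, 1 otherwise.
pf_table_lint() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}            # strip '#' comments, word-split
        [ $# -eq 0 ] && continue      # blank or comment-only line
        entry=${1#!}                  # drop a leading negation marker
        if ! is_pf_numeric "$entry"; then
            printf '%s\n' "$entry"
            bad=1
        fi
    done < "$file"
    return $bad
}

# pf_table_reload NAME FILE: replace table NAME from FILE, but only when
# FILE contains no names (hypothetical wrapper around pfctl(8)).
pf_table_reload() {
    if ! pf_table_lint "$2" >/dev/null; then
        echo "refusing to load $2 into <$1>: hostnames present" >&2
        return 1
    fi
    pfctl -t "$1" -T replace -f "$2"
}

# Constructed sample table (not from the thread): numeric entries plus two
# hostnames that would be looked up only when the table is loaded.
make_sample_table() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# <managers> sample
192.0.2.10
192.0.2.0/28          # office block
!192.0.2.15           # excluded host
2001:db8::1
www.example.com       # hostname: resolved at load time
ns1.example.org
EOF
    printf '%s\n' "$f"
}

# Demo: lint the sample; pf_table_reload would only call pfctl on a clean file.
sample=$(make_sample_table)
if pf_table_lint "$sample"; then
    echo "$sample: numeric only, safe to load"
else
    echo "$sample: hostnames present, not loading" >&2
fi
rm -f "$sample"
```

Run against the sample it prints www.example.com and ns1.example.org and refuses; an operator who wants those hosts in the table resolves them separately and writes the resulting addresses into the file, so a later DNS outage can at worst leave stale entries rather than an empty table.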