commit e7262d2eea3e41eb401166acdbc8be6c2e323211
parent c2f377beca81726251feeb15eb5e873327e891ec
Author: Chris Bracken <chris@bracken.jp>
Date: Sat, 10 Jul 2021 11:59:39 -0700
FreeBSD: Add blacklistd_flags
Unclear whether starting with -r is required, but every example I see
where blacklistd is used with pf includes it. The manpage isn't as clear
as it could be with regards to what's actually happening under the hood
here.
Diffstat:
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/freebsd_install.md b/freebsd_install.md
@@ -523,8 +523,8 @@ To run a check on our config file without yet applying it:
Next, we'll start `pf`, but since many a system administrator has found
themselves locked out of their own server by applying a bad config, it's
useful to queue up a command to disable the firewall after two minutes.
-In another terminal, log into the remote machine, get a root shell using
-`sudo -s`, then run the following:
+In another terminal, log into the remote machine, get a *root* shell
+using `sudo -s`, then run the following:
# Sleep 2 minutes, then disable pf.
sleep 120; pfctl -d
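Review bot: The `*root*` emphasis is fine, but the surrounding sentence ("In another terminal, log into the remote machine ... then run the following") still leaves the ordering implicit: the `sleep 120; pfctl -d` escape hatch only protects you if that second session is already logged in and the command already running before `pf` is enabled in the first session. Consider adding "before enabling pf" (or similar) to the sentence so a reader doesn't enable the firewall first and then try to open the second session.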
@@ -573,9 +573,14 @@ First, we'll add a pf anchor for blacklistd blocks in `/etc/pf.conf`:
anchor "blacklistd/*" in on $ext_if
-Next we'll enable it on boot. Add the following line to `/etc/rc.conf`:
+Next we'll enable it on boot. We start the daemon with the `-r` flag, which
+tells it to re-read the firewall rules from the internal database and remove
+then re-add them; this is useful for packet filters that don't retain state
+across restarts, though it's unclear to me whether this is the case for `pf`.
+Add following lines to `/etc/rc.conf`:
blacklistd_enable="YES"
+ blacklistd_flags="-r"
Nest, start the blacklistd service:
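Review bot: The new paragraph puts the author's own uncertainty ("though it's unclear to me whether this is the case for `pf`") into user-facing documentation; that hedge already lives in the commit message, so either resolve it against blacklistd(8) before merging or reword the doc to state only what is known (the flag re-reads and re-applies rules from the internal database, and the pf examples for blacklistd use it). Two smaller points in the same hunk: "Add following lines" should read "Add the following lines", and if the leading space in `+ blacklistd_flags="-r"` is real indentation it should match the existing `blacklistd_enable="YES"` line. Since the hunk touches this region anyway, the pre-existing typo in the trailing context, "Nest, start the blacklistd service:", could be corrected to "Next" in the same change.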