From nobody Wed Jul 12 19:51:47 2023
Date: Wed, 12 Jul 2023 21:51:47 +0200
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
Subject: Re: dis/advantages of compiling in-kernel over kldload
To: freebsd-hackers@freebsd.org
From: Miroslav Lachman <000.fbsd@quip.cz>
On 12/07/2023 21:03, void wrote:
[..]
> What I'd like to achieve is the following:
>
> If pf fails to load its ruleset, allow ssh from only this safe IP range
> and block everything else.

Take a look into /etc/defaults/rc.conf or man rc.conf for some examples
of the pf_fallback variables. You can define a simple rule or a special
file to load when your main ruleset (pf.conf) fails to load at boot time.

Enable the fallback

pf_fallback_rules_enable="YES"

and then use one of these

pf_fallback_rules="block drop log all"
pf_fallback_rules_file="/etc/pf-fallback.conf"

Kind regards
Miroslav Lachman
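As an added example (not part of Miroslav's message and not FreeBSD's own defaults), here is how void's requirement could be expressed with those variables: the rc.conf lines plus a fallback ruleset file that admits ssh only from an assumed management range, 192.0.2.0/24 (a placeholder), and blocks and logs everything else. Syntax-check the fallback file with `pfctl -nf /etc/pf-fallback.conf` so that the fallback itself cannot fail to parse.

```conf
# --- /etc/rc.conf (added example) ---
pf_enable="YES"
pf_rules="/etc/pf.conf"
# Only used when /etc/pf.conf fails to load during the rc(8) start of pf.
pf_fallback_rules_enable="YES"
pf_fallback_rules_file="/etc/pf-fallback.conf"

# --- /etc/pf-fallback.conf (added example) ---
# Minimal emergency ruleset: ssh from the safe range only, everything else
# blocked and logged. Keep it short so it cannot fail for the same reason
# the main ruleset did.
safe_net = "192.0.2.0/24"   # placeholder; replace with the real management range

set skip on lo0             # never filter loopback
block drop log all          # default deny in both directions, logged to pflog0
# Inbound ssh from the safe range only; the state entry lets replies out
# despite the block-all rule above.
pass in quick proto tcp from $safe_net to self port 22 keep state
```

Connections already established before the main ruleset failed are not affected by the fallback; it only governs what rc(8) loads when pf.conf is rejected at boot.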