Updating PF to OpenBSD Release 4.1

Chris Turner c.turner at 199technologies.org
Fri Jul 23 13:12:47 PDT 2010

On Fri, Jul 23, 2010 at 07:51:48AM +0200, Jan Lentfer wrote:
> Matthew Dillon wrote:
> >    default to be that a router reboot causes all active TCP connections
> >    to get RST'd.

I think the 'openbsd preferred' way for 'router reboots' is to carp + 
pfsync 2 routers and do any maintenance updates that way.. 
of course this presupposes sufficient hardware.. 
IIRC pfsync is a 'versioned' protocol, so it's forward compatible with 
itself.. which brings up carp + pfsync - was this tested / does this apply?

(I recall some breakage previously - 
 don't remember if that was sorted out or not..)

> Hmm... I use PF on OpenBSD 4.6 as my primary router to internet. I am 
> quite sure that rdr rules are subject to nat'ing but I will try to 
> create a test setup to evaluate.

I am currently sshed into a DF machine behind an ssh-port-forwarded OpenBSD 
soekris that is on a NAT behind another port-forwarded NAT (some linksys box), 
so yeah - works for me too - also worked on 2.4 DragonFly IIRC with 
http rdr + nat - before I set up the soekris I had a 2-node mini net 
on the same 'wide area lan' linksys setup.. so it works in the 'reference' 
and I'm pretty sure it worked on 2.4 (maybe 2.5) DragonFly too..

I can send the pf.conf from both along if that would help, in case there 
is some unknown bug..

oh right - and THIS IS AWESOME GOOD JOB!


- Chris