He VPN’d in, his coffee cold before he’d even poured it. The first command was ritual.

OpenBSD 7.5-current (GENERIC) #5

His stomach turned to ice. Current. Not -release. Not -stable. Someone—a junior with a cowboy hat and a cron job—had pointed their package repository to the bleeding-edge snapshots. And the new PF, the one in 7.5-current, had changed.

gw-04-dfw wasn't just in a backup state. It was a naked machine on the public internet, its interface wide open.

pf configuration incompatible with pf program version

/var/log/messages: pfctl: /etc/pf.conf:87: syntax error
/var/log/messages: pfctl: /etc/pf.conf:87: rule expands to a non-list element

He pulled up the man page on his laptop. pf.conf(5). There it was, buried in the "Migration Notes" for 7.5:

The from <list> syntax has been deprecated for non-route-related filter rules. Use an anchor or table for multiple source prefixes. Direct lists in a pass in rule will now raise a fatal syntax error.

A fatal error. Not a warning. Not a "this might break." A stone-cold, refuse-to-start fatal error.

echo "table <api_sources> persist { 10.88.12.0/24, 10.88.13.0/24 }" >> /etc/pf.conf
sed -i '87s/from {[^}]*}/from <api_sources>/' /etc/pf.conf

pfctl -sr | grep "api_sources"

Silence. Then the gentle tick of the rule counter.

The rule was there. Clean. PF was running. CARP sync re-established. The pager fell silent.

But he knew the real story. The firewall had been working fine. Until the moment it wasn't. And the difference between those two moments was a single line in a changelog no one had read, and a list of IP addresses wrapped in the wrong kind of curly braces.

He never trusted -current again.
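For readers who want to see the two forms the story turns on side by side, here is an added pf.conf fragment; it is not from the story and not the gw-04-dfw ruleset. The interface group (egress), the protocol and port, and the shape of the rule are assumed; only the two prefixes and the table name come from the text.

```pf
# Added example for the gw-04-dfw scenario (assumed rule shape, assumed
# interface group "egress" and port 443; the prefixes are from the story).

# Before: source prefixes listed inline in the filter rule. This is the form
# the story describes as raising a fatal syntax error on the 7.5-current
# snapshot. It is commented out so the fragment loads as written.
# pass in on egress proto tcp from { 10.88.12.0/24, 10.88.13.0/24 } to port 443

# After: the prefixes live in a table, defined before the rule that uses it.
# "persist" keeps the table loaded even when no rule references it, so its
# contents can be changed at runtime without reloading the whole ruleset.
table <api_sources> persist { 10.88.12.0/24, 10.88.13.0/24 }
pass in on egress proto tcp from <api_sources> to port 443
```

The check the story's engineer was missing is a parse-only load: pfctl -nf /etc/pf.conf reads and validates the file without touching the running ruleset, so a syntax error from a changed PF shows up on the terminal rather than as an unfiltered interface after a failover. Once loaded, pfctl -t api_sources -T show lists the table's current contents and pfctl -sr lists the rules that actually took effect, which is the same confirmation the grep at the end of the story relies on.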