echo "table <api_sources> persist 10.88.12.0/24, 10.88.13.0/24 " >> /etc/pf.conf sed -i '87s/from .* /from <api_sources>/' /etc/pf.conf
It was clean. It had worked for eighteen months. He squinted. Then he saw it. The version banner from the last system upgrade, buried four scrolls up:
He VPN’d in, his coffee cold before he’d even poured it. The first command was ritual.
Line 87. Julian scrolled through the config. Line 87 was a routine pass in rule for a backend API subnet. pf configuration incompatible with pf program version
/var/log/messages: pfctl: /etc/pf.conf:87: syntax error /var/log/messages: pfctl: /etc/pf.conf:87: rule expands to a non-list element
The old PF (the one running on 7.4) had been lenient. It saw the curly braces, expanded the list in memory, and carried on. The new PF was a stricter grammarian. It saw the same syntax, declared it heresy, and refused to load any rules at all. Zero firewall. No state table. No blocking. No logging.
Then the prayer:
His stomach turned to ice. Current. Not -release . Not -stable . Someone—a junior with a cowboy hat and a cron job—had pointed their package repository to the bleeding-edge snapshots. And the new PF, the one in 7.5-current , had changed.
pass in on $ext_if inet proto tcp from 10.88.12.0/24, 10.88.13.0/24 to port 8080
He wrote his post-mortem at dawn. Title: "PF_CONFIG_VERSION vs. PF_PROGRAM_VERSION: A Case of Silent Deprecation." echo "table <api_sources> persist 10
Julian leaned back. The problem wasn't malice. It wasn't a hacker. It was a ghost in the machine: a mismatch between the intent of a config (written for a forgiving world) and the reality of a program (now pedantic, unforgiving).
Silence. Then the gentle tick of the rule counter.
The alert came in at 03:14, which meant the on-call pager was now a small, vibrating god of wrath on Julian’s nightstand. Then he saw it
Julian groaned, rubbing the sleep from his eyes. He was the senior NetOps engineer for a mid-sized cloud provider. Their edge was built on OpenBSD, chosen for the purity and rigor of its Packet Filter (PF). For seven years, it had been a silent, perfect stone wall. Until tonight.
But he knew the real story. The firewall had been working fine. Until the moment it wasn't. And the difference between those two moments was a single line in a changelog no one had read, and a list of IP addresses wrapped in the wrong kind of curly braces.