Subject: Re: pf doesn't start normally anymore
To: Mipam <>
From: Peter Postma <>
List: tech-security
Date: 08/11/2005 19:07:10
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Aug 11, 2005 at 06:41:23PM +0200, Mipam wrote:
> Hi Peter,
> Thanks for your reply.
> Here is my ruleset, very simple one btw. :-)
> I hope you'll find what might be the problem.

I think that I know what's wrong. When /etc/rc.d/pf is executed, wm0
doesn't have an IP address yet. So the rule parsing fails here:
"from any to $ext_if", $ext_if should resolve to IP address(es) but wm0
doesn't have an address so this fails. You'll probably see the message:
"no IP address found for wm0".

So, we should start pf after the network is up, then everything should
be fine. Please try the attached patch.

Peter Postma

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=diff

Index: pf
RCS file: /cvsroot/src/etc/rc.d/pf,v
retrieving revision 1.5
diff -u -u -r1.5 pf
--- pf	10 Aug 2005 13:52:05 -0000	1.5
+++ pf	11 Aug 2005 17:05:26 -0000
@@ -4,8 +4,8 @@
 # PROVIDE: pf
-# REQUIRE: root beforenetlkm mountcritlocal tty
-# BEFORE: network
+# REQUIRE: root beforenetlkm mountcritlocal tty network dhclient
 $_rc_subr_loaded . /etc/rc.subr
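
Review bot: On the changed REQUIRE line, putting pf behind `network` and `dhclient` while dropping `# BEFORE: network` means the interfaces are configured before any filter rules are loaded, so the host runs unfiltered for that part of boot. If this ordering is kept, add a comment next to the REQUIRE line saying that the ruleset only takes effect once the network is up and why (rules such as "from any to $ext_if" need the interface to have an address at parse time). It is also worth checking that a ruleset which does not depend on interface addresses could still be loaded before `network`, for example by splitting the early load from the address-dependent one.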