Subject: Re: pf doesn't start normally anymore
To: Greg Troxel <email@example.com>
From: Mipam <firstname.lastname@example.org>
Date: 08/11/2005 23:18:05
On Thu, 11 Aug 2005, Greg Troxel wrote:
> Peter Postma <email@example.com> writes:
> > I think that I know what's wrong. When /etc/rc.d/pf is executed, wm0
> > doesn't have an IP address yet. So the rule parsing fails here:
> > "from any to $ext_if", $ext_if should resolve to IP address(es) but wm0
> > doesn't have an address so this fails. You'll probably see the message:
> > "no IP address found for wm0".
> I have found (with ipfilter) that I wished I could write rules that
> talk about not only in and out, but 'up' and 'down', so that I could
> separate protecting the host from the router portion of the firewall.
> The lack of this has led me to write rules that block packets to 'my'
> addresses, which require addresses to be present.
> There is also compiling default block into the kernel. I suppose
> startup scripts could install a block all, bring up networks, and then
> install the real ruleset.
I also liked the default block idea in ipf very much and always compiled
kernel with the default block. Thing is, that if you got a firewall remote
with that block compiled AND a typo in the ruleset by accident, you won't
be able to reach it anymore. So, yeah i like it much, the default block,
but sometimes i did run into trouble because because of a typo or mistake
the best remote admin tool was "the car". :-)
"What is the best remote admin tool for Windows Not Today"?
Answer: "a car". :-)
Anyway, forgive me.