Subject: Re: pf doesn't start normally anymore
To: None <tech-security@NetBSD.org>
From: Peter Postma <firstname.lastname@example.org>
Date: 08/12/2005 13:06:48
On Fri, Aug 12, 2005 at 11:57:39AM +0100, Adrian Portelli wrote:
> Peter Postma wrote:
> > I think that I know what's wrong. When /etc/rc.d/pf is executed, wm0
> > doesn't have an IP address yet. So the rule parsing fails here:
> > "from any to $ext_if", $ext_if should resolve to IP address(es) but wm0
> > doesn't have an address so this fails. You'll probably see the message:
> > "no IP address found for wm0".
> I may be missing something here and I have not fully tested this yet, but
> could you just write ($ext_if) instead of $ext_if?
> So the new rule would look like this:
> pass in on $ext_if inet proto tcp from any \
> to ($ext_if) port 55000 >< 57000 user proxy \
> flags S/SA keep state
> Which sees the rule in full as:
> @0 pass in on fxp0 inet proto tcp from any to (fxp0:*) port 55000 ><
> 57000 user = 1000 flags S/SA keep state
> This is a hack for NAT and DHCP which causes pf to evaluate the IP
> address on the fly as opposed to just at load time. So, in theory, when
> the network does come up and you do get an IP address on $ext_if pf
> should notice this. The above rule seems to parse OK for filtering. I
> just have not tried this in a live environment to see if it works.
I agree that this would be better here, but it should also work without
the parentheses, i.e. if you use static IPs.
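For reference, the two forms discussed above side by side in a pf.conf fragment. This is an added example, not a file from the thread or from NetBSD; the interface name wm0, the port range and the rule are taken from the messages above, while the rc ordering comment and the `:0` modifier are my additions.

```pf
# Added example pf.conf fragment (not from the original thread).
ext_if = "wm0"            # assumed external interface, adjust as needed

# Fragile form: $ext_if in a host position is expanded to the interface's
# address(es) when the ruleset is LOADED. If /etc/rc.d/pf runs before the
# interface has an address (DHCP lease not yet obtained, network brought
# up later in the boot), the whole ruleset fails to load with
# "no IP address found for wm0" and the box is left without filtering.
#
# pass in on $ext_if inet proto tcp from any to $ext_if \
#     port 55000 >< 57000 flags S/SA keep state

# Robust form: an interface name in parentheses is resolved when the rule
# is EVALUATED, so the ruleset loads even while wm0 has no address and the
# rule follows later address changes (e.g. a new DHCP lease). The :0
# modifier restricts the match to the interface's primary address and
# excludes aliases; drop it if aliases should be matched too.
pass in on $ext_if inet proto tcp from any to ($ext_if:0) \
    port 55000 >< 57000 flags S/SA keep state
```

To check a ruleset without loading it, run `pfctl -nf /etc/pf.conf`. Address resolution happens at parse time, so running that check while wm0 has no address reproduces the "no IP address found" failure for the commented-out fragile rule, while the parenthesized rule parses regardless of the interface state. With a static address on wm0 both forms load, as the reply above notes; the parenthesized form simply removes the dependency on rc ordering.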