Subject: Re: pf doesn't start normally anymore
To: Peter Postma <peter@pointless.nl>
From: Mipam <mipam@ibb.net>
List: tech-security
Date: 08/11/2005 23:31:58
Thanks for the patch, it works fine now.
First dhclient is running etc. and pf runs at once without problems like
before, so you're right, the problem was using $ext_if where it refers to
wm0 in my case. Security-wise there is a very small window indeed, but then
you'd require everybody to possess static IPs and assume everybody who uses
dhcp to obtain an IP is already behind a protected firewall.
Unfortunately, with xDSL etc. this ain't always the case. This patch is a
trade-off I guess between the previous pf script and the strict one
now. When using ipf, I use a script to obtain the IP and parse it into
the ruleset using perl or sed and then load ipf. To get this working
with the rc.d ipf script I used bogus IPs to get ipf running before
networking and replaced the bogus IPs as described before with the IP
obtained from dhcp and then loaded ipf rules again. Bye,

Mipam.

On Thu, 11 Aug 2005, Peter Postma wrote:

> On Thu, Aug 11, 2005 at 06:41:23PM +0200, Mipam wrote:
> > Hi Peter,
> > 
> > Thanks for your reply.
> > Here is my ruleset, very simple one btw. :-)
> > I hope you'll find what might be the problem.
> 
> I think that I know what's wrong. When /etc/rc.d/pf is executed, wm0
> doesn't have an IP address yet. So the rule parsing fails here:
> "from any to $ext_if", $ext_if should resolve to IP address(es) but wm0
> doesn't have an address so this fails. You'll probably see the message:
> "no IP address found for wm0".
> 
> So, we should start pf after the network is up, then everything should
> be fine. Please try the attached patch.
> 
> -- 
> Peter Postma
>
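The substitution approach Mipam describes (a bogus placeholder address in the ruleset, replaced with the DHCP-assigned address once the interface is up, then the rules reloaded), as an added shell example that is not part of this thread or of the NetBSD rc.d scripts. It assumes the external interface is wm0, that the template uses the literal placeholder 192.0.2.1, that ifconfig(8) prints an "inet <addr> ..." line as in the constructed sample below, and that pf is the firewall (so the load step is pfctl -n -f for a syntax check followed by pfctl -f). The function name load_rules is a hypothetical name, not an rc.d hook; the demonstration at the bottom runs only against the constructed samples and never calls pfctl.

```shell
#!/bin/sh
# Added example, not from the thread: fill a pf ruleset template with the
# IPv4 address an interface got from dhclient, then load it with pfctl.
# Assumptions (not from the thread): the template uses the literal
# placeholder 192.0.2.1 as its "bogus" address, the external interface is
# wm0, and ifconfig(8) prints an "inet <addr> ..." line as in the sample.

PLACEHOLDER=192.0.2.1

# Constructed sample of ifconfig wm0 output after dhclient assigned a lease.
SAMPLE_IFCONFIG='wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:11:22:33:44:55
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 198.51.100.23 netmask 0xffffff00 broadcast 198.51.100.255
        inet6 fe80::211:22ff:fe33:4455%wm0 prefixlen 64 scopeid 0x1'

# Constructed sample of the same interface before dhclient finished: no inet
# line, which is the state in which $ext_if cannot be resolved at pf startup.
SAMPLE_IFCONFIG_NOADDR='wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:11:22:33:44:55
        inet6 fe80::211:22ff:fe33:4455%wm0 prefixlen 64 scopeid 0x1'

# Constructed ruleset template; the placeholder stands for wm0's own address.
TEMPLATE='ext_if = "wm0"
block in on $ext_if all
pass in on $ext_if proto tcp from any to 192.0.2.1 port 22 keep state
pass out on $ext_if all keep state'

# Print the first IPv4 address found in ifconfig-style text read from stdin.
# Prints nothing and returns 1 when there is no inet line yet.
first_inet_addr() {
    addr=$(awk '$1 == "inet" { print $2; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Replace every occurrence of the placeholder ($1) with the real address ($2)
# in the template read from stdin. The address is validated first so nothing
# unexpected reaches the sed expression, and the placeholder's dots are
# escaped so sed matches them literally.
fill_template() {
    case $2 in
        *[!0-9.]*|'') echo "fill_template: bad address '$2'" >&2; return 1 ;;
    esac
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed "s/$pat/$2/g"
}

# Generate the ruleset for a live interface and load it. Refuses to load
# while the interface still has no address, so that state is reported
# instead of leaving pf with whatever was loaded before.
# load_rules is a hypothetical name, not an rc.d hook.
load_rules() {   # $1 = interface, $2 = template file
    addr=$(ifconfig "$1" | first_inet_addr) || {
        echo "load_rules: no IPv4 address on $1 yet, not loading rules" >&2
        return 1
    }
    tmp=$(mktemp) || return 1
    fill_template "$PLACEHOLDER" "$addr" < "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Syntax-check the generated file first, then load it.
    if pfctl -n -f "$tmp" && pfctl -f "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Demonstration on the constructed samples only (no pfctl is run here).
if addr=$(printf '%s\n' "$SAMPLE_IFCONFIG" | first_inet_addr); then
    printf '%s\n' "$TEMPLATE" | fill_template "$PLACEHOLDER" "$addr"
fi
printf '%s\n' "$SAMPLE_IFCONFIG_NOADDR" | first_inet_addr \
    || echo "demo: no address on wm0 yet, rules would not be loaded" >&2
```

Run as `load_rules wm0 /etc/pf.conf.template` from a dhclient hook or after the network has come up; the refusal path is the same condition Peter describes ("no IP address found for wm0"), just made explicit before pfctl is ever invoked. For rules that only need the interface's own address, pf.conf(5) also accepts the interface name in parentheses, `($ext_if)`, which makes pf re-resolve the address whenever it changes and removes the need for the substitution step.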