Subject: Re: pf doesn't start normally anymore
To: Peter Postma <>
From: Adrian Portelli <>
List: tech-security
Date: 08/12/2005 11:57:39
Peter Postma wrote:

> I think that I know what's wrong. When /etc/rc.d/pf is executed, wm0
> doesn't have an IP address yet. So the rule parsing fails here:
> "from any to $ext_if", $ext_if should resolve to IP address(es) but wm0
> doesn't have an address so this fails. You'll probably see the message:
> "no IP address found for wm0".


I may be missing something here and I have not fully tested this yet but
could you just write ($ext_if) instead of $ext_if ?

So the new rule would look like this:

pass in on $ext_if inet proto tcp from any \
to ($ext_if) port 55000 >< 57000 user proxy \
flags S/SA keep state

Which sees the rule in full as:

@0 pass in on fxp0 inet proto tcp from any to (fxp0:*) port 55000 ><
57000 user = 1000 flags S/SA keep state

This is a hack for NAT and DHCP which causes pf to evaluate the IP
address on the fly as opposed to just at load time.  So, in theory, when
the network does come up and you do get an ip address on $if_ext pf
should notice this.  The above rule seems to parse OK for filtering.  I
just have not tried this in a live environment to see if it works.

Might be worth a try.