fbsd 6.2 pf starts -- but not on boot

David DeSimone fox at verio.net
Tue Jun 5 23:44:56 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Volker <volker at vwsoft.com> wrote:
>
> pass in on bla0 from any to bla0
> 
> which will all require pf to get the interface's IP address and all
> will fail if that interface does not yet exist...

Ah, here you are correct, but the reasons are subtle:  The above rule
will fail to load because "bla0" cannot be matched as an interface name,
therefore it will be looked up as a hostname, and if DNS/hosts cannot
resolve it to an IP, the ruleset will fail to load.  Not because the
interface doesn't exist, but because the interface name gets confused
for a hostname.

If, instead, you use the dynamic form of the rule:

    pass in on bla0 from any to (bla0)

This succeeds in loading.  The rule will cause bla0 to be checked for
existence whenever the rule is matched, and the IP for the interface
will be looked up at rule-eval time, and it should do what is needed.

Since the "on bla0" clause should fail to match as long as there is no
such interface, this should work fine.

> The case becomes worse if the interface DOES exist but still has
> no IP address (read this as a big fat warning). When using a rule like
> 
> pass in on bla0 from any to bla0
> 
> but the interface bla0 does not have an IP address, pf will parse this as
> 'pass in on bla0 from 0.0.0.0/0 to 0.0.0.0/0'

Hmm, I am not able to demonstrate this.  When I perform the above, I get
the following warning from pfctl (here using one of my existing IP-less
interfaces, dc1):

    no IP address found for dc1
    pf.conf:68: could not parse host specification
    pfctl: Syntax error in config file: pf rules not loaded

Nevertheless, a rule like "pass in on dc1 from any to dc1" would
certainly pass all traffic in, so it seems like even THAT is a wide-open
rule.  Also, if dc1 has no IP, then it is not likely to be receiving
traffic (it will not answer ARP), so the "on dc1" clause is not likely
to match.

You are correct that there are cases where the existence of an interface
can affect whether a ruleset will load.  However, the use of dynamic IP
syntax (which seems a "best practice" in my mind, anyway) seems to avoid
this condition nicely, among the other benefits it provides.

- -- 
David DeSimone == Network Admin == fox at verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous."  -- Robert Benchley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGZfV1FSrKRjX5eCoRAgkdAJ9xybGAe5RwWysSz6au5AjlrKiSmACcDBFU
sNmuQt8E10ErkeBDqpg0UBU=
=Qwnl
-----END PGP SIGNATURE-----
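The two rule forms discussed in the thread, side by side in a pf.conf fragment (an added example, not taken from David's or Volker's messages; "bla0" is the placeholder interface name from the thread and /etc/pf.conf is an assumed path):

```pf
# Added example, not from the original post. "bla0" is the placeholder
# interface name used in the thread; substitute a real interface.

# Static form: "bla0" after "to" is translated to an address when the
# ruleset is LOADED.
#  - If no interface named bla0 exists, pfctl treats "bla0" as a hostname
#    and tries DNS/hosts; an unresolvable name aborts the whole load.
#  - If bla0 exists but has no address yet (e.g. DHCP still pending at
#    boot), pfctl reports "no IP address found for bla0" and refuses the
#    ruleset ("pf rules not loaded").
# Either way nothing loads, so this form stays commented out:
#pass in on bla0 from any to bla0

# Dynamic form: the parentheses defer the address lookup to rule-evaluation
# time. The ruleset loads even if bla0 is absent or address-less at boot,
# and the rule tracks the interface's current address once it comes up.
# While no such interface exists, the "on bla0" clause simply never matches.
pass in on bla0 from any to (bla0)
```

Parse the file without loading it with "pfctl -nf /etc/pf.conf"; with the static line uncommented and bla0 missing or address-less you get the error above, with only the dynamic line it parses cleanly. After loading, "pfctl -sr" shows the dynamic rule with "(bla0)" intact rather than an address substituted at load time, which is what lets it survive an interface that appears or gets its address after pf starts.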


More information about the freebsd-pf mailing list