From: Volker (volker@vwsoft.com)
Date: Wed, 06 Jun 2007 11:47:36 +0200
To: David DeSimone
Cc: freebsd-pf@freebsd.org
Subject: Re: fbsd 6.2 pf starts -- but not on boot
Message-ID: <466682B8.1010800@vwsoft.com>
In-Reply-To: <20070605234453.GB14693@verio.net>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

David,

On 06/06/07 01:44, David DeSimone wrote:
> Volker wrote:
>> pass in on bla0 from any to bla0
>
>> which will all require pf to get the interface's IP address and all
>> will fail if that interface does not yet exist...
>
> Ah, here you are correct, but the reasons are subtle: The above rule
> will fail to load because "bla0" cannot be matched as an interface name,
> therefore it will be looked up as a hostname, and if DNS/hosts cannot
> resolve it to an IP, the ruleset will fail to load. Not because the
> interface doesn't exist, but because the interface name gets confused
> for a hostname.

Agreed. In my words, that interface does not exist, so pf can't get its IP address, but your wording is probably the better and technically correct one (I didn't look for this specific detail in the sources, whether pf really tries to resolve it as a hostname using a gethostbyname call).

> If, instead, you use the dynamic form of the rule:
>
> pass in on bla0 from any to (bla0)
>
> This succeeds in loading. The rule will cause bla0 to be checked for
> existence whenever the rule is matched, and the IP for the interface
> will be looked up at rule-eval time, and it should do what is needed.
>
> Since the "on bla0" clause should fail to match as long as there is no
> such interface, this should work fine.

OK, I forgot to write about run-time evaluation of rules. Probably I should stop spamming this list if I'm not writing about every possibility.

>> The case becomes worse if the interface DOES exist but still has
>> no IP address (read this as a big fat warning). When using a rule like
>
>> pass in on bla0 from any to bla0
>
>> but the interface bla0 does not have an IP address, pf will parse this as
>> 'pass in on bla0 from 0.0.0.0/0 to 0.0.0.0/0'
>
> Hmm, I am not able to demonstrate this. When I perform the above, I get
> the following warning from pfctl (here using one of my existing IP-less
> interfaces, dc1):
>
> no IP address found for dc1
> pf.conf:68: could not parse host specification
> pfctl: Syntax error in config file: pf rules not loaded
>
> Nevertheless, a rule like "pass in on dc1 from any to dc1" would
> certainly pass all traffic in, so it seems like even THAT is a wide-open
> rule. Also, if dc1 has no IP, then it is not likely to be receiving
> traffic (it will not answer ARP), so the "on dc1" clause is not likely
> to match.
>
> You are correct that there are cases where the existence of an interface
> can affect whether a ruleset will load. However, the use of dynamic IP
> syntax (which seems a "best practice" in my mind, anyway) seems to avoid
> this condition nicely, among the other benefits it provides.

Also, I forgot to write about altq. If an interface does not yet exist, pf fails to load rules when trying to use altq queueing. That will give a 'SIOCGIFMTU device not configured' error message. And using 'set loginterface ...' on a not-yet-existing interface will give an error.

The causes of problems like these are manifold, but all stem from an interface that does not yet exist at load time. Some can surely be worked around cleanly.

Sorry for not being totally technically correct and not checking with the sources in my postings sometimes, and sorry for not writing about every possible cause of a problem every time. As a first shot, I'll most likely hit the most likely causes.

Volker
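As an added pf.conf fragment (not part of the thread), here are the load-time-fragile forms discussed above next to the dynamic form David recommends; "bla0" is the thread's placeholder interface name and the altq queue definition is an assumed illustration.

```pf
# Added example, not from the original thread. Interface "bla0" is a
# placeholder that may not exist (or may have no address) when pf loads.

# Fragile: the second "bla0" is an address operand and is resolved when
# the ruleset is loaded. With the interface absent, pfctl tries it as a
# hostname; with the interface present but address-less, pfctl reports
# "no IP address found for bla0" and the whole ruleset fails to load.
# pass in on bla0 from any to bla0

# Robust: the parenthesised form defers the address lookup to rule
# evaluation time, so the ruleset loads before bla0 is configured and
# the rule simply does not match until the interface is up.
pass in on bla0 from any to (bla0)

# The same dynamic syntax also works for the interface's network.
pass out on bla0 from (bla0:network) to any

# Still load-time fragile, as noted in the thread: altq on a missing
# interface fails with "SIOCGIFMTU device not configured", and
# "set loginterface" on a missing interface errors out. Both are
# commented out here because they cannot use the dynamic form.
# altq on bla0 cbq bandwidth 10Mb queue { std }   # assumed queue layout
# set loginterface bla0
```

Checking the file with `pfctl -nf /etc/pf.conf` before a reboot shows which of these lines will refuse to load while the interface is absent.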