Date: Mon, 2 Jul 2018 16:44:32 +0200
From: "Felix J. Ogris" <fjo-lists@ogris.de>
To: freebsd-pf@freebsd.org
Subject: pf reload/resync and skipped interface groups on 11.2-RELEASE
Message-ID: <51A8A900-32B4-47A0-99D9-F02B31D2C735@ogris.de>
Hi,

this is a fresh install of 11.2-RELEASE amd64 with a minimal pf rule set. After the first reload/resync, any traffic on an interface that is skipped via an interface group statement in pf.conf is rejected:

root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.038 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.038/0.038/0.038/0.000 ms
root@fbsd:~ # service pf reload
Reloading pf rules.
root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

A second reload restores the expected behaviour:

root@fbsd:~ # service pf reload
Reloading pf rules.
root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.021 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.021/0.021/0.021/0.000 ms

My /etc/pf.conf:

root@fbsd:~ # cat /etc/pf.conf
set skip on lo
block
pass in inet proto tcp to port 22

Active rule set in either case:

root@fbsd:~ # pfctl -s rules
block drop all
pass in inet proto tcp from any to any port = ssh flags S/SA keep state

If I change “set skip on lo” to “set skip on lo0” in /etc/pf.conf, reload behaves fine.

/etc/rc.d/ppp does a “/etc/rc.d/pf quietresync” in its poststart() routine.

BR,
Felix
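The report above turns on whether "set skip on" names an interface group (lo) or a concrete interface (lo0). The following is an added pf.conf check, not code from the original post: it lists every name in "set skip on" statements that looks like a group rather than an interface, so a configuration susceptible to the reload behaviour described can be flagged before deployment. It assumes the FreeBSD naming convention that interface names end in a unit number (lo0, em1) while group names do not (lo, em); the sample configuration is constructed for this example.

```shell
#!/bin/sh
# Added check (not from the original report). Heuristic assumption: on FreeBSD
# an interface name ends in a unit number (lo0, em1), a group name does not
# (lo, em, egress). Names in "set skip on" without a trailing digit are
# therefore reported as interface groups.

# Print each group name used in "set skip on" lines of the pf.conf given as $1.
# Handles "set skip on lo", "set skip on { lo0, lo1 }" and trailing comments.
pf_skip_groups() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        /^[ \t]*set[ \t]+skip[ \t]+on[ \t]/ {
            sub(/^[ \t]*set[ \t]+skip[ \t]+on[ \t]+/, "")
            gsub(/[{},]/, " ")                      # "{ lo0, lo1 }" -> " lo0  lo1 "
            n = split($0, names, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (names[i] != "" && names[i] !~ /[0-9]$/)
                    print names[i]
        }' "$1"
}

# Return 0 when only concrete interfaces are skipped, 1 when a group is named.
pf_skip_check() {
    groups=$(pf_skip_groups "$1")
    if [ -n "$groups" ]; then
        printf '%s: "set skip on" names interface group(s): %s\n' \
            "$1" "$(printf '%s' "$groups" | tr '\n' ' ')"
        return 1
    fi
    printf '%s: only concrete interfaces are skipped\n' "$1"
    return 0
}

# Constructed sample matching the configuration in the report.
sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
set skip on lo   # interface group, not lo0
block
pass in inet proto tcp to port 22
EOF
if pf_skip_check "$sample"; then :; fi
rm -f "$sample"
```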