Date:      Thu, 30 Apr 2015 11:20:32 +0200
From:      Hans Ottevanger <hans@beastielabs.net>
To:        Doug Niven <dniven@ucsc.edu>, freebsd-questions@freebsd.org
Subject:   Re: PF not loading at boot time
Message-ID:  <5541F3E0.1070602@beastielabs.net>
In-Reply-To: <7B5CA749-D7EF-4A2F-9FA0-E3ADF3E5ADDF@ucsc.edu>
References:  <7B5CA749-D7EF-4A2F-9FA0-E3ADF3E5ADDF@ucsc.edu>

On 04/30/15 05:35, Doug Niven wrote:
> I've got a PF anchor referenced in my /etc/pf.conf file here:
>
>      table <goodguys> { 111.222.0.0/16, 222.222.0.0/16 }
>      block in proto tcp from any to any port 22
>      pass in on en0 proto tcp from <goodguys> to en0 port 22 flags S/SA keep state
>
> But while the /etc/pf.conf file loads fine manually, it does not load at boot, generating the following error in my log:
>
>      no IP address found for en0
>      /etc/pf.anchors/my-anchor:6: could not parse host specification
>      pfctl: Syntax error in config file: pf rules not loaded
>
> I suspect this is because at the time PF loads at boot, en0 doesn't yet have an IP address or network state.
>
> Is there any other way I might be able to write this rule to avoid this problem?
>

Put parentheses around en0 in every place where an IP address is 
expected. That will postpone the usage of the IP address of en0 until 
the actual evaluation of the rule (when a packet is processed).

So in your case:

pass in on en0 proto tcp from <goodguys> to (en0) port 22 flags S/SA keep state

> Thanks in advance,
>
> Doug
>

Kind regards,

Hans
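For readers who want to see the whole picture, here is a complete main ruleset and anchor file that apply Hans's advice. This is an added example and not code from Hans's reply or from Doug's message; it assumes the anchor name and path shown in Doug's error output (/etc/pf.anchors/my-anchor) and the table addresses he quoted, while the ext_if macro and the comments are assumptions of this example.

```pf
# /etc/pf.conf (added example; main ruleset that loads Doug's anchor)
ext_if = "en0"

# The anchor file is parsed at the same time as this file, so any
# address lookup inside it also has to survive an unconfigured en0.
anchor "my-anchor"
load anchor "my-anchor" from "/etc/pf.anchors/my-anchor"

# /etc/pf.anchors/my-anchor (added example)
table <goodguys> { 111.222.0.0/16, 222.222.0.0/16 }

# Default-deny for SSH; the later pass rule wins by last-match.
block in proto tcp from any to any port 22

# Fragile at boot: a bare interface name in an address position is
# resolved to its IP address when pfctl parses the file, which fails
# with "no IP address found for en0" if en0 has no address yet.
# pass in on $ext_if proto tcp from <goodguys> to $ext_if port 22 flags S/SA keep state

# Boot-safe: "(en0)" is resolved when a packet is evaluated, not at
# parse time, and it tracks later address changes (DHCP renewals,
# added aliases) without a ruleset reload. "on $ext_if" needs no
# parentheses, since that position matches the interface, not an address.
pass in on $ext_if proto tcp from <goodguys> to ($ext_if) port 22 flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`. Note that this dry run will also succeed for the fragile form on a running system, because en0 already has an address there; the parenthesized form is what makes the parse independent of the interface state at boot. If a packet arrives while the interface still has no address, the dynamic rule simply matches nothing and the preceding block rule applies, so the failure mode is closed rather than open. Where en0 carries alias addresses, pf.conf(5) documents the `($ext_if:0)` modifier to restrict the lookup to the primary address.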