From: Hans Ottevanger
To: Doug Niven, freebsd-questions@freebsd.org
Date: Thu, 30 Apr 2015 11:20:32 +0200
Subject: Re: PF not loading at boot time
Message-ID: <5541F3E0.1070602@beastielabs.net>
In-Reply-To: <7B5CA749-D7EF-4A2F-9FA0-E3ADF3E5ADDF@ucsc.edu>
List: freebsd-questions@freebsd.org (User questions)

On 04/30/15 05:35, Doug Niven wrote:
> I've got a PF anchor referenced in my /etc/pf.conf file here:
>
> table { 111.222.0.0/16, 222.222.0.0/16 }
> block in proto tcp from any to any port 22
> pass in on en0 proto tcp from to en0 port 22 flags S/SA keep state
>
> But while the /etc/pf.conf file loads fine manually, it does not load at
> boot, generating the following error in my log:
>
> no IP address found for en0
> /etc/pf.anchors/my-anchor:6: could not parse host specification
> pfctl: Syntax error in config file: pf rules not loaded
>
> I suspect this is because at the time PF loads at boot, en0 doesn't yet
> have an IP address or network state.
>
> Is there any other way I might be able to write this rule to avoid this
> problem?
>

Put parentheses around en0 in every place where an IP address is expected.
That will postpone the usage of the IP address of en0 until the actual
evaluation of the rule (when a packet is processed). So in your case:

pass in on en0 proto tcp from to (en0) port 22 flags S/SA keep state

> Thanks in advance,
>
> Doug
>

Kind regards,

Hans
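The failing and the corrected forms of the rule side by side, as an added example that is not part of the original thread. It assumes a table name, <admins>, since the table name did not survive in the quoted post; the networks, the interface name en0 and the SSH port are taken from the post. The difference between the two pass rules is only the parentheses around the interface name, which is what moves address lookup from ruleset load time to packet evaluation time:

```pf
# Added example (not from the original post). Table name <admins> is an
# assumption; en0 and the networks are the ones used in the thread.

table <admins> { 111.222.0.0/16, 222.222.0.0/16 }

# Default: nobody reaches sshd. pf uses last-matching-rule semantics, so
# the more specific pass rule below overrides this for table members.
block in proto tcp from any to any port 22

# Fails at boot: a bare interface name in an address position is expanded
# to its address(es) when pfctl loads the ruleset. If en0 has no address
# yet, pfctl reports "no IP address found for en0" and aborts the load.
#pass in on en0 proto tcp from <admins> to en0 port 22 flags S/SA keep state

# Works at boot: "(en0)" keeps the interface name in the loaded rule and
# pf substitutes whatever address en0 has when a packet is evaluated, so
# the rule also follows later address changes (for example via DHCP).
pass in on en0 proto tcp from <admins> to (en0) port 22 flags S/SA keep state

# Tighter variant: ":0" excludes interface aliases, so the rule matches
# only the primary address of en0 rather than every address configured on
# it, including aliases added after the ruleset was loaded.
#pass in on en0 proto tcp from <admins> to (en0:0) port 22 flags S/SA keep state
```

Before enabling this at boot, parse the file without loading it with pfctl -nf /etc/pf.conf; note that the non-parenthesized form still resolves the interface address during this check, so running it while en0 is down reproduces the boot-time error, which is a convenient way to confirm the fix. Once loaded, pfctl -sr shows the parenthesized rule with the interface name retained, whereas the bare form shows the address it was expanded to at load time.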