PF hostname resolution bug with unbound_local

patpro

I run a FreeBSD 10.3-RELEASE-p14 server with a PF firewall. A few days ago I activated the local unbound server for caching purposes.

My pf rules were created a few years ago and work well. They include some persistent table definitions with either IP addresses or hostnames or both:

Code:
table <admin_nets> persist { ... }
table <webspam> persist file "/etc/pf.liste_ip_webspam"
table <mysql_servers> persist { ... }
...

After setting local_unbound_enable to YES in rc.conf, I didn't notice immediately that pf could no longer parse pf.conf:

Code:
# pfctl -f /etc/pf.conf
no IP address found for host.example.net
/etc/pf.conf:8: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
Very weird.
My resolv.conf is:

Code:
search example.net
nameserver 127.0.0.1
options edns0
And command-line host resolution worked great (as it did in any other software, in fact).
I switched back to my previous DNS IPs:

Code:
search example.net
nameserver IP1.FOR.MY.DNS
nameserver IP2.FOR.MY.DNS
And suddenly pfctl was happy again loading my original pf.conf file:

Code:
# pfctl -f /etc/pf.conf 
(no error)

I think I've hit a bug, but I'm not certain. Any comments?
 

SirDice

Administrator

Not a bug, just an order issue. PF can't resolve the hostname because unbound isn't started yet. I suggest not using hostnames in the firewall rules.
 
patpro (OP)

Nope. I'm talking about a fully started OS; unbound is already running (in fact I have never rebooted since I activated the local unbound). As I wrote, host resolution works OK (curl, ping, host, dig…), but when trying to reload the pf rules, pfctl fails if resolv.conf uses the local unbound.
 

SirDice

Administrator

Looking at the error again, the "no IP address found" appears to be a red herring. What's line 8 in /etc/pf.conf? Looks like there's a syntax error there.
 
patpro (OP)

Nope, no error; it works perfectly when unbound is not my resolver. As I wrote in my first post, it has been working for years. Line 8 is a table like those shown as examples, including IP addresses and domain names, for example:

Code:
table <ldapservers> persist { ldap.example.net 192.168.0.15 ldap2.example.net }
If unbound is my local resolver, host resolution works great everywhere except in pf.
pfctl fails to load pf.conf because it claims to be unable to resolve ldap.example.net.

If I change my resolv.conf to use external DNS (those used as forwarders in my unbound config), pfctl properly loads the same pf.conf file.
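A pre-flight check for exactly this situation, added here as an example and not code posted in the thread: it lists the hostnames used inside single-line `table <x> persist { ... }` entries, resolves each one through getent(1) (which goes through the libc resolver, the same path pfctl takes, whereas dig/host carry their own resolver code and so can succeed where pfctl fails), and then parse-checks the ruleset with `pfctl -n -f`. The sample table lines, the temp file path and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight for pf rule reloads:
# list the hostnames inside single-line "table <x> persist { ... }" entries,
# resolve each with getent(1) (libc getaddrinfo(3), the same path pfctl uses,
# whereas dig/host carry their own resolver), then dry-run pfctl -n -f.

# Print hostnames found in inline table definitions of the file given as $1.
# IPv4/IPv6 addresses and CIDR blocks are dropped; a leading "!" is stripped.
pf_table_hostnames() {
    sed -n 's/^[[:space:]]*table[[:space:]]*<[^>]*>.*{\([^}]*\)}.*/\1/p' "$1" \
      | tr ',' ' ' | tr -s ' \t' '\n\n' | sed 's/^!//' | grep -v '^$' \
      | grep -Ev '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$' \
      | grep -Ev '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]+)?$'
}

# Try to resolve every hostname through the system resolver. Returns 0 if all
# resolved, 1 if any failed (each result is listed on stdout).
pf_check_resolution() {
    rc=0
    for h in $(pf_table_hostnames "$1"); do
        if getent hosts "$h" >/dev/null 2>&1; then
            echo "ok      $h"
        else
            echo "FAILED  $h"
            rc=1
        fi
    done
    return $rc
}

# Full pre-flight: resolution check, then a parse-only load of the ruleset.
pf_preflight() {
    pf_check_resolution "$1" || return 1
    pfctl -n -f "$1"
}

# Constructed sample resembling the tables discussed in the thread, written to
# a temp file so the functions above can be exercised without touching /etc.
write_sample_conf() {
    f="${TMPDIR:-/tmp}/pf.conf.sample.$$"
    cat > "$f" <<'EOF'
table <ldapservers> persist { ldap.example.net 192.168.0.15 ldap2.example.net }
table <admin_nets> persist { 10.0.0.0/8, !10.0.0.1, 2001:db8::/32, host.example.net }
table <webspam> persist file "/etc/pf.liste_ip_webspam"
EOF
    echo "$f"
}

if [ $# -gt 0 ]; then pf_preflight "$1"; fi
```

Run it as `sh pf-preflight.sh /etc/pf.conf` with resolv.conf pointing at 127.0.0.1: a `FAILED` line reproduces the thread's symptom without touching the loaded ruleset.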
 