[Solved] Load pf after dhcp on boot

Hi FreeBSD community!


Just a weird issue with pf, and I can't find an answer or a solution...

Here's my /etc/rc.conf:
Code:
hostname="XXXXX"
keymap="fr.acc"
ifconfig_em0="DHCP"
sshd_enable="YES"
devmatch_enable="NO"
sendmail_enable="NONE"
ntpd_enable="YES"
smtpd_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pf"

And here's my /etc/pf.conf:
Code:
int_if = "lo0"
ext_if = "em0"
icmp_types = "{ echoreq unreach }"

table <ips-banned>          persist file "/var/log/ips-banned"
table <ips-work>            persist file "/etc/ips-work"
table <ips-ssh-violations>  persist file "/var/log/ips-ssh-violations"

set block-policy drop
set fingerprints "/etc/pf.os"

set skip on lo0
scrub in all

antispoof quick log for { lo0 $ext_if }

block in all
block out all

pass in quick proto { tcp, udp } from { <ips-work> } to any
pass out quick proto { tcp, udp } from $ext_if to any

block drop in quick from <ips-ssh-violations> to any
block in quick log proto icmp from <ips-banned>
block in quick log proto tcp from <ips-banned> to port { 22, 25 }

pass inet proto icmp icmp-type $icmp_types
pass in on $ext_if proto tcp from any to $ext_if port 22 \
        flags S/SA keep state ( max-src-conn 20, max-src-conn-rate 15/5, \
        overload <ips-banned> flush global)

After a reboot, pf is launched:
service pf status
Code:
Status: Enabled for 0 days 00:07:19           Debug: Urgent

State Table                          Total             Rate
  current entries                        0             
  searches                            5103           11.6/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                               5103           11.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                             10            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

However, my tables are not loaded:
pfctl -T show -t ips-work
Code:
pfctl: Table does not exist.

And, if I reload pf:
service pf reload
Code:
Reloading pf rules

Now, my tables are loaded:
pfctl -T show -t ips-work
Code:
XX.XX.XX.XX
XX.XX.XX.XX
XX.XX.XX.XX
XX.XX.XX.XX
XX.XX.XX.XX

Do you see an issue? Why should I have to reload pf after the boot? Why are my tables not loaded on boot?

Thanks a lot for your responses and advice.

Regards,

ssbear
 
Hum... here's a dmesg -a:
Code:
Starting pflog.
pflog0: promiscuous mode enabled
Enabling pf2021-07-06T16:25:37.139308+02:00 XXX.XXX.TLD pflogd 489 - - [priv]: msg PRIV_OPEN_LOG received
no IP address found for em0
/etc/pf.conf:27: could not parse host specification
no IP address found for em0
/etc/pf.conf:35: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
Waiting 30s for the default route interface:
em0: link state changed to UP

So, it seems the issue is that pf is loaded before dhcp, right? Do you know a solution to avoid this and launch pf afterwards?

Regards,

ssbear
 
Two solutions:

  1. Change ifconfig_em0="DHCP" to ifconfig_em0="SYNCDHCP". That will wait until the interface actually receives an IP address before continuing the boot process.
  2. Change this rule:
    Code:
    pass out quick proto { tcp, udp } from $ext_if to any
    to
    Code:
    pass out quick proto { tcp, udp } from ($ext_if) to any
    The ($ext_if) will dynamically resolve the interface's IP address, which is useful with DHCP as the IP can change.
    Same with this line:
    Code:
    pass in on $ext_if proto tcp from any to $ext_if port 22 \
 
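Added example, not from the thread or from either poster: the two failing rules and their corrected form side by side, plus a small static check that flags an interface macro used as a bare address after `from` or `to` (the form pfctl resolves at load time and rejects with "no IP address found" when dhclient has not configured the interface yet), while leaving `on $ext_if` alone, since there the macro names an interface rather than an address. The rule text below is a constructed copy of the lines from the thread; `ORIG_RULES`, `FIXED_RULES` and `lint_bare_if_addr` are names chosen here, and the check is a line-oriented approximation (it does not parse brace lists or macros nested in other macros).

```shell
#!/bin/sh
# Added example (not the original poster's or responder's code).
# Shows the boot-ordering fix for pf rules that embed an interface's address,
# and a quick static check to catch such rules before rebooting.

# Original rules from the thread (constructed copy of the failing lines).
# $ext_if as a bare address is expanded by pfctl when the ruleset is loaded,
# so it fails if em0 has no address yet (pf starts before dhclient finishes).
ORIG_RULES='ext_if = "em0"
pass out quick proto { tcp, udp } from $ext_if to any
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state'

# Corrected rules: ($ext_if) is resolved by pf at packet time, so the ruleset
# loads even before em0 has a lease and keeps following lease changes.
# "on $ext_if" stays unparenthesised: it selects the interface, not an address.
# Use ($ext_if:0) instead if you want to exclude interface aliases.
FIXED_RULES='ext_if = "em0"
pass out quick proto { tcp, udp } from ($ext_if) to any
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state'

# The complementary rc.conf change (hypothetical file, same effect as the
# thread's option 1): make dhclient synchronous so pf starts after the lease.
#   ifconfig_em0="SYNCDHCP"

# lint_bare_if_addr RULESET MACRO
# Prints each rule line where "$MACRO" appears as a bare address right after
# "from" or "to". Returns 0 if nothing is flagged, 1 otherwise.
lint_bare_if_addr() {
    printf '%s\n' "$1" | awk -v m="$2" '
        /^[[:space:]]*#/ { next }              # skip comments
        {
            for (i = 1; i < NF; i++) {
                if (($i == "from" || $i == "to") && $(i + 1) == "$" m) {
                    print "line " NR ": bare $" m " after \"" $i "\": " $0
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

echo "== original rules =="
lint_bare_if_addr "$ORIG_RULES" ext_if || echo "-> would fail to load at boot if em0 has no address yet"
echo "== corrected rules =="
lint_bare_if_addr "$FIXED_RULES" ext_if && echo "-> loads regardless of whether em0 has an address"
```

The check is only a pre-flight; the authoritative test on the host is `pfctl -nf /etc/pf.conf`, which parses the ruleset without loading it and reports the same "could not parse host specification" errors seen in the dmesg output. Note the trade-off between the two fixes: `SYNCDHCP` delays the boot until a lease is obtained (or dhclient gives up), and a literal address captured at load time goes stale if the lease later changes, so the `($ext_if)` form is the one that keeps working across renewals.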