pf has to be restarted before my network works

Is there something wrong with my rules here?

For some reason pf works fine, but only AFTER I do
Code:
/etc/rc.d/pf restart

Here's my rule set:
Code:
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if  = "em1"
int_if  = "em0"
wifi_if = "wlan0"
#protocol
icmp_types = "{ echoreq, unreach }"
#hosts
rtor = "192.168.1.18"
scp_j = "192.168.1.53"
Xbox360 = "192.168.1.22"
#ports
Xlive_tcp = "{ http, https, 3074 }"
Xlive_udp = "{ 88, 3074 }"
rtor_ports = "{http, https }"
#nets
lan_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# config
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy drop
set loginterface $ext_if
set skip on lo0
set optimization conservative
# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
scrub out all random-id

#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
#nat on egress from $Xbox360       to any tag EGRESS -> ($ext_if:0) static-port
nat on egress from (self)         to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on egress from $int_if:network to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on $ext_if from $Xbox360 to any -> ($ext_if:0) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to $ext_if port $rtor_ports -> $rtor
rdr on $ext_if proto tcp from any to $ext_if port 50022 -> $scp_j port ssh
rdr on $ext_if proto tcp from any to $ext_if port 10000:10040 -> $rtor
rdr on $int_if proto tcp from $lan_net to $ext_if port $rtor_ports -> $rtor
rdr on $ext_if inet proto udp from any to ($ext_if) port $Xlive_udp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto tcp from any to ($ext_if) port $Xlive_tcp tag XBOX360 -> $Xbox360
no nat on $int_if proto tcp from $int_if to $lan_net
nat on $int_if proto tcp from $lan_net to $rtor port $rtor_ports -> $int_if 
#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block log all
pass out keep state
anchor "ftp-proxy/*"
block drop in log on $ext_if from $priv_nets to any
block drop out log on $ext_if from any to $priv_nets
# anti spoofing
antispoof for { $int_if, $wifi_if, $ext_if }

pass log proto tcp from any to $rtor port $rtor_ports synproxy state
pass log proto tcp from any to $scp_j port ssh synproxy state
pass log proto tcp from any to $rtor port 10000:10040 synproxy state
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state tagged XBOX360
pass in log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp flags S/SAFR synproxy state


pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state

pass in  from $lan_net to $lan_net keep state
pass out from $lan_net to $lan_net keep state
pass out from any to any keep state
 
Could it be that your WiFi is not yet active when pf starts the first time?
 
I seem to remember that someone posted a similar problem before. The default order of the rc scripts might have to be adjusted (start wpa_supplicant before pf?).
 
OK... but shouldn't that only affect the WiFi clients?

This is network-wide.
(Thanks though, I'll check on that.)
 
I think pf is pretty picky when it comes to interfaces not being there, or not having an IP address yet. But you should see something in dmesg -a, because pf usually spews out an error like 'interface does not exist' or something similar.
 
Code:
Enabling pf
Nov 18 02:10:59 pflogd[442]: [priv]: msg PRIV_OPEN_LOG received
no IP address found for em1

Looks like it's my public IP that's not working...

This IP is DHCP... so... I need to make sure pf isn't brought up until after... what?
netif?
 
DHCP will be negotiated by /etc/rc.d/dhclient, which is way behind /etc/rc.d/pf in rcorder /etc/rc.d/*.
 
DutchDaemon said:
DHCP will be negotiated by /etc/rc.d/dhclient, which is way behind /etc/rc.d/pf in rcorder /etc/rc.d/*.

OK... so what would you suggest I do?

Edit:

Actually, I think I found the problem:
Code:
rdr on $ext_if proto tcp from any to $ext_if port $rtor_ports -> $rtor
rdr on $ext_if proto tcp from any to $ext_if port 50022 -> $scp_j port ssh
rdr on $ext_if proto tcp from any to $ext_if port 10000:10040 -> $rtor
rdr on $int_if proto tcp from $lan_net to $ext_if port $rtor_ports -> $rtor

I think I need to change $ext_if to ($ext_if).


Yes, this was the problem:

Code:
rdr on $ext_if proto tcp from any to ($ext_if) port $rtor_ports -> $rtor
rdr on $ext_if proto tcp from any to ($ext_if) port 50022 -> $scp_j port ssh
rdr on $ext_if proto tcp from any to ($ext_if) port 10000:10040 -> $rtor
rdr on $int_if proto tcp from $lan_net to ($ext_if) port $rtor_ports -> $rtor
Works.
 
Sorry, yeah, I was actually busy trying to pull this one from memory. I knew there was a way to ignore the interface not having an IP address yet, but I was looking at pfctl/rc.conf flags for that -- to no avail, of course. But the () (polling option) does that, indeed.
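A preflight for exactly this failure, added here as an example that is not from the thread and not the OP's ruleset. The first function, lint_pf_ifaddrs, reads a pf.conf on stdin and flags every "from"/"to"/"->" address written as a bare interface name or interface macro, which pfctl resolves once at ruleset load (and fails with "no IP address found for em1" if the interface has no address yet), rather than as "(ifname)", which the kernel looks up when the rule is evaluated. The second, pf_preflight, is the check to run before trusting a reboot: it shows where pf and dhclient sit in rcorder /etc/rc.d/* and does a parse-only load with pfctl -nf. The ruleset in SAMPLE_PF_CONF is constructed, modelled on the rdr/nat rules posted above; /etc/pf.conf, /etc/rc.d, rcorder and pfctl are the FreeBSD defaults and the function skips itself elsewhere. The lint is a text heuristic and deliberately conservative: it also flags bare references on statically addressed interfaces (the $int_if:network line in the sample), which only matter if that interface could lack an address when pf loads.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for pf rulesets on a box whose
# external interface gets its address from DHCP.
#
#   lint_pf_ifaddrs  stdin: pf.conf. Flags from/to/-> addresses that are a bare
#                    interface name or interface macro (resolved once at load
#                    time) instead of "(ifname)" (resolved at rule evaluation).
#   pf_preflight     FreeBSD only: boot order of pf vs dhclient, then pfctl -nf.
#
# SAMPLE_PF_CONF is a constructed ruleset modelled on the thread's rules.

SAMPLE_PF_CONF='ext_if  = "em1"
int_if  = "em0"
rtor    = "192.168.1.18"
rtor_ports = "{ http, https }"
# bare $ext_if: pfctl substitutes the em1 address at load time
rdr on $ext_if proto tcp from any to $ext_if port $rtor_ports -> $rtor
rdr on $ext_if proto tcp from any to $ext_if port 50022 -> 192.168.1.53 port ssh
# ($ext_if): the address is looked up when the packet is evaluated
rdr on $ext_if proto tcp from any to ($ext_if) port 10000:10040 -> $rtor
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
nat on egress from $int_if:network to any -> ($ext_if:0) port 1024:65535
pass in on $ext_if proto tcp from any to $ext_if port ssh'

lint_pf_ifaddrs() {
    awk '
    # Macro whose value is a bare interface name, e.g.  ext_if = "em1"
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"[a-z]+[0-9]+"[ \t]*$/ {
        name = $0; sub(/[ \t]*=.*$/, "", name)
        val  = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
        ifmacro["$" name] = val   # "$ext_if" -> "em1"
        ifname[val] = 1           # the literal name may be used directly
        next
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        for (i = 1; i < NF; i++) {
            if ($i != "from" && $i != "to" && $i != "->") continue
            tok  = $(i + 1)
            base = tok; sub(/[:,].*$/, "", base)   # drop :network, :0, list comma
            if (base in ifmacro)
                printf "line %d: %s resolves to %s at load time, use (%s): %s\n",
                       NR, base, ifmacro[base], tok, $0
            else if (base in ifname)
                printf "line %d: %s is resolved at load time, use (%s): %s\n",
                       NR, base, tok, $0
        }
    }'
}

pf_preflight() {
    conf=${1:-/etc/pf.conf}
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "pf_preflight: skipped, not FreeBSD" >&2
        return 0
    fi
    # Boot order: if pf is listed before dhclient, $ext_if has no address yet
    # when the ruleset is first loaded.
    rcorder /etc/rc.d/* 2>/dev/null | grep -n -e '/pf$' -e '/dhclient$'
    # Parse-only load; nothing in the kernel changes. This is where
    # "no IP address found for em1" shows up before a reboot does.
    pfctl -nf "$conf"
}

printf '%s\n' "$SAMPLE_PF_CONF" | lint_pf_ifaddrs
pf_preflight "${1:-/etc/pf.conf}"
```

Run it with no arguments to lint the constructed sample (four lines are reported: the two bare-$ext_if rdr rules, the $int_if:network nat rule and the pass rule; the two parenthesised rules are silent), or pipe your own file through lint_pf_ifaddrs and give pf_preflight a path to check a candidate ruleset before it goes into /etc/pf.conf.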
 
Yeah, if I had given you all the details from my logs, I'm sure you would have told me with a quickness; I just didn't quite read down far enough to see.

When I finally DID, the logs were kind enough to give me the exact LINE in pf which was the problem, so from there I was able to figure it out.
 