Interesting pf.conf observation
LAN = "em1"
In my pf.conf file I had $LAN:NETWORK in one of my rule sets, and when I reloaded the rules using pfctl -f /etc/pf.conf the rules reloaded without an error. However, after I rebooted my router pf.conf failed to load the rules and indicated there was an error with NETWORK in pf.conf on startup. The obvious issue here is that $LAN:NETWORK should be $LAN:network. I find it strange that pfctl will reload the rules but after a reboot I get an error. Shouldn't pfctl produce an error when I reload the rules? Is this something that needs to be addressed with the developers? Just curious.
Last edited by bsdsource; 28th October 2018 at 10:07 PM.
Yes I know. I just figured it would show a syntax error instead of making it seem like the rules reloaded without an issue. I wasn't aware there was an issue with my pf.conf until I rebooted OpenBSD then it showed an error at ruleset load-time.
The ruleset load at boot time is performed by rc(8) with pfctl. There are two phases:
Because there is no difference in function from rc()'s load of the ruleset and your manual execution of pfctl, I will guess that there was a failure to load by rc(), and the temporary ruleset was left in place. Of course, it's only a guess.
Where is the temporary ruleset located in the event that the admin's ruleset is not loaded?
Edit: I looked at the source code for rc and found the following code. I'm guessing this is what you are referring to. Code:
# Set initial temporary pf rule set.
if [[ $pf != NO ]]; then
	RULES="
	block all
	pass on lo0
	pass in proto tcp from any to any port ssh keep state
	pass out proto { tcp, udp } from any to any port domain keep state
	pass out inet proto icmp all icmp-type echoreq keep state
	pass out inet proto udp from any port bootpc to any port bootps
	pass in inet proto udp from any port bootps to any port bootpc"
	if ifconfig lo0 inet6 >/dev/null 2>&1; then
		RULES="$RULES
		pass out inet6 proto icmp6 all icmp6-type neighbrsol
		pass in inet6 proto icmp6 all icmp6-type neighbradv
		pass out inet6 proto icmp6 all icmp6-type routersol
		pass in inet6 proto icmp6 all icmp6-type routeradv
		pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
		pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
	fi
	RULES="$RULES
	pass in proto carp keep state (no-sync)
	pass out proto carp !received-on any keep state (no-sync)"
	if (($(sysctl -n vfs.mounts.nfs 2>/dev/null) > 0)); then
		# Don't kill NFS.
		RULES="set reassemble yes no-df
		$RULES
		pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
		pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
	fi
	print -- "$RULES" | pfctl -f -
	pfctl -e
fi
Last edited by bsdsource; 29th October 2018 at 05:07 PM.
Yes, that's it.
If my guess was wrong, and you are able to recreate the problem, it may be worth reporting. https://www.openbsd.org/report.html
Thanks for the feedback jggimi. Just FYI I tested it again with the same results. When I manually reload the rules using pfctl -f /etc/pf.conf I get no syntax error. I still find this to be strange.
When I reboot OpenBSD I get the error below on startup. Code:
no IP address found for em1:NETWORK
/etc/pf.conf:46: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
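The practical lesson of the thread is that a ruleset should be parsed before it is loaded, so that a mistake like $LAN:NETWORK is caught at the console rather than at the next boot. The following shell script is an added example, not code from the thread or from OpenBSD: pf_lint is a hypothetical static check that flags uppercase interface modifiers (pf.conf accepts only the lowercase :network, :broadcast and :peer), and pf_check runs it and then, where pfctl is installed, parses the file with the real pfctl -n -f, which checks syntax without loading anything. The two rulesets in pf_demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD's rc): check a pf.conf
# before loading it, to catch the $LAN:NETWORK class of mistake early.

# pf_lint FILE: print every line that uses an uppercase interface modifier.
# Returns 0 when the file is clean, 1 when at least one such line exists.
# pf.conf interface modifiers are lowercase: em1:network, em1:broadcast, em1:peer.
pf_lint() {
    f=$1
    # Comments are stripped first so a commented-out line does not trip the check.
    # grep -n prints the offending line with its line number.
    if sed 's/#.*//' "$f" | grep -n -E ':(NETWORK|BROADCAST|PEER)'; then
        echo "$f: interface modifiers must be lowercase (:network, :broadcast, :peer)" >&2
        return 1
    fi
    return 0
}

# pf_check FILE: static check, then a parse-only run with the real pfctl when
# it is available (pfctl -n parses the file but does not load it).
pf_check() {
    f=$1
    pf_lint "$f" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -n -f "$f"
    else
        echo "pfctl not available here; only the static check ran" >&2
    fi
}

# Stand-alone demo with two constructed rulesets: the mistaken form from the
# thread (uppercase NETWORK) and its corrected form.
pf_demo() {
    d=$(mktemp -d)
    printf 'LAN = "em1"\npass in on $LAN from $LAN:NETWORK to any\n' > "$d/bad.conf"
    printf 'LAN = "em1"\npass in on $LAN from $LAN:network to any\n' > "$d/good.conf"
    if pf_lint "$d/bad.conf"; then
        echo "bad.conf unexpectedly passed"
    else
        echo "bad.conf rejected, as expected"
    fi
    if pf_lint "$d/good.conf"; then
        echo "good.conf passes the static check"
    fi
    rm -rf "$d"
}

pf_demo
```

On an OpenBSD router the habit this encodes is simply pfctl -n -f /etc/pf.conf before pfctl -f /etc/pf.conf; the static check is there so the example also runs on hosts without pf.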