pf nat woes

Richard Nyberg rnyberg at murmeldjur.se
Mon Sep 5 04:50:14 PDT 2016


The script will be a useful workaround. Many thanks!

Regards,
-Richard

On 5 September 2016 at 07:35, Matthew Dillon <dillon at backplane.com> wrote:
> I have this problem too, it's likely a bug in our PF implementation.  What I
> do is have a little script which I start in the background (using the notty
> command) from /etc/rc.local which checks whether the DHCP assignment has
> changed on the interface and then reloads the PF rules if it has.
>
> To reload the rules:
>
> pfctl -d
> pfctl -F all
> pfctl -f /etc/pf.conf
> pfctl -e
>
> There are a few ways to detect whether the DHCP assignment has changed.  The
> easiest is for the script to save the output from the ifconfig command
> filtering for 'inet'.  e.g.  something like this:
>
> # set fubar1 to force initial reload
> #
> set fubar1 = "xx"
>
> while (1)
>     set fubar2 = `ifconfig igb0 | fgrep inet`
>     if ( "$fubar1" != "$fubar2" ) then
>         # reload the PF rules (same sequence as above)
>         pfctl -d
>         pfctl -F all
>         pfctl -f /etc/pf.conf
>         pfctl -e
>     endif
>     sleep 10
>     set fubar1 = "$fubar2"
> end
>
> Obviously not the best solution but it works as a monitor.
>
> I think PF is supposed to pick-up changes automatically when an interface is
> specified like that, but our PF doesn't appear to.
>
> -Matt
>
> On Sun, Sep 4, 2016 at 2:33 AM, Richard Nyberg <rnyberg at murmeldjur.se>
> wrote:
>>
>> Hello users,
>>
>> I've set up a df4.6 box as an internet gateway and samba fileserver at
>> home. It gets its external IP address via dhcp on re0. The problem is
>> that after this machine has booted, I need to run "rcrestart pf".
>> Otherwise the machines on the internal network can't access the
>> internet.
>>
>> Any thoughts on this? The server's rc.conf and pf.conf are below.
>>
>> ### pf.conf begin
>>
>> ext_if="re0"
>> int_if="em0"
>>
>> scrub in
>>
>> nat on $ext_if from $int_if:network -> ($ext_if)
>>
>> block in
>> pass out keep state
>>
>> pass quick on { lo $int_if }
>>
>> pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
>> pass in on $ext_if proto { tcp udp } to ($ext_if) port 51403 keep state
>> pass in on $ext_if proto { tcp udp } to ($ext_if) port 51413 keep state
>>
>> ### pf.conf end
>>
>> ### rc.conf begin
>>
>> powerd_enable="YES"
>> dntpd_enable="YES"
>> samba_enable="YES"
>> sshd_enable="YES"
>>
>> dbus_enable="YES"
>> avahi_daemon_enable="YES"
>>
>> dhcpd_enable="YES"
>> dhcpd_flags="-q"
>> dhcpd_conf="/usr/local/etc/dhcpd.conf"
>> dhcpd_ifaces="em0"
>> dhcpd_withumask="022"
>>
>> dumpdev="/dev/serno/S246J90Z339652.s1b"
>>
>> hostname="gorg.lan"
>>
>> ifconfig_re0="DHCP"
>> ifconfig_em0="inet 10.5.2.1 netmask 0xffffff00"
>>
>> gateway_enable="YES"
>> pf_enable="YES"
>>
>> ### rc.conf end
>>
>> Best regards,
>> -Richard
>
>
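A /bin/sh version of the monitor Matt describes, added here as an example; it is not code from the thread or from DragonFly. The script name pf-dhcp-monitor.sh, the EXT_IF/PF_CONF/INTERVAL variables and the run/selftest subcommands are my own choices, and the ifconfig output used by the self-test is constructed, not a real capture. It keeps the reload sequence from Matt's reply but matches the address line more narrowly than `fgrep inet`, so IPv6 link-local churn on the interface does not cause needless reloads.

```shell
#!/bin/sh
# pf-dhcp-monitor.sh (hypothetical name): reload PF when the IPv4 address
# assigned by DHCP on the external interface changes.
# Added example for this thread, not code from the list or from DragonFly.

EXT_IF="${EXT_IF:-re0}"                   # external interface (re0 in the rc.conf above)
PF_CONF="${PF_CONF:-/etc/pf.conf}"        # ruleset to reload
INTERVAL="${INTERVAL:-10}"                # seconds between checks
IFCONFIG_CMD="${IFCONFIG_CMD:-ifconfig}"  # overridable so parsing can be tested offline
PFCTL_CMD="${PFCTL_CMD:-pfctl}"

# IPv4 address(es) of an interface, one per line. Matching the "inet"
# keyword as a whole word skips inet6 lines, so link-local or temporary
# IPv6 changes do not trigger a reload the way "fgrep inet" would.
inet_addrs() {
    "$IFCONFIG_CMD" "$1" 2>/dev/null | awk '$1 == "inet" { print $2 }'
}

# True (exit 0) when the two address snapshots differ.
addr_changed() {
    [ "$1" != "$2" ]
}

# Reload sequence from Matt's reply. PF is disabled between -d and -e, so
# the gateway forwards unfiltered for that moment; nothing else runs here.
reload_pf() {
    "$PFCTL_CMD" -d
    "$PFCTL_CMD" -F all
    "$PFCTL_CMD" -f "$PF_CONF"
    "$PFCTL_CMD" -e
}

# Snapshot, compare, reload on change. The sentinel makes the first pass
# reload unconditionally, like 'set fubar1 = "xx"' in the original.
monitor_loop() {
    prev="__force_initial_reload__"
    while :; do
        cur=$(inet_addrs "$EXT_IF")
        if addr_changed "$prev" "$cur"; then
            logger -t pf-dhcp-monitor "$EXT_IF now '${cur:-no address}', reloading PF"
            reload_pf
        fi
        prev=$cur
        sleep "$INTERVAL"
    done
}

# Constructed ifconfig output for the offline self-test (not a real capture).
fake_ifconfig() {
    printf '%s\n' \
        're0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500' \
        '	inet6 fe80::1%re0 prefixlen 64 scopeid 0x1' \
        '	inet 203.0.113.17 netmask 0xffffff00 broadcast 203.0.113.255'
}

# Returns 0 when address parsing and change detection behave as expected.
selftest() {
    saved=$IFCONFIG_CMD
    IFCONFIG_CMD=fake_ifconfig
    got=$(inet_addrs re0)
    IFCONFIG_CMD=$saved
    [ "$got" = "203.0.113.17" ] || return 1
    addr_changed "203.0.113.17" "203.0.113.18" || return 1
    if addr_changed "203.0.113.17" "203.0.113.17"; then return 1; fi
    return 0
}

case "${1:-}" in
    run)      monitor_loop ;;
    selftest) selftest && echo "selftest ok" ;;
esac
```

Run `sh pf-dhcp-monitor.sh selftest` once, then start it from /etc/rc.local in the background the way Matt describes (e.g. `notty sh /path/to/pf-dhcp-monitor.sh run &`). Two things worth knowing before relying on it: clients lose NAT for up to INTERVAL seconds after a lease change, because this polls rather than hooking the DHCP client, and each reload leaves PF disabled for the span of the four pfctl calls. If a plain `pfctl -f /etc/pf.conf` turns out to be enough to pick up the new address on your build, swapping it into reload_pf removes that window; the example keeps the sequence from the thread because that is what is known to work here.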

