pf nat woes

Matthew Dillon dillon at backplane.com
Sun Sep 4 22:35:33 PDT 2016


I have this problem too, it's likely a bug in our PF implementation.  What I
do is have a little script which I start in the background (using the notty
command) from /etc/rc.local which checks whether the DHCP assignment has
changed on the interface and then reloads the PF rules if it has.

To reload the rules:

pfctl -d
pfctl -F all
pfctl -f /etc/pf.conf
pfctl -e

There are a few ways to detect whether the DHCP assignment has changed.
The easiest is for the script to save the output from the ifconfig command
filtering for 'inet'.  e.g. something like this:

#!/bin/csh -f
# Poll the DHCP interface every 10 seconds and reload the PF rules
# whenever its ifconfig 'inet' lines change.
#
# set fubar1 to a dummy value to force an initial reload
#
set fubar1 = "xx"

while (1)
    set fubar2 = `ifconfig igb0 | fgrep inet`
    if ( "$fubar1" != "$fubar2" ) then
        # reload the PF rules (same sequence as above)
        pfctl -d
        pfctl -F all
        pfctl -f /etc/pf.conf
        pfctl -e
    endif
    sleep 10
    set fubar1 = "$fubar2"
end

Obviously not the best solution but it works as a monitor.

I think PF is supposed to pick up changes automatically when an interface
is specified like that, but our PF doesn't appear to.

-Matt
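
As an added example, not code from the original message, here is the same monitor written for /bin/sh. It differs from the csh loop in three ways: it compares only the IPv4 address and netmask of the external interface (so inet6 autoconf churn does not trigger a reload), it skips reloading while the interface has no IPv4 address yet, and it reloads with a single "pfctl -f", which replaces the ruleset without the pfctl -d / -e window during which pf is disabled and nothing is filtered or NATed. The interface name re0, the script path, the poll interval and the ifconfig sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a /bin/sh DHCP-change monitor
# that reloads pf when the external interface's IPv4 binding changes.
# EXT_IF, PF_CONF and INTERVAL defaults are assumptions for illustration.

EXT_IF="${EXT_IF:-re0}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"
INTERVAL="${INTERVAL:-10}"

# Constructed sample of BSD ifconfig output (not captured from a real host),
# used only to exercise the parser offline.
SAMPLE_IFCONFIG='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1%re0 prefixlen 64 scopeid 0x1
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        status: active'

# Read ifconfig output on stdin; print "address netmask" from the first
# "inet" line, or nothing if the interface has no IPv4 address.
inet4_of() {
    awk '$1 == "inet" { print $2, $4; exit }'
}

# Current IPv4 binding of the external interface ("" if none).
current_inet4() {
    ifconfig "$EXT_IF" 2>/dev/null | inet4_of
}

# True (exit 0) when the binding differs from the last one seen.
needs_reload() {
    [ "$1" != "$2" ]
}

# Replace the ruleset in place; pf stays enabled throughout.  Add
# "pfctl -F states" here if NAT states for the old address should be dropped.
reload_pf() {
    pfctl -f "$PF_CONF"
}

# Polling loop.  prev starts with a dummy value to force an initial reload;
# on a failed reload prev is left alone so the next tick retries.
monitor() {
    prev="__force_initial_reload__"
    while :; do
        cur=$(current_inet4)
        if needs_reload "$prev" "$cur" && [ -n "$cur" ]; then
            if reload_pf; then
                logger -t pfmon "reloaded pf: $EXT_IF is now $cur"
                prev="$cur"
            else
                logger -t pfmon "pf reload failed for $EXT_IF ($cur), retrying"
            fi
        else
            prev="$cur"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked with PFMON_RUN=1, e.g. from rc.local
# (assumed path):  PFMON_RUN=1 /usr/local/sbin/pfmon.sh &
if [ "${PFMON_RUN:-0}" = 1 ]; then
    monitor
fi
```

Run it in the background from /etc/rc.local the same way the csh script is started. If a plain "pfctl -f" turns out not to clear the problem on a given pf build, substitute the four-command sequence from the post in reload_pf; the detection logic is unchanged either way.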

On Sun, Sep 4, 2016 at 2:33 AM, Richard Nyberg <rnyberg at murmeldjur.se>
wrote:

> Hello users,
>
> I've set up a df4.6 box as an internet gateway and samba fileserver at
> home. It gets its external IP address via dhcp on re0. The problem is
> that after this machine has booted, I need to run "rcrestart pf".
> Otherwise the machines on the internal network can't access the
> internet.
>
> Any thoughts on this? The server's rc.conf and pf.conf are below.
>
> ### pf.conf begin
>
> ext_if="re0"
> int_if="em0"
>
> scrub in
>
> nat on $ext_if from $int_if:network -> ($ext_if)
>
> block in
> pass out keep state
>
> pass quick on { lo $int_if }
>
> pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
> pass in on $ext_if proto { tcp udp } to ($ext_if) port 51403 keep state
> pass in on $ext_if proto { tcp udp } to ($ext_if) port 51413 keep state
>
> ### pf.conf end
>
> ### rc.conf begin
>
> powerd_enable="YES"
> dntpd_enable="YES"
> samba_enable="YES"
> sshd_enable="YES"
>
> dbus_enable="YES"
> avahi_daemon_enable="YES"
>
> dhcpd_enable="YES"
> dhcpd_flags="-q"
> dhcpd_conf="/usr/local/etc/dhcpd.conf"
> dhcpd_ifaces="em0"
> dhcpd_withumask="022"
>
> dumpdev="/dev/serno/S246J90Z339652.s1b"
>
> hostname="gorg.lan"
>
> ifconfig_re0="DHCP"
> ifconfig_em0="inet 10.5.2.1 netmask 0xffffff00"
>
> gateway_enable="YES"
> pf_enable="YES"
>
> ### rc.conf end
>
> Best regards,
> -Richard
>