pf nat woes

Matthew Dillon dillon at backplane.com
Mon Sep 5 09:20:39 PDT 2016


20-60 second retry is probably better than 10.  Also when you start the
script in /etc/rc.local you can run it at nice +20 or something so it isn't
given cpu priority.  And you can get a lot more sophisticated too, retrying
more often just after the script starts and less often afterwards.

-Matt

On Mon, Sep 5, 2016 at 4:50 AM, Richard Nyberg <rnyberg at murmeldjur.se>
wrote:

> The script will be a useful workaround. Many thanks!
>
> Regards,
> -Richard
>
> On 5 September 2016 at 07:35, Matthew Dillon <dillon at backplane.com> wrote:
> > I have this problem too, it's likely a bug in our PF implementation.  What I
> > do is have a little script which I start in the background (using the notty
> > command) from /etc/rc.local which checks whether the DHCP assignment has
> > changed on the interface and then reloads the PF rules if it has.
> >
> > To reload the rules:
> >
> > pfctl -d
> > pfctl -F all
> > pfctl -f /etc/pf.conf
> > pfctl -e
> >
> > There are a few ways to detect whether the DHCP assignment has changed.  The
> > easiest is for the script to save the output from the ifconfig command
> > filtering for 'inet'.  e.g.  something like this:
> >
> > # set fubar1 to force initial reload
> > #
> > set fubar1 = "xx"
> >
> > while (1)
> >     set fubar2 = `ifconfig igb0 | fgrep inet`
> >     if ( "$fubar1" != "$fubar2" ) then
> >         # reload PF rules (same sequence as above)
> >         pfctl -d
> >         pfctl -F all
> >         pfctl -f /etc/pf.conf
> >         pfctl -e
> >     endif
> >     sleep 10
> >     set fubar1 = "$fubar2"
> > end
> >
> > Obviously not the best solution but it works as a monitor.
> >
> > I think PF is supposed to pick up changes automatically when an interface is
> > specified like that, but our PF doesn't appear to.
> >
> > -Matt
> >
> > On Sun, Sep 4, 2016 at 2:33 AM, Richard Nyberg <rnyberg at murmeldjur.se>
> > wrote:
> >>
> >> Hello users,
> >>
> >> I've set up a df4.6 box as an internet gateway and samba fileserver at
> >> home. It gets its external IP address via dhcp on re0. The problem is
> >> that after this machine has booted, I need to run "rcrestart pf".
> >> Otherwise the machines on the internal network can't access the
> >> internet.
> >>
> >> Any thoughts on this? The server's rc.conf and pf.conf are below.
> >>
> >> ### pf.conf begin
> >>
> >> ext_if="re0"
> >> int_if="em0"
> >>
> >> scrub in
> >>
> >> nat on $ext_if from $int_if:network -> ($ext_if)
> >>
> >> block in
> >> pass out keep state
> >>
> >> pass quick on { lo $int_if }
> >>
> >> pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
> >> pass in on $ext_if proto { tcp udp } to ($ext_if) port 51403 keep state
> >> pass in on $ext_if proto { tcp udp } to ($ext_if) port 51413 keep state
> >>
> >> ### pf.conf end
> >>
> >> ### rc.conf begin
> >>
> >> powerd_enable="YES"
> >> dntpd_enable="YES"
> >> samba_enable="YES"
> >> sshd_enable="YES"
> >>
> >> dbus_enable="YES"
> >> avahi_daemon_enable="YES"
> >>
> >> dhcpd_enable="YES"
> >> dhcpd_flags="-q"
> >> dhcpd_conf="/usr/local/etc/dhcpd.conf"
> >> dhcpd_ifaces="em0"
> >> dhcpd_withumask="022"
> >>
> >> dumpdev="/dev/serno/S246J90Z339652.s1b"
> >>
> >> hostname="gorg.lan"
> >>
> >> ifconfig_re0="DHCP"
> >> ifconfig_em0="inet 10.5.2.1 netmask 0xffffff00"
> >>
> >> gateway_enable="YES"
> >> pf_enable="YES"
> >>
> >> ### rc.conf end
> >>
> >> Best regards,
> >> -Richard
> >
> >
>
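A POSIX sh version of the monitor Matt describes, with his follow-up suggestions (longer interval, faster polling right after start, low priority via nice) folded in. This is an added example, not code from the thread; EXT_IF, PF_CONF, PF_MONITOR and the script path in the last comment are assumed names to adjust for your own box.

```sh
#!/bin/sh
# Added example: DHCP-change monitor that reloads PF, after the thread's recipe.
# EXT_IF and PF_CONF are assumed variable names; defaults match the original post.
EXT_IF="${EXT_IF:-re0}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Print the IPv4 address(es) from ifconfig output read on stdin, one per line.
# Comparing addresses only avoids reloads when unrelated ifconfig fields change.
inet_addrs() {
    awk '$1 == "inet" { print $2 }'
}

# Current snapshot for EXT_IF; empty while no lease has been obtained yet.
inet_snapshot() {
    ifconfig "$EXT_IF" 2>/dev/null | inet_addrs
}

# Reload sequence from the thread. Note that "pfctl -F all" also flushes the
# state table, so connections through the NAT are dropped at each reload.
reload_pf() {
    pfctl -d && pfctl -F all && pfctl -f "$PF_CONF" && pfctl -e
}

# Poll every 5 s during the first minute (the lease usually arrives then),
# then every 60 s. $1 is seconds since the monitor started.
poll_interval() {
    if [ "$1" -lt 60 ]; then echo 5; else echo 60; fi
}

# True (exit 0) when the snapshot differs from the previous one.
snapshot_changed() {
    [ "$1" != "$2" ]
}

run_monitor() {
    prev=""
    elapsed=0
    while :; do
        cur=$(inet_snapshot)
        if snapshot_changed "$prev" "$cur"; then
            reload_pf || logger -t pf-monitor "pf reload failed"
            prev="$cur"
        fi
        interval=$(poll_interval "$elapsed")
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}
# Start the loop only when asked, so the functions can also be sourced.
# From /etc/rc.local:  PF_MONITOR=1 nice -n 20 /usr/local/sbin/pf-monitor.sh &
if [ "${PF_MONITOR:-0}" = 1 ]; then run_monitor; fi
```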