On Wed, Sep 07, 2016 at 01:14:45PM +0200, Sebastien Marie wrote:
> Hi,
>
> I upgraded my laptop (amd64) to the latest snapshot, and I experience odd network
> connectivity.
>
> in summary:
> - ping is ok (lan and internet)
> - udp is ok (lan and internet) - DNS is working
> - tcp isn't working (connect: no route to host) - tested with several tools:
> ssh(1), nc(1), or telnet(1)
> the problem is present for lan and internet addresses.
>
I finally found the root of the issue: a racy syntax error in my pf.conf.
I used egress:network in a table in /etc/pf.conf.
Regarding the boot process:
- set really strict pf rules (grep RULES /etc/rc for detail):
  outgoing ping is allowed
  outgoing DNS is allowed
  outgoing tcp for ssh or http is BLOCKED
  ...
  (it explains my network situation)
- enable pf
- sh /etc/netstart
- pfctl -f /etc/pf.conf
I experienced a race for "egress:network" between netstart and pfctl.
Sometimes (not always), pfctl -f /etc/pf.conf exits with an error:
  no IP address found for egress:network
  /etc/pf.conf:15 could not parse host specification
leaving the system with default rules (which aren't suitable for generic
use).
I am still unsure how the race occurs, if it is for "egress" interface
group, or for "egress:network" (addresses, not the group).
As "egress" is generally used in /etc/pf.conf, I dunno if the latest commits
make the race more easily hittable, or if it is something else.
Thanks.
--
Sebastien Marie
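An added example, not from Sebastien's mail nor from OpenBSD's rc(8): a POSIX sh readiness check that polls ifconfig(8) for an address on the egress group before running pfctl -f, and fails loudly instead of silently running on the bootstrap rules when none appears. The ifconfig text, the helper names and the 1 s poll interval are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail: load /etc/pf.conf only once the
# "egress" group really has an address, so egress:network resolves and a failed
# pfctl -f cannot leave the strict rc(8) bootstrap rules behind. Parsing works on
# ifconfig(8) text, so the logic runs offline on the constructed output below.
# Constructed ifconfig(8) output for an egress member before/after it got an
# address; the first state only carries the link-local inet6.
EGRESS_NOADDR='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:55
        groups: egress
        inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1'
EGRESS_READY="$EGRESS_NOADDR
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255"
# Getters: the real one asks the kernel, the others replay the constructed text.
real_egress()   { ifconfig egress; }
sample_noaddr() { printf '%s\n' "$EGRESS_NOADDR"; }
sample_ready()  { printf '%s\n' "$EGRESS_READY"; }

# egress_has_addr OUTPUT: succeed if OUTPUT lists an inet or a non-link-local
# inet6 address. A lone fe80:: is ignored on purpose: it shows up as soon as
# the interface is up and says nothing about whether egress:network resolves.
egress_has_addr() {
    printf '%s\n' "$1" \
        | grep -Ev '^[[:space:]]+inet6 fe80:' \
        | grep -Eq '^[[:space:]]+inet6? [0-9a-fA-F:.]+'
}

# wait_for_egress GETTER TRIES: poll GETTER up to TRIES times, 1 s apart.
wait_for_egress() {
    n=0
    while [ "$n" -lt "$2" ]; do
        if egress_has_addr "$($1)"; then return 0; fi
        n=$((n + 1))
        if [ "$n" -lt "$2" ]; then sleep 1; fi
    done
    return 1
}
# load_pf GETTER TRIES [PFCTL]: load the ruleset only when egress is resolvable,
# otherwise fail loudly rather than quietly keep the bootstrap rules.
# PFCTL defaults to pfctl; it is a parameter only so the flow can run offline.
load_pf() {
    if ! wait_for_egress "$1" "$2"; then
        echo "egress still has no address after $2 tries; pf.conf not loaded" >&2
        return 1
    fi
    "${3:-pfctl}" -f /etc/pf.conf
}

# Offline demonstration with a no-op pfctl; on a real host: load_pf real_egress 10
load_pf sample_ready 3 true
```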