On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga <[email protected]> wrote:
> 2009/3/9 J.C. Roberts <[email protected]>:
> > On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
> > <[email protected]> wrote:
> >
> >> I have pf running on my firewall box and I'm experiencing some
> >> strange behaviour. After several hours (this may even be 24 hours)
> >> of functioning normally, pf seems to reload its default rules
> >> which means that from that point on all traffic is blocked. A
> >> simple "pfctl -f /etc/pf.conf" fixes the problem but it is very
> >> annoying.
> >
> > ummm... no. Think about it for a moment. The default rules *are*
> > stored in /etc/pf.conf --the very same file you are manually
> > reloading, so it's obviously not magically reloading the "default
> > rules" as you claim.
>
> Ah, different semantics. :-) By "default rules" I mean whatever pf
> does *without* an /etc/pf.conf. Probably something like "block all".
> :-)
>
> > What kind of connection are you running?
> > Is your public IP address static or dynamic?
> > More importantly, are you running some sort of
> > tunneling/authentication such as PPPoE or similar?
>
> I use DHCP so my IP can change. It's not particularly "public" though.
> My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
> I guess [no more running out of IPv4 addresses for them] but not very
> useful to me.)
>

I doubt your ISP only has 254 customers, so they are most likely using
more than just the stated 192.168.1.0 - 192.168.1.255 range. If you are
doing your own NAT'ing for other machines on your private LAN, the fact
your ISP is assigning you an IP address from the private address space
could lead to a conflict.

The "smart" answer for an ISP is moving to IPv6 since it's the only
long-term solution. Unfortunately, with less than 1% uptake on IPv6, it
doesn't get you much usability "right now" and network address
translation hacks are still required in some cases.

> > In short my first guess is your IP is changing every 24 hours or so
> > due to your service provider using dynamic addressing (and trying to
> > prevent you from having a particular IP for too long). If I'm right,
> > then your problem is that pf is holding on to the old rules for your
> > old IP address even though your IP had changed. In other words, you
> > have a configuration error.
>
> That definitely makes sense. However, I thought that by referring to
> an interface instead of an IP I was protected from that? I mean, it's
> fairly common to have a dynamic IP, is it not?
>

It depends on *how* you refer to the interface in your rules. As
mentioned in the thread, you may have left off the needed parentheses
around your interface variable. You would be neither the first nor last
to make this mistake. If you would post your pf.conf it would be very
helpful.

p.s. I hope you don't mind I cc'd m...@. I figured your off-list reply
was due to my mistaken off-list reply.

--
J.C. Roberts
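As an added illustration of the parentheses point above (example configuration, not from the thread or from Hilco's pf.conf; the interface names em0 and fxp0 and the rules themselves are assumptions), here is a pf.conf fragment showing the form that freezes the DHCP address at load time beside the form that follows the interface's current address:

```pf
# Assumed interface names for this example; substitute your own.
ext_if = "em0"     # DHCP-assigned external interface
int_if = "fxp0"    # private LAN behind the firewall

set skip on lo

# Problem form: with no parentheses, pf resolves $ext_if to the address
# the interface holds when the ruleset is loaded and stores that literal
# address in the rule. After the DHCP lease hands out a new address, these
# rules still name the old one, so traffic to or from the new address no
# longer matches and "pfctl -f /etc/pf.conf" is needed to refresh them.
#
# nat on $ext_if from $int_if:network to any -> $ext_if
# pass out on $ext_if from $ext_if to any keep state
# pass in on $ext_if proto tcp from any to $ext_if port ssh keep state

# Corrected form: ($ext_if) tells pf to look up the interface's address
# at match time, so the rules keep working across lease changes. The
# "on $ext_if" part names the interface itself and needs no parentheses;
# only the places where an address is derived from the interface do.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block in log on $ext_if all
pass out on $ext_if from ($ext_if) to any keep state
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
pass in on $int_if from $int_if:network to any keep state
```

To check which form a running firewall actually loaded, "pfctl -sr" (and "pfctl -sn" for the translation rules) prints unparenthesized interface names already expanded to literal addresses, while the parenthesized form is shown as "(em0)".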

