2009/3/9 J.C. Roberts <list-...@designtools.org>:
> On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga
> <hilco.wijbe...@gmail.com> wrote:
>
>> 2009/3/9 J.C. Roberts <list-...@designtools.org>:
>> > On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
>> > <hilco.wijbe...@gmail.com> wrote:
>> >
>> >> I have pf running on my firewall box and I'm experiencing some
>> >> strange behaviour. After several hours (this may even be 24 hours)
>> >> of functioning normally, pf seems to reload its default rules
>> >> which means that from that point on all traffic is blocked. A
>> >> simple "pfctl -f /etc/pf.conf" fixes the problem but it is very
>> >> annoying.
>> >
>> > ummm... no. Think about it for a moment. The default rules *are*
>> > stored in /etc/pf.conf --the very same file you are manually
>> > reloading, so it's obviously not magically reloading the "default
>> > rules" as you claim.
>>
>> Ah, different semantics. :-) By "default rules" I mean whatever pf
>> does *without* an /etc/pf.conf. Probably something like "block all".
>>
>
> :-)
>
>> > What kind of connection are you running?
>> > Is your public IP address static or dynamic?
>> > More importantly, are you running some sort of
>> > tunneling/authentication such as PPPoE or similar?
>>
>> I use DHCP so my IP can change. It's not particularly "public" though.
>> My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
>> I guess [no more running out of IPv4 addresses for them] but not very
>> useful to me.)
>
> I doubt your ISP only has 254 customers, so they are most likely using
> more than just the stated 192.168.1.0 - 192.168.1.255 range.

Let's hope so for them. :-) I always get an IP in that range, though.
Well, so far anyway.

> If you are doing your own NAT'ing for other machines on your private
> LAN, the fact your ISP is assigning you an IP address from the private
> address space could lead to a conflict.

I had been wondering about that. I use 192.168.151.* internally. That
should be okay then, shouldn't it?

> The "smart" answer for an ISP is moving to IPv6 since it's the only
> long term solution. Unfortunately, with less than 1% uptake on IPv6, it
> doesn't get you much usability "right now" and network address
> translation hacks are still required in some cases.

We're talking about a very big ISP. Smart doesn't come into the picture. ;-)

>> > In short my first guess is your IP is changing every 24 hours or so
>> > due to your service provider using dynamic addressing (and trying to
>> > prevent you from having a particular IP for too long). If I'm right,
>> > then your problem is that pf is holding on to the old rules for your
>> > old IP address even though your IP had changed. In other words, you
>> > have a configuration error.
>>
>> That definitely makes sense. However, I thought that by referring to
>> an interface instead of an IP I was protected from that? I mean, it's
>> fairly common to have a dynamic IP, is it not?
>>
>
> It depends on *how* you refer to the interface in your rules. As
> mentioned in the thread, you may have left off the needed parentheses
> around your interface variable. You would be neither the first nor last
> to make this mistake. If you would post your pf.conf it would be very
> helpful.

ext_if = "sk0"
int_if = "sk1"

set skip on lo
set block-policy return

scrub in

nat log on $ext_if from $int_if:network to any -> ($ext_if)

block log

pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
#pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port { domain, ntp }
pass in quick on $int_if from $int_if:network to any

> p.s. I hope you don't mind I cc'd m...@. I figured your off-list reply
> was due to my mistaken off-list reply. :-)

Yep.

Cheers,
Hilco
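A small check for the mistake J.C. Roberts describes above, added here as an example and not code from the thread: in pf.conf(5) a bare "from $ext_if" is expanded to the interface's address once, when the ruleset is loaded, while the parenthesised "($ext_if)" is re-resolved by pf whenever the interface's address changes (a new DHCP lease, for instance). The function names are assumptions for this example, and the sample ruleset is the one posted above plus one constructed line in the parenthesised form.

```shell
#!/bin/sh
# Lint a pf.conf for interface macros used as bare address operands.
# "from $ext_if" is resolved at ruleset load time; "from ($ext_if)" is
# re-resolved by pf whenever the interface's address changes.
# Helper names below are assumptions for this example, not pf/pfctl tooling.

# Print each rule line in file $2 where "from" or "to" is followed by the
# bare macro "$<name>" given in $1. Comments are stripped first, so
# commented-out rules and the parenthesised form "($<name>)" are not reported.
pf_bare_if_addrs() {
    awk -v m="$1" '
        { sub(/#.*/, "") }                        # drop comments
        {
            for (i = 1; i < NF; i++)
                if (($i == "from" || $i == "to") && $(i + 1) == ("$" m)) {
                    print
                    break
                }
        }' "$2"
}

# Number of offending lines, printed on stdout (0 when the ruleset is clean).
pf_bare_if_count() {
    pf_bare_if_addrs "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample: the ruleset posted in the thread plus one extra line
# in the parenthesised form, so the check can be seen passing as well.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ext_if = "sk0"
int_if = "sk1"
set skip on lo
set block-policy return
scrub in
nat log on $ext_if from $int_if:network to any -> ($ext_if)
block log
pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
#pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port { domain, ntp }
pass in quick on $int_if from $int_if:network to any
pass out quick from ($ext_if) to any
EOF

# Lists the one rule that still pins the address the interface had at load time.
pf_bare_if_addrs ext_if "$SAMPLE"
```

The reported line is the "pass out quick from $ext_if to any" rule; the nat rule and the commented-out rule already use the parenthesised form and are not flagged.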