2009/3/9 J.C. Roberts <list-...@designtools.org>:
> On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga
> <hilco.wijbe...@gmail.com> wrote:
>
>> 2009/3/9 J.C. Roberts <list-...@designtools.org>:
>> > On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
>> > <hilco.wijbe...@gmail.com> wrote:
>> >
>> >> I have pf running on my firewall box and I'm experiencing some
>> >> strange behaviour. After several hours (this may even be 24 hours)
>> >> of functioning normally, pf seems to reload its default rules
>> >> which means that from that point on all traffic is blocked. A
>> >> simple "pfctl -f /etc/pf.conf" fixes the problem but it is very
>> >> annoying.
>> >
>> > ummm... no. Think about it for a moment. The default rules *are*
>> > stored in /etc/pf.conf --the very same file you are manually
>> > reloading, so it's obviously not magically reloading the "default
>> > rules" as you claim.
>>
>> Ah, different semantics. :-) By "default rules" I mean whatever pf
>> does *without* an /etc/pf.conf. Probably something like "block all".
>>
>
> :-)
>
>> > What kind of connection are you running?
>> > Is your public IP address static or dynamic?
>> > More importantly, are you running some sort of
>> > tunneling/authentication such as PPPoE or similar?
>>
>> I use DHCP so my IP can change. It's not particularly "public" though.
>> My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
>> I guess [no more running out of IPv4 addresses for them] but not very
>> useful to me.)
>
> I doubt your ISP only has 254 customers, so they are most likely using
> more than just the stated 192.168.1.0 - 192.168.1.255 range.

Let's hope so for them. :-) I always get an IP in that range, though.
Well, so far anyway.

> If you are doing your own NAT'ing for other machines on your private
> LAN, the fact your ISP is assigning you an IP address from the private
> address space could lead to a conflict.

I had been wondering about that. I use 192.168.151.* internally. That
should be okay then, shouldn't it?

> The "smart" answer for an ISP is moving to IPv6 since it's the only
> long term solution. Unfortunately, with less than 1% uptake on IPv6, it
> doesn't get you much usability "right now" and network address
> translation hacks are still required in some cases.

We're talking about a very big ISP. Smart doesn't come into the picture. ;-)

>> > In short my first guess is your IP is changing every 24 hours or so
>> > due to your service provider using dynamic addressing (and trying to
>> > prevent you from having a particular IP for too long). If I'm right,
>> > then your problem is that pf is holding on to the old rules for your
>> > old IP address even though your IP had changed. In other words, you
>> > have a configuration error.
>>
>> That definitely makes sense. However, I thought that by referring to
>> an interface instead of an IP I was protected from that? I mean, it's
>> fairly common to have a dynamic IP, is it not?
>>
>
> It depends on *how* you refer to the interface in your rules. As
> mentioned in the thread, you may have left off the needed parenthesis
> around your interface variable. You would be neither the first nor last
> to make this mistake. If you would post your pf.conf it would be very
> helpful.

ext_if = "sk0"
int_if = "sk1"

set skip on lo
set block-policy return
scrub in

nat log on $ext_if from $int_if:network to any -> ($ext_if)

block log
pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
#pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port { domain, ntp }
pass in quick on $int_if from $int_if:network to any

> p.s. I hope you don't mind I cc'd m...@. I figured your off-list reply
> was due to my mistaken off-list reply.

:-) Yep.

Cheers,
Hilco
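For reference, the same ruleset with the change the thread points at (tracking the external interface with parentheses so pf follows the address instead of binding the one dhclient had at load time). This is an added example, not Hilco's posted configuration or anything from the OpenBSD project; interface names sk0/sk1 are taken from the post above, everything else about the network is assumed.

```pf
ext_if = "sk0"
int_if = "sk1"

set skip on lo
set block-policy return
scrub in

# ($ext_if) is tracked by pf: the translation address is re-read whenever
# dhclient changes it, so this line was already correct.
nat log on $ext_if from $int_if:network to any -> ($ext_if)

block log

# LAN side (assumed static): resolving $int_if and $int_if:network at load
# time is fine here.
pass out quick from $int_if to $int_if:network

# Was: pass out quick from $ext_if to any
# Without parentheses pfctl expands $ext_if to sk0's address *when the
# ruleset is loaded*. After a DHCP lease change the new address no longer
# matches, every outbound packet falls through to "block log", and only a
# reload (pfctl -f /etc/pf.conf) picks up the new address. With
# parentheses pf follows the interface's current address.
pass out quick from ($ext_if) to any

#pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port { domain, ntp }
pass in quick on $int_if from $int_if:network to any
```

To see the difference on a running box: `pfctl -nf /etc/pf.conf` checks the syntax without loading, and `pfctl -sr` prints the loaded rules with the unparenthesized form already expanded to a literal address (e.g. `from 192.168.1.x`) while the tracked form still shows `from (sk0)`. If the address in `pfctl -sr` differs from what `ifconfig sk0` reports, the rule is stale in exactly the way described above.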
