
Re: pf "lost" its rules, due to PPPoE address change?



OK, thanks, that should do the job.

But why did it fail open without any rules whatsoever instead of just 
maintaining the old rules? Even though most of the redirects and most 
rules wouldn't have applied, at least "block in all" would have, no? 
Dammit, I wish I had done pfctl -s all to show the rest of the info.

Dirk

On Friday, Feb 7, 2003, at 12:17 Asia/Tokyo, Marco Peereboom wrote:

> Use () around your interfaces. See man pf.conf
>
> Excerpt:
>      Host name resolution and interface to address translation are done
>      at rule set load-time.  When the address of an interface (or host
>      name) changes (by DHCP or PPP, for instance), the rule set must be
>      reloaded for the change to be reflected in the kernel.  Interface
>      names surrounded by parentheses cause an automatic update of the rule
>      whenever the referenced interface changes its address.  Reloading the
>      rule set is not required in this case.
>
> /marco
>
>> -----Original Message-----
>> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]
>> On Behalf Of Dirk Rösler
>> Sent: Thursday, February 06, 2003 21:11
>> To: OpenBSD
>> Subject: pf "lost" its rules, due to PPPoE address change?
>>
>>
>> Hello list,
>>
>> I had a strange glitch occurring on reduced OpenBSD 3.2 (Chris'
>> flashdisk) running on a Soekris board used as a PPPoE router/firewall.
>>
>> I realised that the server behind it normally reachable via rdr wasn't
>> accessible. When ssh'ing into the firewall I realised that no pf rules
>> were loaded (pfctl -s rules = no output).
>>
>> Looking at my dyndns.org records I noticed that the IP address had
>> changed recently. Of course ppp.linkup contains a pfctl reload command,
>> yet the rules weren't in. Nothing's in the logs either (pflog not
>> running BTW).
>>
>> It is probably related to the change of the IP address of the PPPoE
>> session, and it seems that ppp.linkup wasn't triggered at all (dyndns
>> update was done by a cron job it seems). Normally the ppp.linkup stuff
>> always gets executed on a change of IP and a log entry is made; this
>> time it didn't.
>>
>> Any ideas how this can be prevented from happening (apart from
>> reloading pf rules via cron every 5 seconds)?
>>
>> Regards
>>
>> Dirk
>>
>>
>> # cat /etc/ppp/ppp.linkup
>> MYADDR:
>>   ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"
>>   !bg /bin/ez-ipupdate -c /etc/dyndns.conf
>>   !bg /usr/sbin/rdate -n ptbtime1.ptb.de
>>
>> # cat /etc/ppp/ppp.conf
>> default:
>>   set log Phase Chat IPCP CCP tun command Warning Error Alert LQM
>>   set redial random
>>   set reconnect 10 10
>>
>> pppoe:
>>   set device "!/usr/sbin/pppoe -i sis0"
>>   disable acfcomp protocomp
>>   deny acfcomp
>>   set mtu max 1492
>>   set mru max 1492
>>   set speed sync
>>   enable lqr
>>   set lqrperiod 30
>>   set cd 5
>>   set dial
>>   set login
>>   set crtscts off
>>   set timeout 0
>>   set authname 234262466@eac.jpn
>>   set authkey jh756H7f
>>   add! default HISADDR
>>   enable mssfixup
>>   set server /var/run/internet "" 0177
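A more defensive form of the ppp.linkup reload, added here as an example and not taken from the thread: it parses the file first, loads with pfctl -f (which replaces the ruleset and leaves the previous one in place if the load fails, unlike -F all, which empties pf before the new file is even read), and then checks that pfctl -s rules is not empty. The script path /etc/ppp/pf-reload.sh and the PFCTL override are assumptions.

```shell
#!/bin/sh
# /etc/ppp/pf-reload.sh (assumed name): reload pf from ppp.linkup without
# an intermediate flush, so a failed load keeps the old ruleset instead of
# leaving pf enabled with no rules at all (which passes everything).
# PFCTL may be overridden, e.g. to point at a fake binary for testing.
PFCTL="${PFCTL:-/sbin/pfctl}"

log() {
    logger -t pf-reload "$*" 2>/dev/null || echo "pf-reload: $*" >&2
}

# reload_pf RULEFILE
# 1. parse-only check (-n): a broken file is reported, kernel untouched;
# 2. pfctl -f replaces the ruleset in one step, no -F all beforehand;
# 3. -e afterwards in case pf is not enabled yet (error if already on);
# 4. confirm the kernel really holds rules, otherwise log loudly.
reload_pf() {
    rules="$1"
    if ! "$PFCTL" -n -f "$rules" >/dev/null 2>&1; then
        log "syntax check of $rules failed, old ruleset left in place"
        return 1
    fi
    if ! "$PFCTL" -f "$rules" >/dev/null 2>&1; then
        log "loading $rules failed, old ruleset left in place"
        return 1
    fi
    "$PFCTL" -e >/dev/null 2>&1 || true
    if [ -z "$("$PFCTL" -s rules 2>/dev/null)" ]; then
        log "pf has an EMPTY ruleset after reload of $rules"
        return 2
    fi
    log "ruleset $rules loaded"
    return 0
}

# ppp.linkup line:  ! /etc/ppp/pf-reload.sh --reload /etc/pf.conf
case "${1:-}" in
    --reload) reload_pf "${2:-/etc/pf.conf}" ;;
esac
```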