Created attachment 173767
/etc/rc.d/pf: move routing to REQUIRE

When a system with pf_enable="YES" in /etc/rc.conf uses hostnames in /etc/pf.conf, these hostnames cannot be resolved via external nameservers because the default route is not yet set. This results in an empty (all open) ruleset.

Fix: move routing from BEFORE to REQUIRE.

Since r195026 already put netif back to REQUIRE, this change does not affect the issue that the firewall should rather have been set up _before_ any network traffic can occur.

With kind regards,
Robert Schulze
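Two sanity checks for the failure mode described above, written as an added example rather than code from the PR or the FreeBSD tree: the first confirms from an `rcorder` listing that `routing` and `netif` run before `pf`, the second confirms that the ruleset `pfctl -sr` reports is not empty (an empty ruleset passes all traffic). The listings fed to the functions at the bottom are constructed samples; the `--live` mode assumes it runs on a FreeBSD host with `rcorder` and `pfctl` available.

```sh
#!/bin/sh
# Added example (not part of the PR): boot-order and ruleset checks for the
# /etc/rc.d/pf vs. routing dependency discussed in this bug.

# rc_order_ok LISTING
#   LISTING is the output of `rcorder /etc/rc.d/*`, one script path per line.
#   Returns 0 when both 'routing' and 'netif' are ordered before 'pf',
#   1 when the order is wrong or any of the three scripts is missing.
rc_order_ok() {
    printf '%s\n' "$1" | awk '
        { n++; name = $0; sub(".*/", "", name); pos[name] = n }
        END {
            if (!("pf" in pos) || !("routing" in pos) || !("netif" in pos)) exit 1
            if (pos["routing"] < pos["pf"] && pos["netif"] < pos["pf"]) exit 0
            exit 1
        }'
}

# ruleset_loaded RULES
#   RULES is the output of `pfctl -sr`. Returns 0 if at least one non-blank
#   rule line is present, 1 if the ruleset is empty (pf passes everything).
ruleset_loaded() {
    printf '%s' "$1" | grep -q '[^[:space:]]'
}

# Constructed sample listings (not taken from a real system). The first is
# the order produced while /etc/rc.d/pf still had "BEFORE: routing"; the
# second is the order after the change to "REQUIRE: routing".
PRE_FIX_ORDER='/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/routing'

POST_FIX_ORDER='/etc/rc.d/netif
/etc/rc.d/routing
/etc/rc.d/pf'

# Run against the live system when invoked with --live (FreeBSD only).
if [ "${1:-}" = "--live" ]; then
    rc_order_ok "$(rcorder /etc/rc.d/* 2>/dev/null)" \
        || echo "WARNING: /etc/rc.d/pf is ordered before routing/netif"
    ruleset_loaded "$(pfctl -sr 2>/dev/null)" \
        || echo "WARNING: pf ruleset is empty; all traffic is being passed"
fi
```

With no argument the script only defines the functions and sample data, so it can be sourced into a boot-time verification hook; `rc_order_ok "$PRE_FIX_ORDER"` fails and `rc_order_ok "$POST_FIX_ORDER"` succeeds.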
I'm affected by this in 12.1-RELEASE-p10.
A commit references this bug:

Author: kaktus
Date: Thu Oct 8 11:45:11 UTC 2020
New revision: 366537
URL: https://svnweb.freebsd.org/changeset/base/366537

Log:
  [pf] /etc/rc.d/pf should REQUIRE routing

  When a system with pf_enable="YES" in /etc/rc.conf uses hostnames in /etc/pf.conf, these hostnames cannot be resolved via external nameservers because the default route is not yet set. This results in an empty (all open) ruleset.

  Since r195026 already put netif back to REQUIRE, this change does not affect the issue that the firewall should rather have been set up before any network traffic can occur.

  PR:			211928
  Submitted by:		Robert Schulze
  Reported by:		Robert Schulze
  Tested by:		Mateusz Kwiatkowski
  No objections from:	kp
  MFC after:		3 days

Changes:
  head/libexec/rc/rc.d/pf
Still not merged into 12-STABLE. I'll try to get it merged.
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ca80dd4ed3845c0d783e772bf906911b4c23fdc3

commit ca80dd4ed3845c0d783e772bf906911b4c23fdc3
Author:     Pawel Biernacki <kaktus@FreeBSD.org>
AuthorDate: 2020-10-08 11:45:10 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2022-07-26 14:58:47 +0000

  [pf] /etc/rc.d/pf should REQUIRE routing

  When a system with pf_enable="YES" in /etc/rc.conf uses hostnames in /etc/pf.conf, these hostnames cannot be resolved via external nameservers because the default route is not yet set. This results in an empty (all open) ruleset.

  Since r195026 already put netif back to REQUIRE, this change does not affect the issue that the firewall should rather have been set up before any network traffic can occur.

  PR:			211928
  Submitted by:		Robert Schulze
  Reported by:		Robert Schulze
  Tested by:		Mateusz Kwiatkowski
  No objections from:	kp
  MFC after:		3 days

  (cherry picked from commit 9ef917591248e35efea846d0d743b74503387099)

  Approved by:		kp

 libexec/rc/rc.d/pf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
Merged, thanks!