Hi Peter, I've done a bit of homework. The machine is connected to a public static IP via an LTE modem in bridge mode.
To inform pf a bit more, I updated the pf.conf file with the following lines:

pass in on em0 from 41.90.23.0/24 to 41.90.23.240
pass out on em0 from 41.90.23.240 to 41.90.23.0/24

This solves the problem, but I insist on clamping down the machine to the bare minimum of passes, based on the specific services required. Nothing more. I am still looking for an alternative solution that does not involve adding passes.

Thanks.

File update: pf.conf

# External interface
ext_if = "em0"

# Skip filtering on loopback interface
set skip on lo

# Scrub incoming packets for normalization
match in all scrub (no-df)

# Block all incoming connections by default
block all

# Activate spoofing protection for all interfaces
block in quick from urpf-failed

pass in on em0 from 41.90.23.0/24 to 41.90.23.240
pass out on em0 from 41.90.23.240 to 41.90.23.0/24

# Redirect HTTP traffic (servers only)
pass in on $ext_if inet proto tcp \
    to port 80 divert-to 127.0.0.1 port 8080

# Redirect HTTPS traffic (servers only)
pass in on $ext_if inet proto tcp \
    to port 443 divert-to 127.0.0.1 port 8443

# Allow SSH traffic from the development desktop
pass in on $ext_if proto tcp \
    from 41.90.23.240 to $ext_if port ssh modulate state

On Thu, 20 Mar 2025, 11:30 Peter N. M. Hansteen, <pe...@bsdly.net> wrote:

> On Thu, Mar 20, 2025 at 10:23:12AM +0300, Kihaguru Gathura wrote:
> > OpenBSD 7.6: upon restart, pf rules fail to load with the error (no IP address
> > found for em0 /etc/pf.conf:26: could not parse host specification).
> > However, performing "pfctl -nf /etc/pf.conf && pfctl -vf /etc/pf.conf"
> > manually after logging in gets the rules loaded successfully. Also,
> > commenting out lines 25 and 26 gets the file loaded successfully on restart,
> > confirming the error.
> >
> > What are the potential scenarios causing line 26 (from 41.90.23.240 to
> > $ext_if port ssh modulate state) to present itself as a syntax error during
> > restart?
> The message you get indicates that the interface is not fully configured, that
> it does not (yet) have an IP address assigned.
>
> I would look in the direction of whatever it is that does the IP address
> assignment. Is there a problem with slow response from that network's
> DHCP service, for example?
>
> - Peter
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
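An added illustration, not from either poster, of why line 26 fails only at boot and how the same rule can be written without adding passes. When `$ext_if` appears in a host position (`to $ext_if`), pfctl expands it to `em0` and looks up the interface's addresses while the ruleset is being loaded; if em0 has no address yet, that lookup produces the "no IP address found for em0" error. pf.conf(5) lets an interface name be written in parentheses, `($ext_if)`, in which case pf substitutes the interface's current addresses at run time and updates the rule when they change. The macro names, the comments and the side-by-side layout below are mine; the interface and the desktop address are the thread's own.

```pf
# Added example (not the poster's ruleset): the SSH rule from line 25-26,
# in the form that needs em0's address at load time and in the form that
# does not. Macro names are assumptions for this example.
ext_if = "em0"
dev_desktop = "41.90.23.240"   # development desktop, address from the thread

# Load-time form: pfctl resolves em0 to its addresses while parsing the
# file, so this rule cannot load before the interface is configured.
#   pass in on $ext_if proto tcp \
#       from $dev_desktop to $ext_if port ssh modulate state

# Run-time form: ($ext_if) stands for whatever addresses em0 holds when a
# packet is evaluated, so the ruleset loads even if em0 is still unconfigured
# and the rule starts matching once the address is assigned.
pass in on $ext_if proto tcp \
    from $dev_desktop to ($ext_if) port ssh modulate state
```

With the run-time form, `pfctl -nf /etc/pf.conf` succeeds whether or not em0 already has an address, and `pfctl -sr` prints the rule with `(em0)` in place of a literal address. The `on $ext_if` part never needed an address, which is why the divert rules for ports 80 and 443 loaded fine all along; only the host position on line 26 did. The two /24 pass rules added as a workaround are not required for this rule to load, so the ruleset can stay restricted to the services actually exposed.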