On 2025-03-20, Kihaguru Gathura <kihagurugath...@gmail.com> wrote:
>
> OpenBSD 7.6 upon restart, pf rules fail to load with error (no IP address
> found for em0 /etc/pf.conf:26: could not parse host specification).
> However, performing "pfctl -nf /etc/pf.conf && pfctl -vf /etc/pf.conf"
> manually after logging in gets the rules loaded successfully. Also
> commenting out lines 25 and 26 gets the file loaded successfully on restart
> confirming the error
>
> What are the potential scenarios causing the line 26 (from 41.90.23.240 to
> $ext_if port ssh modulate state) to present itself as syntax error during
> restart?
> ext_if = "em0"
...
> pass in on $ext_if proto tcp \
>     from 41.90.23.240 to $ext_if port ssh modulate state

$ext_if translates to "em0"

"em0" in the context of a to/from address translates to "the address/es
currently configured on em0"

during boot, if pf rules are loaded before em0 gets an address, there
are no addresses so the rule is invalid

in this situation, with a dynamic address on an interface, you usually
want to use parentheses "(em0)" so that the address is not looked up
during ruleset load time, but is instead looked up every time the
ruleset is evaluated for a new packet that doesn't match existing state

-- 
Please keep replies on the mailing list.
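An added example, not part of the thread: a small checker that flags `from`/`to` hosts in a pf.conf that name an interface without parentheses, which is the form that fails when the ruleset is loaded before the interface has an address. The function names, the sample ruleset and the interface-name pattern (`em0`, `vio0` and similar) are assumptions made for this illustration, and it only handles single hosts, not `{ ... }` lists.

```python
import re

# Constructed sample: the rule from the thread (bare $ext_if as an address)
# next to the parenthesized form suggested in the reply.
SAMPLE_PF_CONF = '''\
ext_if = "em0"
pass in on $ext_if proto tcp \\
    from 41.90.23.240 to $ext_if port ssh modulate state
pass in on $ext_if proto tcp \\
    from 41.90.23.240 to ($ext_if) port ssh modulate state
'''

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
IFACE_NAME = re.compile(r'^[a-z]+\d+$')  # assumption: names shaped like em0
ADDR_SLOT = re.compile(r'\b(from|to)\s+(!\s*)?(\S+)')


def logical_lines(text):
    """Yield (first_line_number, joined_text), folding backslash continuations."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf


def find_load_time_lookups(text):
    """Return (line_no, keyword, token) for from/to hosts resolved at load time."""
    macros, findings = {}, []
    for no, line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        for kw, _neg, tok in ADDR_SLOT.findall(line):
            if tok.startswith("("):
                continue  # (em0) / ($ext_if): address looked up per packet
            name = macros.get(tok[1:], tok) if tok.startswith("$") else tok
            if IFACE_NAME.match(name):
                findings.append((no, kw, tok))
    return findings
```

The reported line number is the first line of the rule, so a rule split with a backslash is reported one or more lines earlier than the line pfctl names in its error.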