PF hostname resolution bug with unbound_local

patpro

patpro

I run a FreeBSD 10.3-RELEASE-p14 server with a PF firewall. Few days ago I've activated the local unbound server for caching purposes.

My pf rules have been created few years ago and work well. They include some persistent table definitions with either IP addresses or hostname or both:

Code: 
table <admin_nets> persist { ... }
table <webspam> persist file "/etc/pf.liste_ip_webspam"
table <mysql_servers> persist { ... }
...


After setting local_unbound_enable to YES in rc.conf, I didn't notice immediately that pf could no longer parse pf.conf:

Code: 
# pfctl -f /etc/pf.conf
no IP address found for host.example.net
/etc/pf.conf:8: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

Very weird.
My resolv.conf is:

Code: 
search example.net
nameserver 127.0.0.1
options edns0

And command line host resolution worked great (or in any other software in fact).
I've switched back to my previous DNS IPs:

Code: 
search example.net
nameserver IP1.FOR.MY.DNS
nameserver IP2.FOR.MY.DNS

And suddenly pfctl was happy again loading my original pf.conf file:

Code: 
# pfctl -f /etc/pf.conf 
(no error)


I think I've hit a bug, but I'm not certain. Any comment?
 
Not a bug, just an order issue. PF can't resolve the hostname because unbound isn't started yet. I suggest not using hostnames in the firewall rules.
 
Nope. I'm talking about a fully started OS, unbound is already running (if fact I never rebooted since I've activated the local unbound). As I wrote, host resolution works OK (curl, ping, host, dig…) but when trying to reload pf rules, pfctl fails if resolv.conf uses the local unbound.
 
Looking at the error again, the "no IP address found" appears to be a red herring. What's line 8 in /etc/pf.conf? Looks like there's a syntax error there.
 
Nope, no error, it works perfectly when unbound is not my resolver. As I wrote in my 1st post it's been working for years. Line 8 is a table like those shown as example, including IP addresses and domain name, like for example:

Code: 
table <ldapservers> persist { ldap.example.net 192.168.0.15 ldap2.example.net }

if unbound is my local resolver, host resolution works great everywhere except in pf.
pfctl fails to load pf.conf because it pretends beeing unable to resolve ldap.example.net.

if a change my resolv.conf to use external DNS (those used as forwarders in my unbound config), pfctl properly load the same pf.conf file.
 
You must log in or register to reply here.
Back
Top