On 6/4/07, Volker <[EMAIL PROTECTED]> wrote:
> without seeing your pf.conf ruleset,

happy to send/post if required/helpful ...

> I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).

you're absolutely correct here.

> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded.

clear.

> As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.

aha. does that suggest that i'm simply not waiting long enough?  your
following comments suggest otherwise, iiuc, that i need to proactively
_do_ something different ...

> The solution is to either have pf rules loaded late (later than ppp is
> started)

clearly, simply including pf-related items in rc.conf after
pppoe-related items is not sufficient.

i'll take a look at "rcorder" ... which i wasn't aware of at all.  thanks!

> or use anchors and load ext rules into the anchor when the
> ppp interface is up.

i hadn't thought of using anchors in this fashion.

i'm off to google, but any good examples you can reference?

> The easier is to have the rules loading late
> (check using rcorder) but this may also fail if something goes wrong
> with ppp.

i /thought/ i'd dealt with the intfc/ppp/pf ordering issue, configuring,

cat /etc/ppp/ppp.linkup
        ------------------------------------
        ppp1:
                ! sh -c "/sbin/pfctl -ef /usr/local/etc/pf/pf.conf"
                !bg sh -c "echo `/bin/date` `/etc/bin/ip` ppp.linkup >> /etc/ppp/log"
        ------------------------------------

cat /etc/ppp/ppp.linkdown
        ------------------------------------
        ppp1:
                !bg route delete HISADDR ppp1
                !bg pfctl -F all -d
        ------------------------------------

cat /etc/ppp/ppp.conf
        ------------------------------------
        default:
                set device PPPoE:sis1:
                set speed sync
                set ctsrts off
                set dial
                set login
                set cd 10
                set timeout 0
                set redial 0 0
                enable lqr
                set lqrperiod 20
                set log Phase tun command
        
                add default HISADDR
                enable tcpmssfixup
                disable dns
        
        ppp1:
                set authname [EMAIL PROTECTED]
                set authkey  ############
                set MRU 1492
                set MTU 1492
        ------------------------------------

are these NOT supposed to address/solve the problem? or are the configs wrong?

Mikhail Goriachev <[EMAIL PROTECTED]>
> Just a shot in the dark. You are probably putting hostnames in your
> pf.conf instead of IPs. PF starts before Bind. So it can't resolve
> hostnames in the rules and hence doesn't start.

heh.  a good call, but, i'd already made THAT mistake a month or so ago. ;-)

thanks though!
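The anchor approach Volker describes, as an added example that is not from the original thread: the main ruleset is loaded at boot without naming tun0, and ppp.linkup/ppp.linkdown fill and flush an anchor once the interface actually exists, so pf no longer has to be started from ppp with -e. The anchor name "ppp_ext", the file /usr/local/etc/pf/pf.ppp_ext.conf, the LAN interface sis0 and the pass rules are assumptions for illustration.

```conf
# /usr/local/etc/pf/pf.conf  -- loaded by rc.d/pf at boot; must not reference tun0
int_if = "sis0"                  # assumed LAN interface, not from the thread
set skip on lo0
block in log all
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if keep state
# everything for the PPPoE link lives here; the anchor stays empty until
# ppp.linkup fills it, so this file parses even before tun0 exists
anchor "ppp_ext"

# /usr/local/etc/pf/pf.ppp_ext.conf  -- loaded into the anchor by ppp.linkup
ext_if = "tun0"
# ($ext_if) in parentheses makes pf re-read the interface address at run time,
# which matters because the PPPoE address changes on every redial
pass out on $ext_if from ($ext_if) to any keep state
block in log on $ext_if all

# /etc/ppp/ppp.linkup  -- replaces the "pfctl -ef" line from the original config
ppp1:
        ! sh -c "/sbin/pfctl -a ppp_ext -f /usr/local/etc/pf/pf.ppp_ext.conf"

# /etc/ppp/ppp.linkdown  -- flush only the anchor, leave the boot-time rules in place
ppp1:
        !bg route delete HISADDR ppp1
        !bg /sbin/pfctl -a ppp_ext -F rules
```

Keep pf_enable="YES" in rc.conf so the main ruleset is loaded at boot; `pfctl -sr -a ppp_ext` after the link comes up shows whether the anchor was populated.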
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf