On Fri, 25 Feb 2011 17:31, freebsd@ wrote:
On Fri, Feb 25, 2011 at 10:23:58PM +0000, Vincent Hoffman wrote:
On 25/02/2011 17:35, Josh Carroll wrote:
Hi All,
Just upgraded my home machine to 8.2-RELEASE via
freebsd-update remotely (spare time at work.) and on reboot my pf
ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
does start it fine though. Any suggestions on debugging or shall I just
try a verbose boot and watch the console when I get home?
I still have
pf_enable="YES" # Set to YES to enable packet filter (pf)
pflog_enable="YES" # Set to YES to enable packet filter logging
in /etc/rc.conf
Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
ifconfig_<ifacename>="DHCP"
to
ifconfig_<ifacename>="SYNCDHCP"
It's possible the network hasn't come up properly yet or there is no
IP assigned.
Failing that, you can set:
rc_debug="YES"
in rc.conf then watch at boot time if there are any odd messages when
it attempts to start pf.
It turns out that it's sort of related to this. I have an IPv6 tunnel
from H.E. (tunnelbroker.net) and from looking at the boot output, it
looks like the IPv6 addresses (for any of my interfaces) aren't applied
until after pf starts. I'd say this is a bug. Oddly, this didn't happen
for the release candidate I tried, although I think I may have modified
my rules and not rebooted until I upgraded.
The rules in question are:
pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
and
pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
(ext_if = "ue0")
I'll try changing $ext_if to the ipv6 address and see if that helps.
Please look at pf.conf(5) and search for the word "parentheses" (should
be under the "from x to x" section). This might resolve your problem.
Adding to this, and as someone else has already advised in a different way:
using synchronous_dhclient="YES" in rc.conf(5) will most likely result
in your rules loading properly.
--
jhell
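
An added example, not part of the thread: a small lint that flags rules using an interface macro as a `from`/`to` address without the parentheses pf.conf(5) describes, since such a rule needs the interface to already hold an address of that family when the ruleset is loaded at boot. The function names, the `_if` macro naming convention it relies on, and the sample values (`gif0`, the service lists, the `sf_tcp` options) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags pf.conf rules that use an
# interface macro as a from/to address without parentheses.
# Assumption: interface macros end in "_if" (ext_if, gif_if), as in the thread.
# Limitation: one rule per line; backslash-continued rules are not joined.

find_static_if_addrs() {
    # $1 = path to a pf.conf; prints "lineno: rule" for each match
    awk '
        /^[[:space:]]*#/ { next }    # skip comment lines
        {
            for (i = 1; i < NF; i++)
                if (($i == "from" || $i == "to") &&
                    $(i + 1) ~ /^\$[A-Za-z0-9_]*_if$/) {
                    print NR ": " $0
                    break
                }
        }
    ' "$1"
}

write_sample() {
    # $1 = output path. Constructed sample: line 6 is the thread's UDP rule
    # as posted, line 7 is the TCP rule with the interface in parentheses so
    # pf tracks the interface's addresses instead of resolving them at load.
    cat > "$1" <<'EOF'
ext_if = "ue0"
gif_if = "gif0"
udp_services = "{ domain }"
tcp_services = "{ ssh }"
sf_tcp = "flags S/SA keep state"
pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp
EOF
}

# Usage: find_static_if_addrs /etc/pf.conf
```

A rule it flags is not necessarily wrong on an interface with a static address; the check only points at rules worth reviewing when addresses arrive late in the boot sequence.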