PF rules not loading
Henrik Hudson
lists at rhavenn.net
Fri Sep 4 20:52:22 UTC 2009
On Fri, 04 Sep 2009, Henrik Hudson wrote:
> On Fri, 04 Sep 2009, Collin Kreklow wrote:
>
> > On Fri, Sep 04, 2009 at 08:59:30AM -0800, Henrik Hudson wrote:
> > > Hey List,
> > >
> > > I just finished supping to 8-BETA3 and after a reboot I noticed
> > > that my PF rules weren't loading and hence NAT wasn't working for
> > > internal clients, not to mention no firewall :)
> > >
> > > This might not be specific to BETA3, but it's the first time I
> > > noticed it concretely. I did have a power outage last week where
> > > after a poweron I had to run pfctl -f /etc/pf.conf to get NAT working
> > > again. This was under BETA2.
> >
> > At the time when the pf script runs during boot, all the network
> > interfaces may not be fully configured. It is likely that your pf.conf
> > includes rules that pf can't calculate because one or more network
> > interfaces are not yet configured. I had to change my pf.conf to
> > hard-code the IP ranges instead of using :network to get my rules to
> > load on boot. Also make sure your script is using (xl0) where
> > appropriate.
>
> It's possible. However, I'm pretty sure the ruleset worked correctly
> on the initial install and it's a ruleset I've used on plenty of
> different gateway servers with a similar hardware setup.
>
> However, I did just finish building another 8-BETA3 x64 box and it
> works fine, so maybe something fluky is going on with the server
> crash due to the power outage.
>
> I will investigate further. Thanks.
*ding* *ding* we have a winner. I had added a rule which required a
DNS lookup for port forwarding in torrent traffic to an internal
host.
Thanks.
Henrik
--
Henrik Hudson
lists at rhavenn.net
-----------------------------------------
"God, root, what is difference?" Pitr; UF
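The failure mode discussed in this thread (a rule that needs a DNS lookup, or an interface address that does not exist yet, makes pfctl reject the whole ruleset at boot, so NAT and the filter are silently absent) as an added pf.conf example. This is not Henrik's ruleset or anything posted in the thread; the interface names xl0/xl1, the hostname torrentbox.lan, the port 6881 and the 192.168.1.0/24 addresses are assumptions chosen for illustration.

```pf
ext_if = "xl0"
int_if = "xl1"

# Hard-coded, as suggested in the thread: $int_if:network would have to be
# computed from the interface's address at load time, which fails if the
# interface is not yet configured when /etc/rc.d/pf runs.
int_net = "192.168.1.0/24"

# BROKEN AT BOOT (kept commented out): the hostname on the right-hand side
# forces a DNS lookup while the ruleset is being parsed. With no resolver
# reachable yet, pfctl aborts and nothing below this line is loaded either.
# rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> torrentbox.lan

# FIX: a literal address in a macro. pf resolves hostnames only once, when the
# ruleset is loaded, so a hostname buys nothing here even when DNS is up.
torrent_host = "192.168.1.20"

# ($ext_if) in parentheses: the address is read from the interface each time
# the rule is evaluated, not when the ruleset is loaded, so the rule does not
# depend on xl0 having its address yet.
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> $torrent_host

block in all
pass out quick on $ext_if keep state
pass in on $int_if from $int_net to any keep state
# rdr has already rewritten the destination when filtering happens,
# so the pass rule matches the internal host, not the external address.
pass in on $ext_if proto tcp from any to $torrent_host port 6881 keep state
```

Before rebooting, check that the ruleset parses without loading it: `pfctl -nf /etc/pf.conf`. Run it once with the resolver disabled (or with the hostname rule uncommented and /etc/resolv.conf temporarily empty) to reproduce the boot-time condition rather than the one you see on a fully configured machine; a ruleset that only loads when DNS is reachable is exactly what the thread tripped over.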