New pf install on FreeBSD 7 seems to be a slow starter.

Leslie Jensen leslie at eskk.nu
Wed Jul 9 18:55:38 UTC 2008


Hello

When I boot the machine where pf is installed, everything I can see
looks ok. It's hard to read the text scrolling on the screen and the
information concerning pf is not to be found in /var/log/messages.

Anyway I have one PC on the inside and it takes some time before it's
able to reach the outside world.

I can speed up the process by making a change to pf.conf and then use
the command pfctl -f /etc/pf.conf.

Another thing I see is that for example I add log (all) to one of my
filters and do pfctl -f /etc/pf.conf, then later I remove it again and
do pfctl -f /etc/pf.conf. The output from tcpdump -n -e -ttt -i pflog0
still shows packets as if it had not refreshed and still had the "log
(all)" active.

I know my problem is a little bit unclear but I hope someone will help
me solve this behaviour in the right way.

Thanks

/Leslie



----------- My pf.conf --------------------
# macros
int_if="xl0"
ext_if="bfe0"

tcp_services="{ 22 }"
tcp_priv_services="{ 389, 443 }"
icmp_types="echoreq"

# tables
table <goodguys> { something.somewhere.com, somethingelse.somewhere.com,
xxx.yyy.zzz.qqq }

# options
set block-policy return
set loginterface $ext_if

set skip on lo0

# scrub
scrub in

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log (all) on $ext_if

pass out keep state

# Let the goodguys access the machine from the outside
pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
port $tcp_services flags S/SA keep state

# ICMP traffic needs to be passed:
pass inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in quick on $int_if
--------------------------------------------
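The following small lint script is an added example and is not part of the original post or of pf itself. It reads a pf.conf (a constructed copy of the posted file is embedded as SAMPLE_PF_CONF), joins backslash continuations and brace lists that span lines, reports macros that are defined but never referenced (tcp_priv_services in the posted file), and lists the filter rules that carry "log (all)" with their macros expanded, which is the first thing to check when pflog0 keeps showing traffic after a reload.

```python
"""Tiny pf.conf lint: unused macros and rules that log every packet.

Added example for the mailing-list thread; not pf's own tooling.
Only the subset of pf.conf syntax used in the posted file is handled.
"""
import re

# Constructed copy of the poster's pf.conf (placeholder hostnames kept as posted).
SAMPLE_PF_CONF = r"""
# macros
int_if="xl0"
ext_if="bfe0"

tcp_services="{ 22 }"
tcp_priv_services="{ 389, 443 }"
icmp_types="echoreq"

# tables
table <goodguys> { something.somewhere.com, somethingelse.somewhere.com,
xxx.yyy.zzz.qqq }

# options
set block-policy return
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log (all) on $ext_if
pass out keep state
pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
port $tcp_services flags S/SA keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
"""

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')
MACRO_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
LOG_ALL = re.compile(r"\blog\s*\(\s*all\s*\)")


def logical_lines(text):
    """Yield one logical line per rule: comments stripped, backslash
    continuations joined, and brace lists that span lines joined."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() and not buf:
            continue
        if line.endswith("\\"):            # explicit continuation
            buf += line[:-1] + " "
            continue
        buf += line
        depth += line.count("{") - line.count("}")
        if depth > 0:                      # still inside a { ... } list
            buf += " "
            continue
        depth = 0
        joined = " ".join(buf.split())
        buf = ""
        if joined:
            yield joined


def parse_macros(text):
    """Return {name: value} for every name="value" macro definition."""
    macros = {}
    for ln in logical_lines(text):
        m = MACRO_DEF.match(ln)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def find_unused_macros(text):
    """Macros defined but never expanded anywhere (rules or other macros)."""
    macros = parse_macros(text)
    used = set()
    for ln in logical_lines(text):
        used.update(MACRO_REF.findall(ln))
    return sorted(name for name in macros if name not in used)


def expand_macros(line, macros):
    """Replace $name with its value; unknown names are left untouched."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), line)


def rules_with_log_all(text):
    """Filter rules (pass/block/match) that log every matching packet,
    returned with macros expanded so the interface name is visible."""
    macros = parse_macros(text)
    return [expand_macros(ln, macros) for ln in logical_lines(text)
            if ln.split()[0] in ("pass", "block", "match") and LOG_ALL.search(ln)]


if __name__ == "__main__":
    print("unused macros:", find_unused_macros(SAMPLE_PF_CONF))
    for rule in rules_with_log_all(SAMPLE_PF_CONF):
        print("logs every packet:", rule)
```

Run it against the real file with a small change to the bottom of the script (read /etc/pf.conf instead of the embedded sample); pfctl -nf /etc/pf.conf remains the authoritative syntax check. Note that pf keeps the log flag in each state entry, so states created while a rule carried "log (all)" keep logging after pfctl -f until they expire; pfctl -F states clears them if you need the change to take effect immediately.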


