pf/ppp timing problem at startup

cpghost cpghost at cordula.ws
Wed Feb 14 06:25:15 UTC 2007 

On Wed, Feb 14, 2007 at 02:59:18AM +0000, RW wrote:
> On Wed, 14 Feb 2007 03:14:50 +0100
> cpghost <cpghost at cordula.ws> wrote:
> 
> > I'm using ADSL to connect (using a static IP), and ppp(1)
> > needs some time (a few seconds) to initialize and configure
> > the tun(4) device. Parallel to this, pf(4) starts immediately,
> > and doesn't recognize ext_if (tun0), which is not yet ready.
> > As a result of this, pf shuts down again and there's no firewall.
> > 
> >...
> > Perhaps there's also some pf setting that would dynamically adjust
> > to tun0 once it appears?
> 
> 
> I don't know the answer, but I suspect that you are asking the wrong
> question. Your setup is a very common one, so it seems a bit unlikely
> any special bodging is required (and that no-one is complaining about
> it). The ppp startup script is supposed to resync pf after starting
> ppp. 
> 
> I'm wondering if there is anything unusual in you ppp.conf or  rc.conf
> entries.

There shouldn't be. Here there are. It's on a:

  FreeBSD 6.2-STABLE FreeBSD 6.2-STABLE #0: Tue Jan 16 14:45:10 CET 2007

/etc/ppp/ppp.conf:
------------------

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

fw-9703:
  set device PPPoE:sis0
  set MTU 1460
  set MRU 1460
  set dial
  set crtscts off
  set speed sync
  disable lqr
  set echoperiod 30
  enable echo
  disable deflate
  disable pred1
  disable vjcomp
  disable acfcomp
  disable protocomp
  set log Phase LCP IPCP CCP Warning Error Alert
  set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
  set login
  set authname XXXXXXXXXXXXXXXXXX
  set authkey XXXXXXXXXXX
  set timeout 0
  add default HISADDR
  set server /var/run/internet "" 0177

/etc/rc.conf:
-------------

hostname="XXXXXXXXXXXXXXXXX"
gateway_enable="YES"
ifconfig_sis0="inet 10.10.0.1 mtu 1460 netmask 255.255.255.0"
ifconfig_sis1="inet 192.168.254.1 mtu 1460 netmask 255.255.255.0"
gbde_swap_enable="YES"
ppp_enable="YES"
ppp_profile="fw-9703"
ppp_user="root"
ppp_mode="ddial"
ppp_nat="YES"
named_enable="YES"
# named_flags="-u bind -g bind -t /etc/namedb/s"
sshd_enable="YES"
sendmail_enable="NONE"
postfix_enable="YES"
syslogd_flags="-ss -l /var/db/thttpd/dev/log"
saslauthd_enable="YES"
cyrus_imapd_enable="YES"
pf_enable="YES"
pf_flags="-f /etc/pf.conf"
pflog_enable="YES"
postgrey_enable="YES"
lighttpd_enable="YES"
lighttpd2_enable="YES"
lighttpd2_conf="/usr/local/etc/lighttpd2.conf"

/etc/pf.conf:
-------------

ext_if="tun0"
internal_net="192.168.254.0/24"
tcp_services="{ 25, 80, XXXXXXXXXXXX }"
icmp_types="echoreq"
table <badhosts> persist { XXXXXXXXXXXXXXXX }

set block-policy drop
set loginterface $ext_if
scrub in all

# NAT stuff clipped 
# rdr pass on $ext_if proto tcp from any to any port XXXX
#     -> N.N.N.N port YYYY

block in log on $ext_if all
pass  in on $ext_if inet proto tcp from any to $ext_if port $tcp_services
      flags S/SA keep state
# pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy
#       flags S/SA keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# More rules clipped

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/

More information about the freebsd-questions mailing list