fbsd 6.2 pf starts -- but not on boot

snowcrash+freebsd schneecrash+freebsd at gmail.com
Mon Jun 4 22:37:26 UTC 2007


On 6/4/07, Volker <volker at vwsoft.com> wrote:
> without seeing your pf.conf ruleset,

happy to send/post if required/helpful ...

> I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).

you're absolutely correct here.

> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded.

clear.

> As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.

aha. does that suggest that i'm simply not waiting long enough?  your
following comments suggest otherwise, iiuc, that i need to proactively
_do_ something different ...

> The solution is to either have pf rules loaded late (later than ppp is
> started)

clearly, simply including pf-related items in rc.conf after
pppoe-related items is not sufficient.

i'll take a look at "rcorder" ... which i wasn't aware of at all.  thanks!

> or use anchors and load ext rules into the anchor when the
> ppp interface is up.

i hadn't thought of using anchors in this fashion.

i'm off to google, but any good examples you can reference?

> The easier is to have the rules loading late
> (check using rcorder) but this may also fail if something goes wrong
> with ppp.

i /thought/ i'd dealt with the intfc/ppp/pf ordering issue, configuring,

cat /etc/ppp/ppp.linkup
	------------------------------------
	ppp1:
		! sh -c "/sbin/pfctl -ef /usr/local/etc/pf/pf.conf"
		!bg sh -c "echo `/bin/date` `/etc/bin/ip` ppp.linkup >> /etc/ppp/log"
	------------------------------------

cat /etc/ppp/ppp.linkdown
	------------------------------------
	ppp1:
		!bg route delete HISADDR ppp1
		!bg pfctl -F all -d
	------------------------------------

cat /etc/ppp/ppp.conf
	------------------------------------
	default:
		set device PPPoE:sis1:
		set speed sync
		set ctsrts off
		set dial
		set login
		set cd 10
		set timeout 0
		set redial 0 0
		enable lqr
		set lqrperiod 20
		set log Phase tun command
	
		add default HISADDR
		enable tcpmssfixup
		disable dns
	
	ppp1:
		set authname me at myisp.com
		set authkey  ############
		set MRU 1492
		set MTU 1492
	------------------------------------

are these NOT supposed to address/solve the problem? or are the configs wrong?

Mikhail Goriachev <mikhailg at webanoide.org>
> Just a shot in the dark. You are probably putting hostnames in your
> pf.conf instead of IPs. PF starts before Bind. So it can't resolve
> hostnames in the rules and hence doesn't start.

heh.  a good call, but, i'd already made THAT mistake a month or so ago. ;-)

thanks though!
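The anchor approach Volker mentions, worked through as an added example (not from the thread or from FreeBSD itself): the boot-time pf.conf holds only interface-independent rules plus `anchor "ext"`, and this hypothetical hook script, called from ppp.linkup/ppp.linkdown, fills or flushes that anchor once the tun device actually exists. Paths, the anchor name and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example: load the tun-dependent pf rules into an anchor from ppp's
# link-up hook, so the boot-time ruleset never references an interface that
# does not exist yet.
#
# Assumed (hypothetical) layout:
#   /usr/local/etc/pf/pf.conf     boot ruleset, loaded by rc; contains
#                                 interface-free rules and:  anchor "ext"
#   /usr/local/etc/ppp/pf-ext.sh  this script
#   /etc/ppp/ppp.linkup           ppp1:
#                                   !bg /usr/local/etc/ppp/pf-ext.sh up INTERFACE
#   /etc/ppp/ppp.linkdown         ppp1:
#                                   !bg /usr/local/etc/ppp/pf-ext.sh down
# ppp(8) substitutes INTERFACE with the tun device name (e.g. tun0).

PFCTL=${PFCTL:-/sbin/pfctl}   # overridable so the logic can be exercised without pf
ANCHOR=ext

# Emit the rules that depend on the PPPoE interface. Writing the address as
# "(tun0)" makes pf resolve it at packet time, so the rules survive a re-dial
# that hands out a new address. "keep state" is explicit: it is not the
# default in the pf shipped with FreeBSD 6.x.
ext_rules() {
    ext_if=$1
    printf '%s\n' \
        "block in log on $ext_if all" \
        "pass out on $ext_if inet from ($ext_if) to any keep state" \
        "pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state"
}

# Load the generated rules into the anchor; pfctl reads a ruleset from stdin
# when given "-f -". The main ruleset and its anchor reference are untouched.
load_ext() {
    ext_rules "$1" | "$PFCTL" -a "$ANCHOR" -f -
}

# Drop only the anchor's rules when the link goes down; everything loaded at
# boot stays in place (unlike "pfctl -F all -d", which disables pf entirely).
flush_ext() {
    "$PFCTL" -a "$ANCHOR" -F rules
}

case $1 in
    up)   load_ext "$2" ;;
    down) flush_ext ;;
esac
```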
