8.2-RELEASE pf rules not loading
Jeremy Chadwick
freebsd at jdc.parodius.com
Fri Feb 25 22:31:22 UTC 2011
On Fri, Feb 25, 2011 at 10:23:58PM +0000, Vincent Hoffman wrote:
> On 25/02/2011 17:35, Josh Carroll wrote:
> >> Hi All,
> >> Just upgraded my home machine to 8.2-RELEASE via
> >> freebsd-update remotely (spare time at work) and on reboot my pf
> >> ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
> >> does start it fine though. Any suggestions on debugging, or shall I just
> >> try a verbose boot and watch the console when I get home?
> >> I still have
> >>
> >> pf_enable="YES" # Set to YES to enable packet filter (pf)
> >> pflog_enable="YES" # Set to YES to enable packet filter
> >> logging
> >>
> >> in /etc/rc.conf
> > Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
> >
> > ifconfig_<ifacename>="DHCP"
> >
> > to
> >
> > ifconfig_<ifacename>="SYNCDHCP"
> >
> > It's possible the network hasn't come up properly yet or there is no
> > IP assigned.
> >
> > Failing that, you can set:
> >
> > rc_debug="YES"
> >
> > in rc.conf then watch at boot time if there are any odd messages when
> > it attempts to start pf.
> >
> It turns out that it's sort of related to this. I have an IPv6 tunnel
> from H.E. (tunnelbroker.net) and from looking at the boot output, it
> looks like the IPv6 addresses (for any of my interfaces) aren't applied
> until after pf starts. I'd say this is a bug. Oddly this didn't happen
> for the release candidate I tried, although I think I may have modified
> my rules and not rebooted until I upgraded.
> The rules in question are:
>
> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
> and
> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
> (ext_if = "ue0")
>
> I'll try changing $ext_if to the ipv6 address and see if that helps.
Please look at pf.conf(5) and search for the word "parentheses" (it should
be under the "from x to x" section). This might resolve your problem.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP 4BD6C0CB |
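The pf.conf(5) behaviour Jeremy points at, shown against the two rules from the thread; this is an added example, not part of the original mail, and it assumes the gif interface is gif0 and that $udp_services, $tcp_services and $sf_tcp are defined earlier in the poster's ruleset.

```pf
# Added example, not from the thread. Macro from the poster's mail:
ext_if = "ue0"
# Assumed name of the tunnelbroker gif(4) tunnel interface:
gif_if = "gif0"

# Fragile form (the poster's rules): $ext_if is expanded to the addresses
# ue0 holds at the moment the ruleset is loaded. If the IPv6 address is
# assigned after pf starts, that expansion is done against an interface
# that has no IPv6 address yet.
# pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
# pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

# Robust form: an interface name in parentheses is re-resolved by pf
# whenever the interface's addresses change (pf.conf(5), "from x to x"),
# so the rule follows the address that arrives later in the boot.
# ($ext_if) expands to (ue0); with the inet6 keyword only ue0's IPv6
# addresses are matched.
pass in quick on $gif_if inet6 proto udp to ($ext_if) port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp
```

After editing, `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches macro and syntax mistakes before the next reboot.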