pf fails to start

Max Laier max at love2party.net
Thu Sep 7 08:44:06 PDT 2006


On Thursday 07 September 2006 15:00, KES wrote:
> pf fails to start if interface doesn't exist or IP address not assigned

There are a couple of gotchas in this area, but most of them can be worked 
around.

1) "set loginterface tun0"
Generally, there is no need for "set loginterface" anymore as we collect 
statistics for all interfaces by default. (see "pfctl -vvvs Interfaces").

2) "altq on tun0 ..."
This one can't be worked around directly due to the way ALTQ is 
implemented, but see below.

3) "... from tun0 ..." or "... to tun0 ..." in filter rules, "-> tun0" in 
nat rules
This can easily be solved by using "(tun0)" in these rules.  This assures 
two things: firstly, it allows the rule to be loaded w/o tun0 existing; 
secondly, it tracks address changes on the interface.  Note that due to 
some unclear ppp bug it might be necessary to use "(tun0:0)" instead.

A general solution for ppp devices is the use of the "ppp.linkup" script.  
All ppp clients I'm aware of support it in one way or another.  This 
script is executed just after the link is up and IP addresses are 
configured - usually before data is accepted from the device.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
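As an added illustration, not part of Max's reply, here is a constructed pf.conf fragment that applies points 1 and 3 above to a ppp tun0 interface and leaves the ALTQ rule as the one piece that still needs the interface to exist; the addresses, queues and rules are made up for the example:

```pf
# Constructed example pf.conf for a ppp box where tun0 may not exist at boot.
ext_if = "tun0"

# (1) No "set loginterface tun0": per-interface counters are kept for every
#     interface anyway (see "pfctl -vvvs Interfaces").

# (2) ALTQ must be attached to a real interface, so this block still fails
#     to load while tun0 is absent. Keep it here and reload the rule set
#     from ppp.linkup once the link is up.
altq on $ext_if cbq bandwidth 512Kb queue { std, ssh }
queue std bandwidth 90% cbq(default)
queue ssh bandwidth 10% priority 4

# (3) Parentheses make pf look up the interface address when the rule is
#     evaluated, so these load without tun0 and follow address changes.
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
block in on $ext_if all
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
pass out on $ext_if from ($ext_if) to any keep state
# If the ppp quirk mentioned above bites, use ($ext_if:0) to take only the
# interface's first address.
```

For user-ppp, a `MYADDR:` entry in /etc/ppp/ppp.linkup containing `!bg pfctl -f /etc/pf.conf` reloads the rule set as soon as the address is assigned (the label and `!bg` syntax are from ppp(8), not from the post).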