pf rules not being loaded during boot on 7.1-PRERELEASE

Volker volker at vwsoft.com
Fri Oct 3 23:05:42 UTC 2008


On 10/04/08 00:05, Bruce Cran wrote:
> On Fri, 3 Oct 2008 04:38:24 -0700
> Jeremy Chadwick <koitsu at FreeBSD.org> wrote:
>> I've figured out what the problem is.  This is not good, and is
>> guaranteed to bite other people.  I'd like to believe this is an
>> rc-related problem, but I'm not sure how to fix it.
>>
>> The problem in my case:
>>
>> The physical interfaces were brought online, but were still
>> technically offline (the switch and NIC PHY were taking some time to
>> negotiate speed and duplex).  Boot messages:
>>
> 
> My box is headless so I didn't see the startup messages until I
> attached a serial cable.  It's a similar problem in my case, but caused
> because I'm firewalling an ADSL connection which uses PPP, and pf is
> being enabled before PPP has configured tun0:
> 
> Setting hostname: router.draftnet.
> vr0: link state changed to DOWN
> dc0: link state changed to UP
> dc3: link state changed to UP
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> 	inet6 ::1 prefixlen 128 
> 	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 
> 	inet 127.0.0.1 netmask 0xff000000 
> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
> 1500 options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
> 	ether 00:40:63:e3:d1:b7
> 	inet6 XXXXXXXXXX%vr0 prefixlen 64 tentative
> scopeid 0x1 inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXXX
> 	media: Ethernet autoselect (none)
> 	status: no carrier
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
> 1500 options=8<VLAN_MTU>
> 	ether 00:80:c8:c9:96:6d
> 	inet6 XXXXXXXXX%dc0 prefixlen 64 tentative
> scopeid 0x2 inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX
> 	media: Ethernet autoselect (100baseTX <full-duplex>)
> 	status: active
> dc3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
> 1500 options=8<VLAN_MTU>
> 	ether 00:80:c8:c9:96:70
> 	inet6 XXXXXXXXX%dc3 prefixlen 64 tentative
> scopeid 0x5 inet XXXXXXXXX netmask 0xffffff00 broadcast XXXXXXXXX
> 	media: Ethernet autoselect (100baseTX <full-duplex>)
> 	status: active
> Enabling pf.
> no IP address found for tun0
> /etc/pf.conf:45: could not parse host specification
> pfctl: Syntax error in config file: pf rules not loaded
> pf enabled
> Starting PPP profile: demonLoading /lib/libalias_cuseeme.so
> Loading /lib/libalias_ftp.so
> Loading /lib/libalias_irc.so
> Loading /lib/libalias_nbt.so
> Loading /lib/libalias_pptp.so
> Loading /lib/libalias_skinny.so
> Loading /lib/libalias_smedia.so
> k.
> no IP address found for tun0
> /etc/pf.conf:45: could not parse host specification
> pfctl: Syntax error in config file: pf rules not loaded
> add net default: gateway tun0
> Additional routing options: IP gateway=YES.
> add net ::ffff:0.0.0.0: gateway ::1
> add net ::0.0.0.0: gateway ::1
> net.inet6.ip6.forwarding: 0 -> 1
> net.inet6.ip6.accept_rtadv: 0 -> 0
> 
> dc2: link state changed to DOWN
> 
> The messages following "link state changed to DOWN" indicate that all
> the interfaces are now properly configured with IP addresses, including
> the external ADSL tun0 and IPv6 gif0 interfaces.
> 

Bruce,

looking into my crystal ball... ;)

You seem to have a rule like:

pass ... on tun0 from any to tun0 ...

If you change that into:

pass ... on tun0 from any to (tun0) ...

pf will happily parse your rules and activate your firewall even while
tun0 does not yet have an IP address. You may also try using rules that
name an interface family instead of a single interface.

Other than that suggestion, I may be able to help you if you send me your
rules (private mail is OK with me).

Volker
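The following is an added example, not Bruce's or Volker's actual /etc/pf.conf, showing the load-time form that fails in the boot log above beside the run-time form Volker suggests. The macro names, the dc0 internal interface and the ssh port are assumptions for illustration.

```pf
# Added example; interface names, macros and port are assumptions.
ext_if = "tun0"
int_if = "dc0"

# Fail closed while the rule set is being replaced: anything not
# explicitly passed below is dropped.
block all

# Load-time resolution: pfctl looks up tun0's address while parsing the
# file. At boot, before ppp has configured the link, tun0 has no address,
# so pfctl aborts with "no IP address found for tun0" and loads nothing.
#pass in on $ext_if proto tcp from any to $ext_if port ssh

# Run-time resolution: the parentheses tell pf to track the interface's
# address(es) and update the rule whenever they change. The rule set
# parses and loads even while tun0 is still unconfigured; until tun0
# gets an address this rule simply matches nothing.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh

# Same idea for NAT on a dynamic address: the translation address follows
# tun0 instead of being frozen at whatever it was when the rules loaded.
nat on $ext_if from $int_if:network to any -> ($ext_if)
```

Check the file without touching the running rule set with `pfctl -nf /etc/pf.conf` (`-n` parses only). The reason this matters beyond a boot-time annoyance is visible in the log above: "pf rules not loaded" is followed by "pf enabled", and pf with an empty rule set passes everything, so the router sits wide open until someone notices and reloads the rules. With the parenthesised form the rule set loads at boot, and with `block all` as the default the box stays closed until the interface actually has its address.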

