pf seems to start late?

Giorgos Keramidas keramida at freebsd.org
Fri Mar 4 08:41:40 PST 2005


On 2005-03-04 06:29, "J.D. Bronson" <jbronson at wixb.com> wrote:
> Mar  4 06:15:11 sole kernel: Starting syslogd.
> Mar  4 06:15:11 sole kernel: Mar  4 06:15:11 sole syslogd: kernel boot file is /boot/kernel/kernel
> Mar  4 06:15:11 sole kernel: Starting named.
> Mar  4 06:15:12 sole kernel: Setting date via ntp.
> Mar  4 06:15:15 sole kernel: 4 Mar 06:15:15 ntpdate[345]: step time server x.x.x.x offset -0.534182 sec
> Mar  4 06:15:15 sole kernel: Clearing /tmp.
> Mar  4 06:15:16 sole kernel: ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
> Mar  4 06:15:16 sole kernel: a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
> Mar  4 06:15:16 sole kernel: Enabling pflogd
> Mar  4 06:15:16 sole kernel: .
> Mar  4 06:15:16 sole kernel: Mar  4 06:15:16 sole kernel: pflog0: promiscuous mode enabled
> Mar  4 06:15:16 sole kernel: Enabling pf.
> Mar  4 06:15:16 sole kernel: pf enabled
>
> Shouldn't PF start right after the interfaces come up?  The interface
> comes up and then NTP/NTPD start... and during this time, for 5 secs or
> more, there seems to be no pf running... why is this, and why doesn't
> NTP/NTPD start AFTER pf is loaded up?
>
> I think under OpenBSD...pf loads before anything else network related
> to at least offer minimum protection.
>
> Am I missing something?  Ideally, I think pf should launch immediately
> after the ppp kernel fires.

That seems like a reasonable thing, yes.  The problem is very likely one
of rc.d dependencies.  IP Filter and IPFW seem to start before network
services, because their constraints state they should start before any
network interfaces or networking is brought up:

    /etc/rc.d/ipfilter:

	# PROVIDE: ipfilter
	# REQUIRE: root mountcritlocal
	# BEFORE:  netif
	# KEYWORD: nojail

    /etc/rc.d/ipfw:

	# PROVIDE: ipfw
	# REQUIRE: ppp-user
	# BEFORE: NETWORKING
	# KEYWORD: nojail

The constraints of /etc/rc.d/pf are a bit different, and they don't
enforce the start of pflog/pf before any interfaces are brought up.

Can you try the following patch to your /etc/rc.d/pf script and tell me
if it works for you or if it breaks anything important?

%%%
Index: pf
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/pf,v
retrieving revision 1.6
diff -u -r1.6 pf
--- pf	25 Oct 2004 08:12:28 -0000	1.6
+++ pf	4 Mar 2005 16:39:03 -0000
@@ -5,7 +5,7 @@
 
 # PROVIDE: pf
 # REQUIRE: root mountcritlocal netif pflog
-# BEFORE:  DAEMON LOGIN
+# BEFORE:  netif
 # KEYWORD: nojail
 
 . /etc/rc.subr
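Review bot: the new `# BEFORE:  netif` line conflicts with the unchanged `# REQUIRE: root mountcritlocal netif pflog` two lines above it; pf now asks to start both after and before netif, which rcorder will treat as a circular dependency rather than ordering pf ahead of the interfaces. Drop netif from the REQUIRE line as well, e.g. `# REQUIRE: root mountcritlocal pflog`, so pf is ordered only by pflog and the local mounts. Worth confirming on a test box afterwards that the ruleset still loads when pf now runs before any interface has been configured.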
Index: pflog
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/pflog,v
retrieving revision 1.5
diff -u -r1.5 pflog
--- pflog	16 Jan 2005 03:12:03 -0000	1.5
+++ pflog	4 Mar 2005 16:40:21 -0000
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pflog
-# REQUIRE: root mountcritlocal netif cleanvar
+# REQUIRE: root mountcritlocal cleanvar
 # BEFORE:  DAEMON LOGIN
 # KEYWORD: nojail
 
%%%
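An added example, not part of this thread and not FreeBSD's own rc.d or rcorder(8): a small Python re-implementation of the three header keywords the scripts above rely on (PROVIDE, REQUIRE and BEFORE, treated as a dependency graph and sorted topologically), used to check what the posted patch does to the boot order before rebooting a box with it. The ipfilter, ipfw, pf and pflog headers are the ones quoted in the mail; the other scripts (netif, NETWORKING, ntpdate and so on) are minimal constructed stand-ins, not FreeBSD's real headers, and alphabetical tie-breaking among scripts with no constraint between them is an assumption rather than rcorder's actual rule. The third variant, with netif also dropped from pf's REQUIRE line, is an assumed fix and does not come from the thread.

```python
"""Check rc.d start ordering from PROVIDE/REQUIRE/BEFORE headers.

Added example; re-implements only the rcorder(8) keywords used above,
not rcorder itself. Assumption: alphabetical tie-breaking (rcorder's own
order may differ where no constraint exists between two scripts).
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.MULTILINE)

# Constructed inputs. pf, pflog, ipfilter and ipfw copy the headers quoted
# in the mail; every other entry is a minimal stand-in, not a real header.
BASE = {
    "root":           "# PROVIDE: root\n",
    "mountcritlocal": "# PROVIDE: mountcritlocal\n# REQUIRE: root\n",
    "cleanvar":       "# PROVIDE: cleanvar\n# REQUIRE: mountcritlocal\n",
    "ppp-user":       "# PROVIDE: ppp-user\n# REQUIRE: mountcritlocal\n# BEFORE: netif\n",
    "netif":          "# PROVIDE: netif\n# REQUIRE: root mountcritlocal\n",
    "NETWORKING":     "# PROVIDE: NETWORKING\n# REQUIRE: netif\n",
    "ntpdate":        "# PROVIDE: ntpdate\n# REQUIRE: NETWORKING\n# BEFORE: DAEMON\n",
    "DAEMON":         "# PROVIDE: DAEMON\n# REQUIRE: NETWORKING\n",
    "LOGIN":          "# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "ipfilter":       "# PROVIDE: ipfilter\n# REQUIRE: root mountcritlocal\n# BEFORE: netif\n",
    "ipfw":           "# PROVIDE: ipfw\n# REQUIRE: ppp-user\n# BEFORE: NETWORKING\n",
    "pflog":          "# PROVIDE: pflog\n# REQUIRE: root mountcritlocal netif cleanvar\n# BEFORE: DAEMON LOGIN\n",
    "pf":             "# PROVIDE: pf\n# REQUIRE: root mountcritlocal netif pflog\n# BEFORE: DAEMON LOGIN\n",
}

# Headers exactly as the posted patch leaves them.
PATCH_AS_POSTED = dict(
    BASE,
    pf="# PROVIDE: pf\n# REQUIRE: root mountcritlocal netif pflog\n# BEFORE: netif\n",
    pflog="# PROVIDE: pflog\n# REQUIRE: root mountcritlocal cleanvar\n# BEFORE: DAEMON LOGIN\n",
)

# Assumed fix (not from the thread): netif also dropped from pf's REQUIRE.
PATCH_FIXED = dict(
    PATCH_AS_POSTED,
    pf="# PROVIDE: pf\n# REQUIRE: root mountcritlocal pflog\n# BEFORE: netif\n",
)


def parse_header(text):
    """Return (provides, requires, before) name lists from an rc.d header."""
    fields = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, names in HEADER_RE.findall(text):
        fields[key].extend(names.split())
    return fields["PROVIDE"], fields["REQUIRE"], fields["BEFORE"]


def start_order(scripts):
    """Topologically sort scripts. Returns (order, stuck).

    order: script names in start order. stuck: scripts that could not be
    placed because they sit on, or behind, a dependency cycle (empty if
    the graph is acyclic).
    """
    provider = {}
    for name, text in scripts.items():
        for p in parse_header(text)[0]:
            provider[p] = name          # assumption: one provider per name
    succ = defaultdict(set)             # edge a -> b: a must start before b
    for name, text in scripts.items():
        _, requires, before = parse_header(text)
        for r in requires:
            if r in provider:
                succ[provider[r]].add(name)
        for b in before:
            if b in provider:
                succ[name].add(provider[b])
    indeg = {n: 0 for n in scripts}
    for targets in succ.values():
        for b in targets:
            indeg[b] += 1
    order = []
    ready = sorted(n for n, d in indeg.items() if d == 0)
    while ready:                        # Kahn's algorithm
        n = ready.pop(0)
        order.append(n)
        for b in sorted(succ[n]):
            indeg[b] -= 1
            if indeg[b] == 0:
                ready.append(b)
        ready.sort()
    stuck = sorted(n for n in scripts if n not in order)
    return order, stuck


def starts_before(scripts, a, b):
    """True if a is ordered strictly before b; False if either is stuck."""
    order, stuck = start_order(scripts)
    if a in stuck or b in stuck:
        return False
    return order.index(a) < order.index(b)


if __name__ == "__main__":
    for label, s in (("as shipped", BASE),
                     ("patch as posted", PATCH_AS_POSTED),
                     ("patch, netif dropped from pf REQUIRE", PATCH_FIXED)):
        order, stuck = start_order(s)
        tail = f"  UNORDERED (cycle): {' '.join(stuck)}" if stuck else ""
        print(f"{label}: {' '.join(order)}{tail}")
```

Run as a script it prints one order per variant. With the shipped headers netif precedes pf, matching the boot log at the top of the thread; with the patch as posted, pf and netif (and everything behind them) are left unordered, because pf both requires and precedes netif; with netif removed from pf's REQUIRE line as well, pflog and pf are placed ahead of netif and the cycle disappears.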

