fbsd 6.2 pf starts -- but not on boot

Volker volker at vwsoft.com
Mon Jun 4 21:18:28 UTC 2007


On 06/04/07 23:03, snowcrash+freebsd wrote:
> hi,
> 
> i've fbsd 6.2R/p5, with pf compiled into a custom kernel.
> 
> on boot, pf is, apparently, not starting.
> 
> but, if i exec
> 
>     /etc/rc.d/pf start
> 
> immediately after boot to prompt is done, then all's OK.
> 
> the only related (?) messages -- error or otherwise -- i've found are
> on startup.
> 
> any ideas/suggestions as to what might be the prob? and/or how to
> troubleshoot?
> 
> thanks!
> 
> for reference, from console output @ startup,
> 
> ----------------------------------------
> ...
> sis0: link state changed to UP
> sis1: link state changed to UP
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>        inet6 fe80::1%lo0 prefixlen 64 sscopeid 0x5
>        inet6 ::1 prefisxlen 128
>        inet2 127.0.0.1 netma:sk 0xff000000
> sis0: flags=8843l<UP,BROADCAST,RUiNNING,SIMPLEX,MUnLTICAST> mtu 149k2
>        options=48<V LAN_MTU,POLLING>s
>        inet 10.0.0.10 netmask 0xfafffff00 broadcastt 10.0.0.255
>        ether 00:00:12:d4:15:88
>        media:t Ethernet autoseolect (100baseTX  <full-duplex>)
>        status: active
> sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1492
>        options=48<VLAN_MTU,POLLING>
>        ether 00:00:12:d4:15:89
>        media: Ethernet autoselect (100baseTX <full-duplex>)
>        status: active
> Starting pflog.
> pflog0: promiscuous mode enabled
> Enabling pf.
> Jun  4 13:38:11 pflogd[479]: [priv]: msg PRIV_OPEN_LOG received
> pfctl: DIOCSETSTATUSIF
> pf enabled
...

snow,

without seeing your pf.conf ruleset, I guess you're using a ppp
connection to your upstream provider and firewalling on the tunX
interface (using tun0 as $ext_if).

As FreeBSD boots up, this interface does not yet exist when pf is
loaded. As soon as ppp is loaded and interface tun0 has been created,
pf will happily load your ruleset.

The solution is to either have the pf rules loaded late (after ppp is
started) or use anchors and load the ext rules into the anchor when the
ppp interface is up. The easier option is to have the rules load late
(check using rcorder), but this may also fail if something goes wrong
with ppp.

HTH

Volker
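
The anchor approach described in the reply above, sketched as an added example that is not part of the original thread or of FreeBSD's rc scripts. The anchor name `ext`, the rules file `/etc/pf.ext.conf`, the script name and the interface `tun0` are assumptions. The rules are parsed with `pfctl -n` before loading, so a broken file never replaces a working anchor.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumed names: anchor "ext", rules file /etc/pf.ext.conf, interface tun0.
# The main pf.conf references only interfaces that exist at boot and
# contains the line:   anchor "ext"
# Run this from whatever fires once the ppp link is up, for example
# (hypothetical script name):
#   load-ext-anchor.sh tun0 ext /etc/pf.ext.conf

PFCTL=${PFCTL:-pfctl}            # overridable, e.g. for testing
IFCONFIG=${IFCONFIG:-ifconfig}

# True if the named interface currently exists.
iface_exists() {
    "$IFCONFIG" "$1" >/dev/null 2>&1
}

# load_ext_anchor IFACE ANCHOR RULES
# Returns 0 on success, 1 if IFACE is missing, 2 if RULES does not
# parse (nothing is loaded), 3 if the load itself fails.
load_ext_anchor() {
    ifname=$1 anchor=$2 rules=$3

    if ! iface_exists "$ifname"; then
        echo "load_ext_anchor: $ifname does not exist yet" >&2
        return 1
    fi
    # -n parses the ruleset without loading it.
    if ! "$PFCTL" -n -a "$anchor" -f "$rules"; then
        echo "load_ext_anchor: $rules failed to parse, anchor unchanged" >&2
        return 2
    fi
    "$PFCTL" -a "$anchor" -f "$rules" || return 3
    return 0
}

# Only act when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
    load_ext_anchor "$@"
fi
```

With a default `block` policy in the main ruleset, traffic on the ppp interface stays blocked until the anchor has been loaded successfully.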

