8.2-RELEASE pf rules not loading
vince at unsane.co.uk
Fri Feb 25 22:24:00 UTC 2011
On 25/02/2011 17:35, Josh Carroll wrote:
>> Hi All,
>> Just upgraded my home machine to 8.2-RELEASE via
>> freebsd-update remotely (spare time at work.) and on reboot my pf
>> ruleset isnt being loaded. running '/etc/rc.d/pf start' once its booted
>> does start it fine though. Any suggestions on debugging or shall i just
>> try a verbose boot and watch the console when I get home?
>> I still have
>> pf_enable="YES" # Set to YES to enable packet filter (pf)
>> pflog_enable="YES" # Set to YES to enable packet filter
>> in /etc/rc.conf
> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
> It's possible the network hasn't come up properly yet or there is no
> IP assigned.
> Failing that, you can set:
> in rc.conf then watch at boot time if there are any odd messages when
> it attempts to start pf.
It turns out that its sort of related to this. I have an IPv6 tunnel
from H.E. (tunnelbroker.net) and from looking at the boot output, it
looks like the IPv6 addresses (for any of my imterfaces) aren't applied
until after pf starts. I'd say this is a bug, Oddly this didnt happen
for the release candidate I tried, although I think I may have modified
my rules and not rebooted until I upgraded.
the rules in question are:
pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services
pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services
(ext_if = "ue0")
I'll try changing $ext_if to the ipv6 address and see if that helps.
> freebsd-stable at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
More information about the freebsd-stable