8.2-RELEASE pf rules not loading

Vincent Hoffman vince at unsane.co.uk
Fri Feb 25 22:45:04 UTC 2011


On 25/02/2011 22:31, Jeremy Chadwick wrote:
> On Fri, Feb 25, 2011 at 10:23:58PM +0000, Vincent Hoffman wrote:
>> On 25/02/2011 17:35, Josh Carroll wrote:
>>>> Hi All,
>>>> Just upgraded my home machine to 8.2-RELEASE via
>>>> freebsd-update remotely (spare time at work) and on reboot my pf
>>>> ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
>>>> does start it fine though. Any suggestions on debugging, or shall I just
>>>> try a verbose boot and watch the console when I get home?
>>>> I still have
>>>>
>>>> pf_enable="YES"                  # Set to YES to enable packet filter (pf)
>>>> pflog_enable="YES"               # Set to YES to enable packet filter logging
>>>>
>>>> in /etc/rc.conf
>>> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
>>>
>>> ifconfig_<ifacename>="DHCP"
>>>
>>> to
>>>
>>> ifconfig_<ifacename>="SYNCDHCP"
>>>
>>> It's possible the network hasn't come up properly yet or there is no
>>> IP assigned.
>>>
>>> Failing that, you can set:
>>>
>>> rc_debug="YES"
>>>
>>> in rc.conf then watch at boot time if there are any odd messages when
>>> it attempts to start pf.
>>>
>> It turns out that it's sort of related to this. I have an IPv6 tunnel
>> from H.E. (tunnelbroker.net) and from looking at the boot output, it
>> looks like the IPv6 addresses (for any of my interfaces) aren't applied
>> until after pf starts. I'd say this is a bug. Oddly this didn't happen
>> for the release candidate I tried, although I think I may have modified
>> my rules and not rebooted until I upgraded.
>> The rules in question are:
>>
>> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
>> and
>> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
>> (ext_if = "ue0")
>>
>> I'll try changing $ext_if to the ipv6 address and see if that helps.
> Please look at pf.conf(5) and search for the word "parentheses" (should
> be under the "from x to x" section). This might resolve your problem.
That looks reasonable, if unexpected since it's all statically configured. I'll give it a try when I can reboot it next.

It does seem a little odd that rcorder doesn't start network_ipv6 (REQUIRE: routing) until after pf (BEFORE: routing), but I assume there was a reason for this.


Vince
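The pf.conf(5) change Jeremy points at, written out as an added example (this is not a ruleset posted in the thread). Only ext_if = "ue0" and the two rule bodies come from the thread; gif_if, the service lists and the value of sf_tcp are assumed for illustration. A bare $ext_if in a rule is expanded once, when pfctl loads the ruleset, to the addresses ue0 has at that moment; at boot, with network_ipv6 ordered after pf, ue0 has no inet6 address yet, so there is nothing to expand and the load fails. Wrapping the interface name in parentheses makes pf keep a reference to the interface and re-evaluate its addresses whenever they change, so an address configured after the ruleset is loaded is picked up without reloading:

```conf
# Added example, not from the thread. Values other than ext_if are assumptions.
ext_if       = "ue0"
gif_if       = "gif0"
tcp_services = "{ ssh, http, https }"
udp_services = "{ domain }"
sf_tcp       = "flags S/SA keep state"

# As posted: $ext_if is resolved to ue0's current addresses when the ruleset
# is loaded. If ue0 has no IPv6 address yet (network_ipv6 runs after pf at
# boot), there is nothing to expand the inet6 rule to and the load fails.
#pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
#pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

# With parentheses: pf tracks ue0 itself and updates the rule's address set
# when an address is added or removed, so the order of pf vs. network_ipv6
# at boot no longer matters for these rules.
pass in quick on $gif_if inet6 proto udp to ($ext_if) port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp
```

Before rebooting, `pfctl -vnf /etc/pf.conf` parses the file without loading it and shows the expanded rules; after loading, `pfctl -sr` lists the active rules with the interface printed as `(ue0)`, which confirms the dynamic form is in effect. To see the ordering Vince describes on your own system, `rcorder /etc/rc.d/* | grep -nE '/(pf|routing|network_ipv6)$'` prints the three scripts in the order rc will run them.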