From owner-freebsd-questions@FreeBSD.ORG Fri Mar 4 16:41:40 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Date: Fri, 4 Mar 2005 18:41:36 +0200
From: Giorgos Keramidas
To: "J.D. Bronson"
cc: freebsd-questions@freebsd.org
Subject: Re: pf seems to start late?
Message-ID: <20050304164136.GA1684@orion.daedalusnetworks.priv>
References: <6.2.0.14.2.20050304062626.00aa8468@localhost>
In-Reply-To: <6.2.0.14.2.20050304062626.00aa8468@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
List-Id: User questions
X-List-Received-Date: Fri, 04 Mar 2005 16:41:40 -0000

On 2005-03-04 06:29, "J.D. Bronson" wrote:
> Mar 4 06:15:11 sole kernel: Starting syslogd.
> Mar 4 06:15:11 sole kernel: Mar 4 06:15:11 sole syslogd: kernel boot file is /boot/kernel/kernel
> Mar 4 06:15:11 sole kernel: Starting named.
> Mar 4 06:15:12 sole kernel: Setting date via ntp.
> Mar 4 06:15:15 sole kernel: 4 Mar 06:15:15 ntpdate[345]: step time server x.x.x.x offset -0.534182 sec
> Mar 4 06:15:15 sole kernel: Clearing /tmp.
> Mar 4 06:15:16 sole kernel: ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
> Mar 4 06:15:16 sole kernel: a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
> Mar 4 06:15:16 sole kernel: Enabling pflogd
> Mar 4 06:15:16 sole kernel: .
> Mar 4 06:15:16 sole kernel: Mar 4 06:15:16 sole kernel: pflog0: promiscuous mode enabled
> Mar 4 06:15:16 sole kernel: Enabling pf.
> Mar 4 06:15:16 sole kernel: pf enabled
>
> Shouldn't PF start right after the interfaces come up? The interface
> comes up and then NTP/NTPD start...and during this time for 5 secs or
> more there seems to be no pf running....why is this and why doesn't
> NTP/NTPD start AFTER pf is loaded up?
>
> I think under OpenBSD...pf loads before anything else network related
> to at least offer minimum protection.
>
> Am I missing something? Ideally, I think pf should launch immediately
> after the ppp kernel fires.
That seems like a reasonable thing, yes.

The problem is very likely one of rc.d dependencies. IP Filter and IPFW
seem to start before network services, because their constraints state
they should start before any network interfaces or networking is brought
up:

    /etc/rc.d/ipfilter:

        # PROVIDE: ipfilter
        # REQUIRE: root mountcritlocal
        # BEFORE: netif
        # KEYWORD: nojail

    /etc/rc.d/ipfw:

        # PROVIDE: ipfw
        # REQUIRE: ppp-user
        # BEFORE: NETWORKING
        # KEYWORD: nojail

The constraints of /etc/rc.d/pf are a bit different, and they don't
enforce the start of pflog/pf before any interfaces are brought up.

Can you try the following patch to your /etc/rc.d/pf script and tell me
if it works for you or if it breaks anything important?

%%%
Index: pf
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/pf,v
retrieving revision 1.6
diff -u -r1.6 pf
--- pf	25 Oct 2004 08:12:28 -0000	1.6
+++ pf	4 Mar 2005 16:39:03 -0000
@@ -5,7 +5,7 @@
 
 # PROVIDE: pf
 # REQUIRE: root mountcritlocal netif pflog
-# BEFORE: DAEMON LOGIN
+# BEFORE: netif
 # KEYWORD: nojail
 
 . /etc/rc.subr
Index: pflog
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/pflog,v
retrieving revision 1.5
diff -u -r1.5 pflog
--- pflog	16 Jan 2005 03:12:03 -0000	1.5
+++ pflog	4 Mar 2005 16:40:21 -0000
@@ -4,7 +4,7 @@
 #
 
 # PROVIDE: pflog
-# REQUIRE: root mountcritlocal netif cleanvar
+# REQUIRE: root mountcritlocal cleanvar
 # BEFORE: DAEMON LOGIN
 # KEYWORD: nojail
%%%
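Review bot: in the pf hunk, the added `+# BEFORE: netif` line contradicts the unchanged `# REQUIRE: root mountcritlocal netif pflog` two lines above it, so the script now both requires netif and asks to run before it; rcorder(8) will flag that as a circular dependency and the order it falls back to is not the one the patch is after. Drop `netif` from the REQUIRE line here, as the pflog hunk already does for its own script, so it reads `# REQUIRE: root mountcritlocal pflog`, and confirm the result with `rcorder /etc/rc.d/* | grep -n -E '/(pflog|pf|netif)$'` before relying on pf being up ahead of the interfaces.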
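Review bot: in the pflog hunk, removing `netif` from the REQUIRE line only stops pflog from waiting for the interfaces; nothing in this file now says it must precede them, and the unchanged `# BEFORE: DAEMON LOGIN` line only orders it relative to the late-boot daemons. pflog lands ahead of netif purely transitively, through the pf script's `REQUIRE: ... pflog` combined with the pf hunk's `BEFORE: netif`. If the intent is for pflogd to be capturing before the first interface comes up, state it here as well with `# BEFORE: netif`, so the ordering survives the next change to the pf script's constraints, and check it with `rcorder /etc/rc.d/*`.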
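One way to verify the boot order this reply is trying to achieve, as an added example that is not part of the thread and not one of FreeBSD's own rc.d scripts: the script below takes an rcorder(8)-style listing and checks that one script is scheduled before another. The two listings embedded in it are constructed samples standing in for real rcorder output (the "before" order mirrors the boot log quoted above; the "after" order assumes the patch works as intended); on a FreeBSD host you would pipe `rcorder /etc/rc.d/*` into check_order instead.

```shell
#!/bin/sh
# Added example (not from the original thread): check that the rc.d boot
# sequence starts the packet filter before network interfaces come up.
#
# rcorder /etc/rc.d/* prints the scripts one per line in boot order.
# On a real host feed that output to check_order:
#     rcorder /etc/rc.d/* | check_order pf netif
# The listings below are constructed samples so the script runs anywhere.

# position NAME: print the 1-based line on which script NAME appears in
# the listing held in $listing (matched by basename), or nothing if absent.
position() {
    printf '%s\n' "$listing" | grep -n -E "(^|/)$1\$" | head -n 1 | cut -d: -f1
}

# check_order EARLIER LATER  (boot listing on stdin)
# exit 0: EARLIER is scheduled before LATER
# exit 1: LATER is scheduled first (the misordering the thread describes)
# exit 2: one of the two names is not in the listing at all
check_order() {
    listing=$(cat)
    a=$(position "$1")
    b=$(position "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "missing from listing: $1 or $2" >&2
        return 2
    fi
    if [ "$a" -lt "$b" ]; then
        echo "ok: $1 (#$a) starts before $2 (#$b)"
        return 0
    fi
    echo "WARNING: $2 (#$b) starts before $1 (#$a)"
    return 1
}

# Constructed sample: the order implied by the quoted boot log, where the
# interfaces, syslogd, named and ntpdate all run before pflog and pf.
listing_before_patch() {
cat <<'EOF'
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/cleanvar
/etc/rc.d/netif
/etc/rc.d/syslogd
/etc/rc.d/named
/etc/rc.d/ntpdate
/etc/rc.d/pflog
/etc/rc.d/pf
EOF
}

# Constructed sample: the order the patch is meant to produce (assumed),
# with pflog and pf ahead of netif.
listing_after_patch() {
cat <<'EOF'
/etc/rc.d/root
/etc/rc.d/mountcritlocal
/etc/rc.d/cleanvar
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/netif
/etc/rc.d/syslogd
/etc/rc.d/named
/etc/rc.d/ntpdate
EOF
}

echo "--- before patch ---"
listing_before_patch | check_order pf netif || echo "-> misordered (exit $?)"
echo "--- after patch ---"
listing_after_patch | check_order pf netif || echo "-> misordered (exit $?)"
listing_after_patch | check_order pflog pf || echo "-> misordered (exit $?)"
```

The check matches on the script's basename, so it accepts both the full paths rcorder prints and bare names; a name that is not in the listing at all is reported separately (exit 2) rather than silently passing, since a disabled or renamed script is itself worth noticing.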