Date:      Mon, 12 Feb 2007 19:46:12 -0500
From:      "Dan Langille" <dan@langille.org>
To:        "Kian Mohageri" <kian.mohageri@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf starts, but no rules
Message-ID:  <45D0C404.27182.257AAE28@dan.langille.org>
In-Reply-To: <fee88ee40702101353x55c51096ve580f04926836777@mail.gmail.com>
References:  <45CDED58.2056.1A642A00@dan.langille.org>, <fee88ee40702101353x55c51096ve580f04926836777@mail.gmail.com>

On 10 Feb 2007 at 13:53, Kian Mohageri wrote:

> On 2/10/07, Dan Langille <dan@langille.org> wrote:
> >
> > Hi folks,
> >
> > Yesterday I rebooted a server to load a new kernel.  After the
> > reboot, the firewall rules were not loaded.
> >
> > $ grep pf /etc/rc.conf
> > pf_enable="YES"
> > pflog_enable="YES"
> > pf_rules="/etc/pf.rules"
> >
> > I never checked for the rules until today and found this:
> >
> > [dan@nyi:~] $ sudo pfctl -sa | less
> > Password:
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > FILTER RULES:
> >
> > INFO:
> > Status: Enabled for 0 days 19:59:39             Debug: None
> >
> > Hostid: 0x36eae8cf
> >
> > State Table                          Total             Rate
> >   current entries                        0
> >   searches                         5515422           76.6/s
> >
> > etc...
> >
> > Loading the rules manually works:
> >
> > [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > [dan@nyi:~] $
> >
> > After loading, pfctl -sa shows the output I would expect.
> >
> > Ideas?  Suggestions?
> >
> > Is anyone else using PF with a pf_rules specified?
> >
> > FWIW, I notice I have one host identified by FQDN in my rules.
> 
> I had this problem as well, and it is because at the time the pf rules are
> loaded, the FQDN cannot be resolved.  I believe that is because of the
> "BEFORE: routing" dependency in /etc/rc.d/pf.

Interesting... I just tried to reproduce the problem on a test 
server, and was unable to.  I'll keep trying.


-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/
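Kian's diagnosis is that the rules file names a host that cannot be resolved when /etc/rc.d/pf runs, since it is ordered before routing. The following is an added pre-reboot check, not from this thread: it scans a pf rules file for bare hostname tokens that pf would have to resolve at load time (IP literals, CIDR blocks, tables, macros and interface names are ignored), so the admin can replace them with addresses or a table file before relying on pf_rules at boot. The rules file is a constructed sample; the heuristic (a dotted token containing a letter) and function names are assumptions.

```shell
#!/bin/sh
# Added example: find hostnames in a pf rules file that need DNS at load time.

# Print "LINE: token" for each token that looks like a hostname: only letters,
# digits, dots and hyphens, at least one dot and at least one letter. This skips
# IPv4 literals, CIDR blocks (contain "/"), IPv6 (contains ":"), tables (<name>),
# macros ($name), quoted strings and interface names such as em0.
find_pf_hostnames() {
    awk '
    {
        sub(/#.*/, "")                          # drop comments
        n = split($0, tok, /[ \t{},]+/)          # split on blanks, braces, commas
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t ~ /^[A-Za-z0-9.-]+$/ && t ~ /\./ && t ~ /[A-Za-z]/)
                print NR ": " t
        }
    }' "$1"
}

# Exit status 0 (true) when the rules file contains at least one hostname.
rules_need_dns() {
    [ -n "$(find_pf_hostnames "$1")" ]
}

# Constructed sample rules file (assumed content, not the poster's /etc/pf.rules).
write_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
ext_if = "em0"
table <badhosts> { 192.0.2.10, evil.example.org }
set skip on lo0
scrub in all
block in on $ext_if
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to 192.0.2.1 port 22
pass in on $ext_if proto tcp from any to www.example.net port 80
pass in on $ext_if inet6 proto tcp from any to 2001:db8::1 port 443
EOF
    echo "$f"
}

# Demonstration on the sample; a real check would be run against /etc/pf.rules.
sample=$(write_sample_rules)
if rules_need_dns "$sample"; then
    echo "hostnames that must resolve when pf loads its rules:"
    find_pf_hostnames "$sample"
else
    echo "no hostnames found; rules can load before name resolution is available"
fi
rm -f "$sample"
```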