Date:      Fri, 25 Feb 2011 22:23:58 +0000
From:      Vincent Hoffman <vince@unsane.co.uk>
To:        freebsd-stable@freebsd.org
Subject:   Re: 8.2-RELEASE pf rules not loading
Message-ID:  <4D682BFE.9050702@unsane.co.uk>
In-Reply-To: <AANLkTin9ZHd%2BABKm6Z_ek9QD1CVKmb9W-bRe2ZRYj1pn@mail.gmail.com>
References:  <4D67E2BC.6070202@unsane.co.uk> <AANLkTin9ZHd%2BABKm6Z_ek9QD1CVKmb9W-bRe2ZRYj1pn@mail.gmail.com>

On 25/02/2011 17:35, Josh Carroll wrote:
>> Hi All,
>>            Just upgraded my home machine to 8.2-RELEASE via
>> freebsd-update remotely (spare time at work.) and on reboot my pf
>> ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
>> does start it fine though. Any suggestions on debugging or shall I just
>> try a verbose boot and watch the console when I get home?
>> I still have
>>
>> pf_enable="YES"                  # Set to YES to enable packet filter (pf)
>> pflog_enable="YES"               # Set to YES to enable packet filter logging
>>
>> in /etc/rc.conf
> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
>
> ifconfig_<ifacename>="DHCP"
>
> to
>
> ifconfig_<ifacename>="SYNCDHCP"
>
> It's possible the network hasn't come up properly yet or there is no
> IP assigned.
>
> Failing that, you can set:
>
> rc_debug="YES"
>
> in rc.conf then watch at boot time if there are any odd messages when
> it attempts to start pf.
>
It turns out that it's sort of related to this. I have an IPv6 tunnel
from H.E. (tunnelbroker.net) and from looking at the boot output, it
looks like the IPv6 addresses (for any of my interfaces) aren't applied
until after pf starts. I'd say this is a bug. Oddly, this didn't happen
for the release candidate I tried, although I think I may have modified
my rules and not rebooted until I upgraded.
The rules in question are:

pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
and
pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
(ext_if = "ue0")

I'll try changing $ext_if to the ipv6 address and see if that helps.


Vince



> Josh
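Added example, not part of the original message or of anyone's posted ruleset: a pf.conf fragment showing the two rules from the message next to the parenthesised-interface form, which pf.conf(5) documents as making the address lookup dynamic instead of fixed at load time. Only ext_if = "ue0" comes from the message; the values of the other macros are constructed placeholders.

```conf
# Macros. ext_if is from the message; every other value below is a
# constructed placeholder, since the message does not show them.
ext_if       = "ue0"
gif_if       = "gif0"
tcp_services = "{ 22, 80 }"
udp_services = "{ 53 }"
sf_tcp       = "flags S/SA keep state"

# As posted (commented out here): a bare interface name used as an address
# is translated to that interface's addresses once, when pfctl parses the
# file. With "inet6" on the rule, that needs an IPv6 address to already be
# configured on ue0 at the moment the ruleset is loaded.
# pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
# pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

# Parenthesised form: pf keeps the rule bound to the interface and updates
# it whenever the interface's addresses change, so loading the ruleset does
# not depend on the IPv6 address being present at boot.
pass in quick on $gif_if inet6 proto udp to ($ext_if) port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp

# Parse-only check before loading: pfctl -nf /etc/pf.conf
```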