Date:      Tue, 5 Jun 2007 15:29:18 -0500
From:      David DeSimone <fox@verio.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: fbsd 6.2 pf starts -- but not on boot
Message-ID:  <20070605202918.GA14693@verio.net>
In-Reply-To: <46648172.3060307@vwsoft.com>
References:  <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com> <46648172.3060307@vwsoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Volker <volker@vwsoft.com> wrote:
>
> without seeing your pf.conf ruleset, I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).
> 
> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded.  As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.

My understanding of PF is that it will happily load a configuration that
contains references to nonexistent interfaces, and when those interfaces
come around to existing later, it will happily enforce the policy
applied to them.  That is to say, I can't find any evidence that an
interface that doesn't exist causes policy loading to fail.

To test this, I added a couple of lines to my existing policy:

    pass out quick on gpx0 all

    pass in on asdfiawe934 from 1.2.3.4 to 4.3.2.1

PF did not complain one bit about these nonsensical interface names, and
"pfctl -sr" verifies that they do indeed remain in force, even though
they have no chance of matching anything.

- -- 
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous."  -- Robert Benchley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGZceeFSrKRjX5eCoRAoveAKCq555M9XeyLz6yHGNRNwfalsbJ9QCfRUZZ
zV8DZgb0db0hxRdKKnY4HpM=
=bCVg
-----END PGP SIGNATURE-----
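
Because PF accepts rules on interface names that do not exist, a mistyped name produces a rule that loads cleanly and never matches. The script below is an added example, not part of the original e-mail: it lists the interfaces named in a loaded ruleset that are absent from the host. The function names and the sample ruleset are constructed for illustration, and it assumes one rule per line as `pfctl -sr` prints them.

```shell
#!/bin/sh
# Added example, not from the original message.
# Reports interfaces named in pf rules that do not exist on the host.
# Assumes one rule per line, as `pfctl -sr` prints them; interface
# groups are not resolved.

# Constructed sample in the style of `pfctl -sr` output.
sample_rules() {
    cat <<'EOF'
block drop in log all
pass out quick on gpx0 all
pass in on asdfiawe934 inet from 1.2.3.4 to 4.3.2.1
pass in on em0 proto tcp from any to any port = ssh keep state
pass quick on ! lo0 proto icmp all
EOF
}

# Print the interface name following the first "on" of each rule on stdin.
rule_interfaces() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i != "on") continue
            n = $(i + 1)
            if (n == "!" && i + 2 <= NF) n = $(i + 2)   # negated match: on ! lo0
            print n
            break
        }
    }' | sort -u
}

# missing_interfaces IFACE...
# Reads rules on stdin; prints rule interfaces absent from the IFACE list.
missing_interfaces() {
    present=" $* "
    rule_interfaces | while read -r ifn; do
        case "$present" in
            *" $ifn "*) ;;
            *) echo "$ifn" ;;
        esac
    done
}

# Demo on the constructed sample, pretending only em0 and lo0 exist.
sample_rules | missing_interfaces em0 lo0
# On a live FreeBSD host: pfctl -sr | missing_interfaces $(ifconfig -l)
```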


