From owner-freebsd-pf@FreeBSD.ORG Tue Jun 5 20:29:20 2007
Date: Tue, 5 Jun 2007 15:29:18 -0500
From: David DeSimone
To: freebsd-pf@freebsd.org
Message-ID: <20070605202918.GA14693@verio.net>
References: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com> <46648172.3060307@vwsoft.com>
In-Reply-To: <46648172.3060307@vwsoft.com>
Subject: Re: fbsd 6.2 pf starts -- but not on boot

Volker wrote:
>
> without seeing your pf.conf ruleset, I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).
>
> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded. As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.

My understanding of PF is that it will happily load a configuration that
contains references to nonexistent interfaces, and when those interfaces
come around to existing later, it will happily enforce the policy applied
to them.

That is to say, I can't find any evidence that an interface that doesn't
exist causes policy loading to fail.

To test this, I added a couple of lines to my existing policy:

    pass out quick on gpx0 all
    pass in on asdfiawe934 from 1.2.3.4 to 4.3.2.1

PF did not complain one bit about these nonsensical interface names, and
"pfctl -sr" verifies that they do indeed remain in force, even though
they have no chance of matching anything.

-- 
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was
   too famous."  -- Robert Benchley
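
Because a rule bound to a nonexistent interface loads without complaint, as described in the message above, a typo in an interface name can leave a rule silently inert. The following check is an added example, not part of the original post: it lists interface names referenced in "pfctl -sr" style output that are absent from the host's interface list. The function name, the sample rules and the sample interface list are constructed for illustration; it assumes one interface per rule line and does not handle interface groups.

```shell
#!/bin/sh
# Added example: report interfaces named in pf rules that do not exist.

# missing_pf_interfaces RULES IFLIST   (hypothetical helper name)
#   RULES  - rules text in the form printed by "pfctl -sr"
#   IFLIST - space-separated interface names, as printed by "ifconfig -l"
# Prints each referenced-but-absent interface once, one per line.
missing_pf_interfaces() {
    printf '%s\n' "$1" | awk -v iflist="$2" '
        BEGIN {
            n = split(iflist, names, " ")
            for (i = 1; i <= n; i++) present[names[i]] = 1
        }
        {
            # Find the first "on" keyword; the interface name follows it.
            for (i = 1; i < NF; i++) {
                if ($i != "on") continue
                ifname = $(i + 1)
                # Negated form: "on ! em0"
                if (ifname == "!" && i + 2 <= NF) ifname = $(i + 2)
                if (!(ifname in present) && !(ifname in seen)) {
                    seen[ifname] = 1
                    print ifname
                }
                break
            }
        }'
}

# Constructed sample input, including the two test rules from the message.
SAMPLE_RULES='block drop in log all
pass out quick on gpx0 all
pass in on asdfiawe934 inet from 1.2.3.4 to 4.3.2.1
pass in on em0 inet proto tcp from any to any port = ssh keep state
pass out on ! lo0 all'
SAMPLE_IFLIST='em0 lo0 pflog0'

missing_pf_interfaces "$SAMPLE_RULES" "$SAMPLE_IFLIST"

# On a live FreeBSD host (pfctl needs root):
#   missing_pf_interfaces "$(pfctl -sr)" "$(ifconfig -l)"
```

An interface that is created later, such as the tun0 device in the quoted text, is also reported until it exists, so a hit is a prompt to review the rule rather than proof of a typo.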