From: cpghost <cpghost@cordula.ws>
To: RW
Cc: freebsd-questions@freebsd.org
Date: Wed, 14 Feb 2007 07:27:02 +0100
Subject: Re: pf/ppp timing problem at startup
Message-ID: <20070214062702.GA54100@epia-2.farid-hajji.net>
In-Reply-To: <20070214025918.38c60c88@gumby.homeunix.com>
References: <20070214021450.GC52462@epia-2.farid-hajji.net> <20070214025918.38c60c88@gumby.homeunix.com>

On Wed, Feb 14, 2007 at 02:59:18AM +0000, RW wrote:
> On Wed, 14 Feb 2007 03:14:50 +0100
> cpghost wrote:
>
> > I'm using ADSL to connect (using a static IP), and ppp(1)
> > needs some time (a few seconds) to initialize and configure
> > the tun(4) device. Parallel to this, pf(4) starts immediately,
> > and doesn't recognize ext_if (tun0), which is not yet ready.
> > As a result of this, pf shuts down again and there's no firewall.
> >
> > ...
> > Perhaps there's also some pf setting that would dynamically adjust
> > to tun0 once it appears?
>
> I don't know the answer, but I suspect that you are asking the wrong
> question. Your setup is a very common one, so it seems a bit unlikely
> any special bodging is required (and that no-one is complaining about
> it). The ppp startup script is supposed to resync pf after starting
> ppp.
>
> I'm wondering if there is anything unusual in your ppp.conf or rc.conf
> entries.

There shouldn't be. Here they are. It's on a:

FreeBSD 6.2-STABLE FreeBSD 6.2-STABLE #0: Tue Jan 16 14:45:10 CET 2007

/etc/ppp/ppp.conf:
------------------

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

fw-9703:
 set device PPPoE:sis0
 set MTU 1460
 set MRU 1460
 set dial
 set crtscts off
 set speed sync
 disable lqr
 set echoperiod 30
 enable echo
 disable deflate
 disable pred1
 disable vjcomp
 disable acfcomp
 disable protocomp
 set log Phase LCP IPCP CCP Warning Error Alert
 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
 set login
 set authname XXXXXXXXXXXXXXXXXX
 set authkey XXXXXXXXXXX
 set timeout 0
 add default HISADDR
 set server /var/run/internet "" 0177

/etc/rc.conf:
-------------

hostname="XXXXXXXXXXXXXXXXX"
gateway_enable="YES"
ifconfig_sis0="inet 10.10.0.1 mtu 1460 netmask 255.255.255.0"
ifconfig_sis1="inet 192.168.254.1 mtu 1460 netmask 255.255.255.0"
gbde_swap_enable="YES"
ppp_enable="YES"
ppp_profile="fw-9703"
ppp_user="root"
ppp_mode="ddial"
ppp_nat="YES"
named_enable="YES"
# named_flags="-u bind -g bind -t /etc/namedb/s"
sshd_enable="YES"
sendmail_enable="NONE"
postfix_enable="YES"
syslogd_flags="-ss -l /var/db/thttpd/dev/log"
saslauthd_enable="YES"
cyrus_imapd_enable="YES"
pf_enable="YES"
pf_flags="-f /etc/pf.conf"
pflog_enable="YES"
postgrey_enable="YES"
lighttpd_enable="YES"
lighttpd2_enable="YES"
lighttpd2_conf="/usr/local/etc/lighttpd2.conf"

/etc/pf.conf:
-------------

ext_if="tun0"
internal_net="192.168.254.0/24"
tcp_services="{ 25, 80, XXXXXXXXXXXX }"
icmp_types="echoreq"

table persist { XXXXXXXXXXXXXXXX }

set block-policy drop
set loginterface $ext_if

scrub in all

# NAT stuff clipped
# rdr pass on $ext_if proto tcp from any to any port XXXX
#     -> N.N.N.N port YYYY

block in log on $ext_if all

pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state
# pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy \
#     flags S/SA keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# More rules clipped

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
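An added example (the editor's, not cpghost's configuration and not FreeBSD's rc.d or ppp(8) code) of the workaround a practitioner would reach for in this thread: rather than depending on the order in which the rc scripts run, load the pf ruleset only once the PPP interface actually carries an address. The script polls ifconfig(8) for an inet address on the named interface, with a timeout, and then runs `pfctl -f`. The helper names `iface_has_inet` and `pf_resync_wait` are this example's own; `IFCONFIG`, `PFCTL` and `SLEEP` are overridable only so the logic can be exercised without a real tun0 (their defaults are the FreeBSD 6.x paths, an assumption for other systems). One way to invoke it is from `/etc/ppp/ppp.linkup` under the `MYADDR:` label with ppp(8)'s `!bg` prefix, or backgrounded from rc.local at boot.

```sh
#!/bin/sh
# pf-resync-wait: load /etc/pf.conf once a PPP interface has an inet address.
# Editor's example for the pf/ppp startup race; not FreeBSD rc.d or ppp(8) code.
# Assumption: the three commands below are overridable so the logic can be
# tested without tun0; the defaults are the FreeBSD 6.x binaries.

IFCONFIG=${IFCONFIG:-/sbin/ifconfig}
PFCTL=${PFCTL:-/sbin/pfctl}
SLEEP=${SLEEP:-sleep}
PF_RULES=${PF_RULES:-/etc/pf.conf}

# iface_has_inet IFACE
# Succeeds when IFACE exists and carries an IPv4 address other than 0.0.0.0.
# ifconfig exits non-zero for an interface that does not exist yet, which is
# the normal state while ppp(8) is still bringing tun0 up.
iface_has_inet() {
    out=$("$IFCONFIG" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | awk '
        $1 == "inet" && $2 != "0.0.0.0" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# pf_resync_wait IFACE TIMEOUT_SECS [INTERVAL_SECS]
# Polls iface_has_inet every INTERVAL_SECS (default 1) for up to TIMEOUT_SECS,
# then (re)loads PF_RULES.  Returns 0 when pfctl loaded the rules, 2 on
# timeout, and pfctl's own exit status if the load itself fails.
pf_resync_wait() {
    iface=$1; timeout=$2; interval=${3:-1}
    elapsed=0
    until iface_has_inet "$iface"; do
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "pf_resync_wait: $iface has no inet address after ${timeout}s" >&2
            return 2
        fi
        "$SLEEP" "$interval"
        elapsed=$((elapsed + interval))
    done
    "$PFCTL" -f "$PF_RULES"
}

# Stand-alone use: `pf-resync-wait tun0 60` (e.g. from rc.local, backgrounded,
# or from ppp.linkup as `!bg /path/to/pf-resync-wait tun0 60`).
if [ $# -gt 0 ]; then
    pf_resync_wait "$1" "${2:-60}" "${3:-1}"
fi
```

Two things worth checking alongside this in the posted pf.conf, without changing it as sent: an interface name used in address position, as in `to $ext_if port $tcp_services`, is expanded to the interface's addresses when the ruleset is loaded, so the load fails while tun0 does not exist yet, whereas `($ext_if)` in parentheses makes pf resolve the address at run time and follow later changes; and `set loginterface $ext_if` also names the interface directly. Running `pfctl -nf /etc/pf.conf` while ppp is down shows exactly which line pfctl rejects.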