From: Jonathan Weiss
To: freebsd-current@freebsd.org
Date: Sun, 06 Jun 2004 12:46:09 +0200
Subject: Loading the PF ruleset fails due to ppp
List-Id: Discussions about the use of FreeBSD-current

Hi folks,

I updated my 5.2.1 box to current today and changed from the PF-port to the new base-PF. Everything went fine, but when I rebooted the box, it hung when samba was starting up. The problem was that samba could not bind to its ports due to the default pf ruleset being loaded (only ssh-in is allowed).

The problem originates in the fact that I have a DSL modem and pppd connects on startup. Because I get only a dynamic IP, I use statements like this in my ruleset:

pass in on $tun_if inet proto tcp from any to ($tun_if) port 22 flags S/SA modulate state label

The ($tun_if) gives me the current IP of the tun0 interface and this is often used by users with dynamic IPs. The problem is that ppp is not fast enough for PF.

PF is starting up before ppp gets an IP for tun0, so loading the ruleset fails. While using the PF-port, the time lag between starting ppp and PF was big enough, as PF was started with the other third-party tools. With PF now in the base system, it is too fast for ppp.

Inserting a "sleep 10" in the pf_start() function in /etc/rc.d/pf solved my problem, as PF waits 10 seconds before loading the ruleset and ppp now gets the dynamic IP in time. Could we add the "sleep 10" or maybe a "sleep 5" in this function? I'm sure when current becomes 5.3 I won't be alone with my problem.

Greets,
Jonathan Weiss
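The fixed "sleep 10" described in the post works, but it races the same way on a slow link and wastes time on a fast one. The script below is an added example, not the poster's change and not FreeBSD's rc.d/pf: it polls the tunnel interface with ifconfig(8) until an IPv4 address appears (or a timeout expires), syntax-checks the ruleset with pfctl -n, and only then loads it. The interface name tun0, the 30-second timeout and the sample ifconfig output used for testing are assumptions; the address 192.0.2.10 is a constructed documentation-range value, not anyone's real IP.

```shell
#!/bin/sh
# Added example (not from the original post): load the pf ruleset only once
# the ppp tunnel interface actually has an IPv4 address, instead of sleeping
# a fixed number of seconds and hoping ppp has finished by then.

TUN_IF="${TUN_IF:-tun0}"            # assumed interface name, as in the post
PF_CONF="${PF_CONF:-/etc/pf.conf}"  # ruleset to load
MAX_WAIT="${MAX_WAIT:-30}"          # assumed upper bound in seconds

# has_inet_addr: read ifconfig(8) output on stdin and succeed (exit 0) if an
# IPv4 "inet a.b.c.d" line is present. "inet6" lines do not match because the
# pattern requires whitespace right after "inet".
has_inet_addr() {
    grep -Eq '^[[:space:]]*inet[[:space:]]+[0-9]+(\.[0-9]+){3}'
}

# wait_for_inet IF MAX: poll "ifconfig IF" once per second until the interface
# has an IPv4 address or MAX seconds have elapsed. Returns 0 on success, 1 on
# timeout (or if ifconfig is unavailable, since grep then sees no input).
wait_for_inet() {
    if_name=$1
    max=$2
    waited=0
    while [ "$waited" -lt "$max" ]; do
        if ifconfig "$if_name" 2>/dev/null | has_inet_addr; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# load_ruleset FILE: parse-only first (pfctl -n) so a file that fails to parse,
# e.g. because ($tun_if) still cannot be resolved, never replaces the ruleset
# currently in the kernel; then load it for real.
load_ruleset() {
    pfctl -nf "$1" || return 1
    pfctl -f "$1"
}

# pf_start_wait: what the post's pf_start() would call instead of "sleep 10".
# Refuses to load the ruleset if the interface never comes up, and says why.
pf_start_wait() {
    if wait_for_inet "$TUN_IF" "$MAX_WAIT"; then
        load_ruleset "$PF_CONF"
    else
        echo "$TUN_IF has no IPv4 address after ${MAX_WAIT}s; not loading $PF_CONF" >&2
        return 1
    fi
}

# Run only when invoked as "sh thisscript.sh run", so the functions can also be
# sourced from an rc script or exercised on their own.
if [ "${1:-}" = "run" ]; then
    pf_start_wait
fi
```

Calling pf_start_wait from pf_start() keeps the ordering fix local to the pf script, which is the spot the post identifies; the timeout turns an indefinite hang at boot into a logged failure, and the pfctl -n pass means a ruleset that cannot be resolved yet fails closed against the rules already loaded rather than leaving the host with no filter at all.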