From owner-freebsd-current@FreeBSD.ORG Fri Sep 4 20:11:33 2009
Date: Fri, 4 Sep 2009 15:11:32 -0500
From: Collin Kreklow
To: freebsd-current@freebsd.org
Message-ID: <20090904201132.GA17378@srv.home.kreklow.us>
References: <20090904165930.GA4160@alucard.int.rhavenn.net>
In-Reply-To: <20090904165930.GA4160@alucard.int.rhavenn.net>
Subject: Re: PF rules not loading

On Fri, Sep 04, 2009 at 08:59:30AM -0800, Henrik Hudson wrote:
> Hey List,
>
> I just finished supping to 8-BETA3 and after a reboot I noticed
> that my PF rules weren't loading and hence NAT wasn't working for
> internal clients, not to mention no firewall :)
>
> This might not be specific to BETA3, but it's the first time I
> noticed it concretely. I did have a power outage last week where
> after a power-on I had to run pfctl -f /etc/pf.conf to get NAT working
> again. This was under BETA2.

At the time the pf script runs during boot, all the network interfaces may not be fully configured. It is likely that your pf.conf includes rules that pf can't calculate because one or more network interfaces are not yet configured. I had to change my pf.conf to hard-code the IP ranges instead of using :network to get my rules to load on boot. Also make sure your script is using (xl0) where appropriate.

- Collin
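The following is an added example and not part of the thread or of FreeBSD's own pf scripts. It puts a boot-fragile pf.conf next to the hardened form Collin describes (a hard-coded LAN range instead of `$int_if:network`, and `($ext_if)` so pf re-reads the interface address at run time instead of once at rule-load time), and adds a small heuristic awk check that lists the rule lines pf would have to resolve at load time. The interface names xl0/xl1, the macro names and the 192.168.1.0/24 range are constructed for illustration; the check only recognises macros whose value looks like an interface name (letters followed by digits), so interface groups are not covered. The authoritative check remains `pfctl -nf /etc/pf.conf` on the live system.

```shell
#!/bin/sh
# Added example: boot-fragile vs. hardened pf.conf fragments, plus a heuristic
# check for addresses that pf resolves only once, at rule-load time.

# Constructed sample resembling the setup in the thread: interface addresses
# are looked up when the rules are loaded, which fails if the interface has no
# address yet (typical early in boot).
sample_fragile_conf() {
cat <<'EOF'
ext_if = "xl0"
int_if = "xl1"
# $int_if:network and a bare $ext_if are expanded once, when pfctl loads the file
nat on $ext_if from $int_if:network to any -> $ext_if
pass in on $int_if from $int_if:network to any
pass out on $ext_if from $ext_if to any
EOF
}

# Constructed hardened sample: the LAN range is hard-coded and the external
# address is written as ($ext_if), which pf re-evaluates whenever xl0 changes.
sample_hardened_conf() {
cat <<'EOF'
ext_if = "xl0"
int_if = "xl1"
lan_net = "192.168.1.0/24"
nat on $ext_if from $lan_net to any -> ($ext_if)
pass in on $int_if from $lan_net to any
pass out on $ext_if from ($ext_if) to any
EOF
}

# Read a pf.conf on stdin and print each rule line that uses an interface (or a
# macro holding an interface name) as an address without parentheses after
# from/to/->. Heuristic: "on $ext_if" is an interface clause, not an address,
# and is deliberately not flagged.
load_time_refs() {
    awk '
        NF == 0 { next }                       # blank line
        /^[[:space:]]*#/ { next }              # comment

        # macro definition: remember which macros hold an interface name
        /^[[:space:]]*[[:alnum:]_]+[[:space:]]*=/ {
            name = $0
            sub(/^[[:space:]]*/, "", name)
            sub(/[[:space:]]*=.*$/, "", name)
            val = $0
            sub(/^[^"]*"/, "", val)
            sub(/".*$/, "", val)
            if (val ~ /^[a-z]+[0-9]+$/) iface[name] = 1
            next
        }

        # rule line: walk the tokens and flag load-time interface addresses
        {
            n = split($0, tok, /[[:space:]]+/)
            prev = ""
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (substr(t, 1, 1) == "(") { prev = t; continue }   # (xl0): run-time lookup
                if ((prev == "from" || prev == "to" || prev == "->") && is_iface_ref(t)) {
                    printf "line %d: %s\n", NR, $0
                    next
                }
                prev = t
            }
        }

        function is_iface_ref(t,    base) {
            base = t
            sub(/:[[:alnum:]]+$/, "", base)          # strip :network, :broadcast, :0 ...
            if (substr(base, 1, 1) == "$") {
                base = substr(base, 2)
                return (base in iface)               # macro that expands to an interface
            }
            return (base ~ /^[a-z]+[0-9]+$/)         # literal interface name such as xl0
        }
    '
}

# Demonstration: the fragile fragment yields three findings, the hardened one none.
echo "boot-fragile rules (resolved once, at load time):"
sample_fragile_conf | load_time_refs
echo "hardened rules:"
sample_hardened_conf | load_time_refs
```

Running the check against a real file is just `load_time_refs < /etc/pf.conf`; every line it prints is a candidate for either a hard-coded network or the parenthesised interface form.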