From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Dan Langille"
Cc: freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules
Date: Sat, 10 Feb 2007 13:53:28 -0800
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 2/10/07, Dan Langille wrote:
>
> Hi folks,
>
> Yesterday I rebooted a server to load a new kernel. After the
> reboot, the firewall rules were not loaded.
>
> $ grep pf /etc/rc.conf
> pf_enable="YES"
> pflog_enable="YES"
> pf_rules="/etc/pf.rules"
>
> I never checked for the rules until today and found this:
>
> [dan@nyi:~] $ sudo pfctl -sa | less
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> FILTER RULES:
>
> INFO:
> Status: Enabled for 0 days 19:59:39           Debug: None
>
> Hostid: 0x36eae8cf
>
> State Table                          Total             Rate
>   current entries                        0
>   searches                         5515422           76.6/s
>
> etc...
>
> Loading the rules manually works:
>
> [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> [dan@nyi:~] $
>
> After loading, pfctl -sa shows the output I would expect.
>
> Ideas? Suggestions?
>
> Is anyone else using PF with a pf_rules specified?
>
> FWIW, I notice I have one host identified by FQDN in my rules.

I had this problem as well, and it is because at the time the pf rules
are loaded, the FQDN cannot be resolved. I believe that is because of
the "BEFORE: routing" dependency in /etc/rc.d/pf.

-- 
Kian Mohageri
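An added example, not part of either message in this thread: a small POSIX shell lint that flags the tokens in a pf ruleset that pfctl would have to resolve through DNS at load time, which is exactly what fails when the rules are loaded before the network is up. The sample ruleset, the host names and the interface name are constructed for illustration, and the hostname heuristic (a dotted token containing a letter) is the author's own, not anything pfctl does.

```shell
#!/bin/sh
# Added example (not from the list post). When pf loads its ruleset early in
# rc, before name resolution works, a single FQDN in the file makes the whole
# load fail and the host comes up with no rules. This lint finds such names
# so they can be replaced with IP literals or moved into a persistent table
# that is filled in once DNS is reachable.

# Constructed sample ruleset; hosts, networks and the interface are made up.
SAMPLE_RULES='
ext_if = "em0"
mgmt_net = "192.0.2.0/24"
table <trusted> persist
set skip on lo0
block in log on $ext_if all
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22 keep state
pass in on $ext_if proto tcp from admin.example.org to any port 443 flags S/SA
pass out on $ext_if from 198.51.100.7 to backup.example.net port 873
'

# pf_fqdn_tokens RULESET_FILE
# Prints, one per line and sorted, each distinct token that would need DNS
# at rule-load time. Heuristic (an assumption of this example): a dotted
# name containing at least one letter. That excludes IPv4 literals, CIDR
# blocks (they contain '/'), macros ($x), tables (<x>), interface names and
# keywords. Comments are stripped first; parentheses, quotes, braces and
# commas are treated as token separators.
pf_fqdn_tokens() {
    sed -e 's/#.*$//' "$1" \
      | tr -s ' \t(),"{}' '\n\n\n\n\n\n\n\n' \
      | grep -E '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' \
      | grep -E '[A-Za-z]' \
      | sort -u
}

# pf_rules_boot_safe RULESET_FILE
# Exit status 0 when nothing in the ruleset needs DNS, 1 otherwise; suitable
# as a pre-load check in a deployment script.
pf_rules_boot_safe() {
    [ -z "$(pf_fqdn_tokens "$1")" ]
}

# Demo: lint the constructed sample and report what would break the load.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo_file"
if pf_rules_boot_safe "$demo_file"; then
    echo "ruleset has no names that need DNS at load time"
else
    echo "names that must resolve before pf can load these rules:"
    pf_fqdn_tokens "$demo_file" | sed 's/^/  /'
fi
rm -f "$demo_file"
```

Run it against a real file with `pf_fqdn_tokens /etc/pf.rules`. The authoritative check is `pfctl -nf /etc/pf.rules`, but that parses and resolves names, so it only proves the point once DNS is already up; the lint above works without DNS. Two fixes for a flagged name: replace it with its address literal, or keep it out of the base ruleset by referencing a `table <name> persist` there and adding the host later (`pfctl -t name -T add host.example.org`) from a script that runs after the network is up.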