From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 00:46:18 2007
From: "Dan Langille"
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 Feb 2007 19:46:12 -0500
Subject: Re: pf starts, but no rules
Message-ID: <45D0C404.27182.257AAE28@dan.langille.org>
References: <45CDED58.2056.1A642A00@dan.langille.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On 10 Feb 2007 at 13:53, Kian Mohageri wrote:

> On 2/10/07, Dan Langille wrote:
> >
> > Hi folks,
> >
> > Yesterday I rebooted a server to load a new kernel. After the
> > reboot, the firewall rules were not loaded.
> >
> > $ grep pf /etc/rc.conf
> > pf_enable="YES"
> > pflog_enable="YES"
> > pf_rules="/etc/pf.rules"
> >
> > I never checked for the rules until today and found this:
> >
> > [dan@nyi:~] $ sudo pfctl -sa | less
> > Password:
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > FILTER RULES:
> >
> > INFO:
> > Status: Enabled for 0 days 19:59:39 Debug: None
> >
> > Hostid: 0x36eae8cf
> >
> > State Table Total Rate
> > current entries 0
> > searches 5515422 76.6/s
> >
> > etc...
> >
> > Loading the rules manually works:
> >
> > [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > [dan@nyi:~] $
> >
> > After loading, pfctl -sa shows the output I would expect.
> >
> > Ideas? Suggestions?
> >
> > Is anyone else using PF with a pf_rules specified?
> >
> > FWIW, I notice I have one host identified by FQDN in my rules.
>
> I had this problem as well, and it is because at the time the pf rules are
> loaded, the FQDN cannot be resolved. I believe that is because of the
> "BEFORE: routing" dependency in /etc/rc.d/pf.

Interesting... I just tried to reproduce the problem on a test server,
and was unable to. I'll keep trying.

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/
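As an added example that is not part of this thread: a ruleset fragment showing the fragile form (a hostname that pfctl must resolve while loading, which fails when DNS is not yet reachable at boot) beside a form that loads without DNS. The interface em0, the host admin.example.org and the table and file names are assumptions.

```pf
# --- Fragile: the name is resolved at load time -----------------------
# If DNS is unreachable when /etc/rc.d/pf runs, pfctl cannot resolve the
# host, the whole ruleset fails to load, and pf ends up enabled with no
# filter rules (exactly the empty "FILTER RULES:" seen above).
ext_if = "em0"
pass in on $ext_if proto tcp from admin.example.org to ($ext_if) port ssh

# --- Robust: keep addresses in a table, resolve the name later --------
# The table is populated from a file of literal addresses, so loading the
# ruleset needs no DNS. "persist" keeps the table even when it is empty.
# /etc/pf.admins (constructed) contains one address per line, e.g.
#   192.0.2.10
#   2001:db8::10
table <admins> persist file "/etc/pf.admins"
pass in on $ext_if proto tcp from <admins> to ($ext_if) port ssh
```

Once the network is up, `pfctl -t admins -T replace admin.example.org` resolves the name and refreshes the table without reloading the ruleset, so a stale or missing DNS answer at boot can no longer leave the host unfiltered.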