Date:      Tue, 13 Feb 2007 13:21:08 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf starts, but no rules
Message-ID:  <200702131321.18333.max@love2party.net>
In-Reply-To: <45CDED58.2056.1A642A00@dan.langille.org>
References:  <45CDED58.2056.1A642A00@dan.langille.org>


On Saturday 10 February 2007 22:05, Dan Langille wrote:
> Hi folks,
>
> Yesterday I rebooted a server to load a new kernel.  After the
> reboot, the firewall rules were not loaded.
>
> $ grep pf /etc/rc.conf
> pf_enable="YES"
> pflog_enable="YES"
> pf_rules="/etc/pf.rules"
>
> I never checked for the rules until today and found this:
>
>
>
> [dan@nyi:~] $ sudo pfctl -sa | less
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> FILTER RULES:
>
> INFO:
> Status: Enabled for 0 days 19:59:39             Debug: None
>
> Hostid: 0x36eae8cf
>
> State Table                          Total             Rate
>   current entries                        0
>   searches                         5515422           76.6/s
>
> etc...
>
> Loading the rules manually works:
>
> [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> [dan@nyi:~] $
>
> After loading, pfctl -sa shows the output I would expect.
>
> Ideas?  Suggestions?
>
> Is anyone else using PF with a pf_rules specified?
>
> FWIW, I notice I have one host identified by FQDN in my rules.

Check "dmesg -a" for error messages.  The FQDN is indeed one possible 
cause.  Other causes include dynamically created interfaces used in "set 
loginterface" or "set skip on" or as an address, but not surrounded 
with "()".

One possible solution that has been suggested would be to use a simple 
deny all but ssh/dns ruleset in the first stage and load the real ruleset 
once all interfaces are there and the resolver is working.  I'm willing 
to commit patches, though this is probably something best discussed on 
freebsd-rc@

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
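The two-stage loading Max sketches, written out as an added example (this is not code from the thread or from FreeBSD's own rc.d/pf script). The stage-1 ruleset, the rule paths, the 120 s timeout and the use of a `pfctl -n` dry run as the readiness test are all assumptions.

```shell
#!/bin/sh
# Stage 1: a tiny ruleset that needs no resolver and no dynamic interface.
# Stage 2: the real ruleset, loaded once a dry run of it parses cleanly.
RULES=${pf_rules:-/etc/pf.rules}          # assumed path, as in the thread
TIMEOUT=${pf_stage_timeout:-120}          # seconds to wait for stage 2

# Stage-1 ruleset: block everything except outbound DNS and inbound SSH.
stage1_rules() {
  cat <<'EOF'
set skip on lo0
block all
pass out quick proto { tcp udp } to any port 53 keep state
pass in quick proto tcp to any port 22 flags S/SA keep state
EOF
}

# Hostnames referenced by a ruleset: dotted tokens that are not IPv4
# addresses (macros, CIDR ranges, ports and interface names never match).
ruleset_hostnames() {
  sed -e 's/#.*//' "$1" | tr -s ' \t{},"' '\n' \
    | grep -E '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' \
    | grep -Ev '^[0-9.]+$' | sort -u
}

# Run "$@" once a second until it succeeds or $TIMEOUT seconds have passed.
wait_for() {
  i=0
  until "$@" >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -ge "$TIMEOUT" ] && return 1
    sleep 1
  done
}

# pfctl's parser resolves every hostname and expands every bare interface
# name, so both failure modes from the thread surface as a non-zero exit.
stage2_ready() { pfctl -n -f "$RULES"; }

main() {
  stage1_rules | pfctl -q -f -            # stage 1: safe default
  pfctl -e 2>/dev/null
  if wait_for stage2_ready; then
    pfctl -q -f "$RULES"                  # stage 2: the real ruleset
  else
    echo "pf: $RULES not loadable after ${TIMEOUT}s; hostnames it uses:" >&2
    ruleset_hostnames "$RULES" >&2
  fi
}

case "${1:-}" in --run) main ;; esac
```

Run with `--run` from an rc script that is ordered before the resolver-dependent services; without `--run` the file only defines the functions.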
