From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 12:21:43 2007
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Tue, 13 Feb 2007 13:21:08 +0100
In-Reply-To: <45CDED58.2056.1A642A00@dan.langille.org>
Message-Id: <200702131321.18333.max@love2party.net>
Subject: Re: pf starts, but no rules

On Saturday 10 February 2007 22:05, Dan Langille wrote:
> Hi folks,
>
> Yesterday I rebooted a server to load a new kernel. After the
> reboot, the firewall rules were not loaded.
>
> $ grep pf /etc/rc.conf
> pf_enable="YES"
> pflog_enable="YES"
> pf_rules="/etc/pf.rules"
>
> I never checked for the rules until today and found this:
>
> [dan@nyi:~] $ sudo pfctl -sa | less
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> FILTER RULES:
>
> INFO:
> Status: Enabled for 0 days 19:59:39           Debug: None
>
> Hostid: 0x36eae8cf
>
> State Table                        Total             Rate
>   current entries                      0
>   searches                       5515422           76.6/s
>
> etc...
>
> Loading the rules manually works:
>
> [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> [dan@nyi:~] $
>
> After loading, pfctl -sa shows the output I would expect.
>
> Ideas? Suggestions?
>
> Is anyone else using PF with a pf_rules specified?
>
> FWIW, I notice I have one host identified by FQDN in my rules.

Check "dmesg -a" for error messages. The FQDN is indeed one possible
cause. Other causes include dynamically created interfaces used in "set
loginterface" or "set skip on" or as an address, but not surrounded
with "()".

One possible solution that has been suggested would be to use a simple
deny all but ssh/dns ruleset in the first stage and load the real ruleset
once all interfaces are there and the resolver is working. I'm willing
to commit patches, though this is probably something best discussed on
freebsd-rc@

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
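The two-stage approach Max describes, written out as an added illustration that is not part of this thread: a bootstrap ruleset that needs neither the resolver nor any dynamically created interface, beside a full ruleset that avoids the load-time failures he lists. Interface names, file paths and addresses are assumed for the example.

```pf
# ---- Stage 1: /etc/pf.boot.rules (assumed path) ----------------------------
# Pointed to by pf_rules= in rc.conf, so it is what pf loads at boot.
# Nothing here needs DNS or an interface that may not exist yet, so the
# load cannot fail the way a ruleset with a bare FQDN or a not-yet-created
# interface can. Only ssh in and DNS out are allowed until stage 2 runs.
block all
pass in  proto tcp          from any to any port ssh    keep state
pass out proto { tcp, udp } from any to any port domain keep state

# ---- Stage 2: /etc/pf.rules (the real ruleset) -----------------------------
# Loaded later, once interfaces are up and the resolver works (for example
# from /etc/rc.local, an assumption; the thread leaves the mechanism open):
#   pfctl -nf /etc/pf.rules && pfctl -f /etc/pf.rules
ext_if = "em0"    # assumed physical interface
tun_if = "tun0"   # assumed dynamically created interface (e.g. by ppp)

# What breaks at boot (kept as comments, not loaded):
#   set loginterface tun0                   # tun0 absent -> load fails
#   set skip on tun0                        # same problem
#   pass in on $ext_if from mail.example.com to $ext_if
#       ^ bare FQDN is resolved at load time; no resolver -> load fails
#       ^ bare $ext_if as an address is expanded at load time

# What survives a boot: addresses or tables instead of names, and
# interfaces in parentheses so their addresses are looked up at run time.
table <mailhosts> { 192.0.2.25 }            # assumed address of the mail host
set skip on lo0

pass in  on $ext_if proto tcp from <mailhosts> to ($ext_if) port smtp keep state
pass in  on $ext_if proto tcp from any to ($ext_if) port ssh  keep state
pass out on $ext_if from ($ext_if) to any keep state
pass     on $tun_if from ($tun_if) to any keep state
```

The pfctl -n dry run in the stage 2 comment is the check worth keeping: it parses and resolves the ruleset without loading it, so a DNS or interface problem shows up before the bootstrap rules are replaced.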