From owner-freebsd-pf@FreeBSD.ORG Tue Feb 13 17:43:47 2007
From: "Dan Langille"
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Tue, 13 Feb 2007 12:43:39 -0500
Subject: Re: pf starts, but no rules
Message-ID: <45D1B27B.5615.291E28A7@dan.langille.org>
In-reply-to: <200702131321.18333.max@love2party.net>
References: <45CDED58.2056.1A642A00@dan.langille.org>, <200702131321.18333.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"
On 13 Feb 2007 at 13:21, Max Laier wrote:

> On Saturday 10 February 2007 22:05, Dan Langille wrote:
> > Hi folks,
> >
> > Yesterday I rebooted a server to load a new kernel. After the
> > reboot, the firewall rules were not loaded.
> >
> > $ grep pf /etc/rc.conf
> > pf_enable="YES"
> > pflog_enable="YES"
> > pf_rules="/etc/pf.rules"
> >
> > I never checked for the rules until today and found this:
> >
> > [dan@nyi:~] $ sudo pfctl -sa | less
> > Password:
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > FILTER RULES:
> >
> > INFO:
> > Status: Enabled for 0 days 19:59:39 Debug: None
> >
> > Hostid: 0x36eae8cf
> >
> > State Table Total Rate
> > current entries 0
> > searches 5515422 76.6/s
> >
> > etc...
> >
> > Loading the rules manually works:
> >
> > [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > [dan@nyi:~] $
> >
> > After loading, pfctl -sa shows the output I would expect.
> >
> > Ideas? Suggestions?
> >
> > Is anyone else using PF with a pf_rules specified?
> >
> > FWIW, I notice I have one host identified by FQDN in my rules.
>
> Check "dmesg -a" for error messages. The FQDN is indeed one possible
> cause. Other causes include dynamically created interfaces used in "set
> loginterface" or "set skip on" or as an address, but not surrounded
> with "()".
>
> One possible solution that has been suggested would be to use a simple
> deny all but ssh/dns ruleset in the first stage and load the real ruleset
> once all interfaces are there and the resolver is working. I'm willing
> to commit patches, though this is probably something best discussed on
> freebsd-rc@

Noted. Agreed. But personally, if I cannot reproduce it here, it's hard for me to test I have a fix. ;)

My plan was to empty the table of the FQDN, then add the FQDN into the table with an rc script later in the process. I don't really want to test this on the production machine.

I'll keep trying to reproduce it as I get the chance.

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/
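The two boot-time failure causes Max names above (a hostname that needs a working resolver, and an interface given to "set loginterface" or "set skip on" without the "()" that makes pf re-evaluate it dynamically) can be caught before a reboot by scanning the ruleset text. The following is an added example, not code from this thread or from FreeBSD: a small POSIX sh/awk lint that reports such lines so they can be fixed or moved into a later-stage ruleset. The sample rules it scans are constructed for the demonstration; they are not the poster's /etc/pf.rules, and the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): a lint for pf.conf-style rule files
# that flags rules which are likely to fail at boot because they depend on
# the resolver or on an interface that may not exist yet when pf loads.

# pf_lint FILE
#   Prints one line per finding, prefixed with the rule file's line number:
#   - a token that looks like a hostname (contains a dot and a letter, is not
#     a numeric address/CIDR, a quoted string or a file path) needs DNS at
#     load time;
#   - "set loginterface X" / "set skip on X" where X is a bare interface name
#     rather than "(X)" is bound once at load time, so a not-yet-created
#     interface makes the whole ruleset fail to load.
pf_lint() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                       # strip trailing comments
        n = split(line, tok, /[ \t,{}]+/)          # tokens, braces and commas dropped
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t ~ /\./ && t ~ /[A-Za-z]/ && t !~ /^[0-9.]+$/ \
                && t !~ /^"/ && t !~ /\//)
                printf "%d: hostname %s needs the resolver at load time\n", NR, t
        }
        if (line ~ /^[ \t]*set[ \t]+(loginterface|skip[ \t]+on)[ \t]+[A-Za-z]/)
            printf "%d: interface in \"%s\" is not wrapped in ()\n", NR, line
    }' "$1"
}

# pf_lint_sample
#   Runs the lint over a constructed rule file (assumed content, not the
#   poster's rules) and prints the findings.
pf_lint_sample() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample rules, not the poster's /etc/pf.rules
ext_if = "em0"
set loginterface em0
set skip on tun0
table <mail> { 10.0.0.5, mail.example.org }
block all
pass in on $ext_if proto tcp from any to mail.example.org port 25
pass in on $ext_if proto tcp from any to 10.0.0.5 port 22
EOF
    pf_lint "$tmp"
    rm -f "$tmp"
}

# usage: pf_lint /etc/pf.rules
pf_lint_sample
```

Run against the sample it reports lines 3 and 4 for the unparenthesised interfaces and lines 5 and 7 for mail.example.org. The check is deliberately simple: it does not parse brace lists inside "set skip on" and it flags every bare interface, including ones such as lo0 that always exist, so treat the output as a review list rather than a verdict. The corresponding fix on the interface side is "set skip on (tun0)", and on the hostname side either replacing the name with an address or, as the poster plans, keeping the table empty at boot and populating it from a later rc script once the resolver works.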