From owner-freebsd-stable@FreeBSD.ORG Fri Feb 25 22:31:22 2011
Date: Fri, 25 Feb 2011 14:31:19 -0800
From: Jeremy Chadwick
To: Vincent Hoffman
Cc: freebsd-stable@freebsd.org
Subject: Re: 8.2-RELEASE pf rules not loading
Message-ID: <20110225223119.GA13109@icarus.home.lan>
In-Reply-To: <4D682BFE.9050702@unsane.co.uk>
References: <4D67E2BC.6070202@unsane.co.uk> <4D682BFE.9050702@unsane.co.uk>
List-Id: Production branch of FreeBSD source code

On Fri, Feb 25, 2011 at 10:23:58PM +0000, Vincent Hoffman wrote:
> On 25/02/2011 17:35, Josh Carroll wrote:
> >> Hi All,
> >> Just upgraded my home machine to 8.2-RELEASE via
> >> freebsd-update remotely (spare time at work.) and on reboot my pf
> >> ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
> >> does start it fine though. Any suggestions on debugging or shall I just
> >> try a verbose boot and watch the console when I get home?
> >> I still have
> >>
> >> pf_enable="YES" # Set to YES to enable packet filter (pf)
> >> pflog_enable="YES" # Set to YES to enable packet filter
> >> logging
> >>
> >> in /etc/rc.conf
> > Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
> >
> > ifconfig_="DHCP"
> >
> > to
> >
> > ifconfig_="SYNCDHCP"
> >
> > It's possible the network hasn't come up properly yet or there is no
> > IP assigned.
> >
> > Failing that, you can set:
> >
> > rc_debug="YES"
> >
> > in rc.conf then watch at boot time if there are any odd messages when
> > it attempts to start pf.
>
> It turns out that it's sort of related to this. I have an IPv6 tunnel
> from H.E. (tunnelbroker.net) and from looking at the boot output, it
> looks like the IPv6 addresses (for any of my interfaces) aren't applied
> until after pf starts. I'd say this is a bug. Oddly this didn't happen
> for the release candidate I tried, although I think I may have modified
> my rules and not rebooted until I upgraded.
> The rules in question are:
>
> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services
> keep state
> and
> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services
> $sf_tcp
> (ext_if = "ue0")
>
> I'll try changing $ext_if to the ipv6 address and see if that helps.

Please look at pf.conf(5) and search for the word "parentheses" (it should be
under the "from x to x" section). This might resolve your problem.

--
| Jeremy Chadwick jdc@parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP 4BD6C0CB |
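The parenthesised interface form that Jeremy's reply points to, written out against the two rules from the thread. This is an added example, not from the thread; the gif(4) interface name, the service lists and the `$sf_tcp` definition are assumed, only `ue0` and the macro names come from Vincent's message.

```conf
# /etc/pf.conf fragment (constructed example)
ext_if   = "ue0"                    # from the thread
gif_if   = "gif0"                   # assumed name of the tunnelbroker gif(4) interface
tcp_services = "{ ssh, http }"      # assumed
udp_services = "{ domain }"         # assumed
sf_tcp   = "flags S/SA keep state"  # assumed expansion of $sf_tcp

# Before: a bare interface name in an address position ("to $ext_if") is
# expanded into ue0's current addresses once, when pfctl parses the file.
# If ue0 has no IPv6 address at that moment (rc.d/pf runs before the tunnel
# and IPv6 addresses are configured), pfctl cannot resolve the inet6 rule
# and rejects the ruleset, which is why nothing is loaded at boot but a
# later "/etc/rc.d/pf start" works.
#
# pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
# pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

# After: "($ext_if)" tells pf to track the interface's addresses at run time
# (pf.conf(5), "from x to x"). The rules load whether or not ue0 already has
# an IPv6 address and start matching as soon as one is assigned.
pass in quick on $gif_if inet6 proto udp to ($ext_if) port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp
```

`pfctl -nvf /etc/pf.conf` parses the file without loading it, so running it both early in boot (from a debug shell) and after the addresses are up shows whether a rule still depends on an address that is not there yet.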