From owner-freebsd-questions@FreeBSD.ORG Mon Jun 4 21:18:27 2007
From: Volker
Date: Mon, 04 Jun 2007 23:17:38 +0200
To: freebsd-questions@freebsd.org
Cc: freebsd-pf
Subject: Re: fbsd 6.2 pf starts -- but not on boot
Message-ID: <46648172.3060307@vwsoft.com>
In-Reply-To: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com>
References: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com>

On 06/04/07 23:03, snowcrash+freebsd wrote:
> hi,
>
> i've fbsd 6.2R/p5, with pf compiled into a custom kernel.
>
> on boot, pf is, apparently, not starting.
>
> but, if i exec
>
> /etc/rc.d/pf start
>
> immediately after boot to prompt is done, then all's OK.
>
> the only related (?) messages -- error or otherwise -- i've found are
> on startup.
>
> any ideas/suggestions as to what might be the prob? and/or how to
> troubleshoot?
>
> thanks!
>
> for reference, from console output @ startup,
>
> ----------------------------------------
> ...
> sis0: link state changed to UP
> sis1: link state changed to UP
> lo0: flags=8049 mtu 16384
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> inet6 ::1 prefixlen 128
> inet 127.0.0.1 netmask 0xff000000
> sis0: flags=8843 mtu 1492
> options=48
> inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
> ether 00:00:12:d4:15:88
> media: Ethernet autoselect (100baseTX )
> status: active
> sis1: flags=8843 mtu 1492
> options=48
> ether 00:00:12:d4:15:89
> media: Ethernet autoselect (100baseTX )
> status: active
> Starting pflog.
> pflog0: promiscuous mode enabled
> Enabling pf.
> Jun 4 13:38:11 pflogd[479]: [priv]: msg PRIV_OPEN_LOG received
> pfctl: DIOCSETSTATUSIF
> pf enabled
> ...

snow,

without seeing your pf.conf ruleset, I guess you're using a ppp
connection to your upstream provider and firewalling on the tunX
interface (using tun0 as $ext_if). As FreeBSD boots up, this interface
does not yet exist when pf is loaded. As soon as ppp is loaded and
interface tun0 has been created, pf will happily load your ruleset.

The solution is to either have pf rules loaded late (later than ppp is
started) or use anchors and load ext rules into the anchor when the ppp
interface is up. The easier option is to have the rules loaded late
(check using rcorder) but this may also fail if something goes wrong
with ppp.

HTH
Volker
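The anchor approach from the reply above, worked through as an added example; this is editor-written code, not Volker's or the FreeBSD project's, and it is not part of the thread. The file names (/etc/pf.ppp.conf, /usr/local/sbin/pf-linkup.sh), the anchor name "ppp", the ext_if macro and the ppp.linkup hook line are all assumptions; the only things taken from the thread are the tun0 interface and the boot-order problem itself. The script refuses to load the anchor while the interface is still absent, which is exactly the state pf is in when /etc/rc.d/pf runs before ppp has created tun0.

```shell
#!/bin/sh
# Added example (not from the thread): load the rules that reference the
# ppp interface into a pf anchor only once that interface exists.
#
# Assumed setup (hypothetical file names and contents):
#   /etc/pf.conf keeps everything that does not need tun0 and declares
#   the anchor that the ppp-dependent rules will be loaded into:
#       anchor "ppp"
#   /etc/pf.ppp.conf holds the tun0 rules, written against $ext_if:
#       block in on $ext_if all
#       pass out on $ext_if all keep state
#   /etc/ppp/ppp.linkup runs this script in the background on link-up:
#       MYADDR:
#        !bg /usr/local/sbin/pf-linkup.sh tun0

PF_ANCHOR="${PF_ANCHOR:-ppp}"               # anchor name declared in /etc/pf.conf
PF_RULES="${PF_RULES:-/etc/pf.ppp.conf}"    # rules that need the ppp interface
PFCTL="${PFCTL:-/sbin/pfctl}"
IFCONFIG="${IFCONFIG:-/sbin/ifconfig}"

# iface_exists NAME: succeed when ifconfig can show the interface.
iface_exists() {
    "$IFCONFIG" "$1" >/dev/null 2>&1
}

# load_anchor NAME: replace the anchor's ruleset with $PF_RULES, passing the
# interface name in as the ext_if macro (pfctl -D), but refuse to touch pf
# while the interface is still missing, which is the boot-time case.
load_anchor() {
    _if="$1"
    if ! iface_exists "$_if"; then
        echo "pf-linkup: $_if not present, leaving anchor $PF_ANCHOR untouched" >&2
        return 1
    fi
    "$PFCTL" -q -a "$PF_ANCHOR" -D "ext_if=$_if" -f "$PF_RULES"
}

# flush_anchor: drop the anchor's rules again, for use from ppp.linkdown.
flush_anchor() {
    "$PFCTL" -q -a "$PF_ANCHOR" -F rules
}

# Run as a script: "pf-linkup.sh tun0" loads, "pf-linkup.sh down" flushes.
case "${1:-}" in
    "")     ;;                      # no argument: define functions only
    down)   flush_anchor ;;
    *)      load_anchor "$1" ;;
esac
```

Two caveats that follow from the boot log quoted above. The `pfctl: DIOCSETSTATUSIF` line is the ioctl behind `set loginterface`, so a `set loginterface tun0` in the main /etc/pf.conf will keep failing at boot regardless of anchors; it has to name an interface that exists at boot or move out of the main ruleset. And to verify the ordering the reply asks about, `rcorder /etc/rc.d/*` prints the order in which the rc scripts run; if pf is listed before the script that starts ppp, the main ruleset cannot reference tun0 at that point.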