From owner-freebsd-questions@FreeBSD.ORG Mon Jun 4 22:37:26 2007
From: snowcrash+freebsd
Sender: schneecrash@gmail.com
To: mikhailg@webanoide.org, volker@vwsoft.com
Date: Mon, 4 Jun 2007 15:37:25 -0700
Message-ID: <70f41ba20706041537laba6223v8c879e344d799052@mail.gmail.com>
In-Reply-To: <46648172.3060307@vwsoft.com>
References: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com> <46648172.3060307@vwsoft.com>
Cc: freebsd-questions@freebsd.org, freebsd-pf
Subject: Re: fbsd 6.2 pf starts -- but not on boot
Reply-To: freebsd-questions@freebsd.org
List-Id: User questions

On 6/4/07, Volker wrote:
> without seeing your pf.conf ruleset,

Happy to send/post if required/helpful ...

> I guess you're using a ppp connection to your upstream provider and
> firewalling on the tunX interface (using tun0 as $ext_if).

You're absolutely correct here.

> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded.

Clear.

> As soon as ppp is loaded and interface tun0 has been created, pf will
> happily load your ruleset.

Aha. Does that suggest that I'm simply not waiting long enough? Your following comments suggest otherwise, iiuc, that I need to proactively _do_ something different ...

> The solution is to either have pf rules loaded late (later than ppp is
> started)

Clearly, simply including pf-related items in rc.conf after pppoe-related items is not sufficient. I'll take a look at "rcorder" ... which I wasn't aware of at all. Thanks!

> or use anchors and load ext rules into the anchor when the ppp
> interface is up.

I hadn't thought of using anchors in this fashion. I'm off to google, but any good examples you can reference?

> The easier is to have the rules loading late (check using rcorder) but
> this may also fail if something goes wrong with ppp.
I /thought/ I'd dealt with the intfc/ppp/pf ordering issue, configuring:

cat /etc/ppp/ppp.linkup
------------------------------------
ppp1:
 ! sh -c "/sbin/pfctl -ef /usr/local/etc/pf/pf.conf"
 !bg sh -c "echo `/bin/date` `/etc/bin/ip` ppp.linkup >> /etc/ppp/log"
------------------------------------

cat /etc/ppp/ppp.linkdown
------------------------------------
ppp1:
 !bg route delete HISADDR ppp1
 !bg pfctl -F all -d
------------------------------------

cat /etc/ppp/ppp.conf
------------------------------------
default:
 set device PPPoE:sis1:
 set speed sync
 set ctsrts off
 set dial
 set login
 set cd 10
 set timeout 0
 set redial 0 0
 enable lqr
 set lqrperiod 20
 set log Phase tun command
 add default HISADDR
 enable tcpmssfixup
 disable dns

ppp1:
 set authname me@myisp.com
 set authkey ############
 set MRU 1492
 set MTU 1492
------------------------------------

Are these NOT supposed to address/solve the problem? Or are the configs wrong?

Mikhail Goriachev wrote:
> Just a shot in the dark. You are probably putting hostnames in your
> pf.conf instead of IPs. PF starts before Bind. So it can't resolve
> hostnames in the rules and hence doesn't start.

Heh. A good call, but I'd already made THAT mistake a month or so ago. ;-) Thanks though!
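An added example of the anchor approach Volker describes above; this is not code from the thread and not the poster's configuration. It is a POSIX sh helper that ppp.linkup calls once the tun interface exists, loading the external-interface rules into a pf anchor, and that ppp.linkdown calls to flush only that anchor. It also carries a small check over an rcorder listing for whether pf is ordered before ppp, which is the boot-time condition being discussed. The script path /usr/local/sbin/pf-ext.sh, the anchor name "ext", the sample rules, the rcorder listing in the usage note and the use of ppp's INTERFACE macro in ppp.linkup are all assumptions made for the example. One caveat on the ppp.linkdown posted above: pfctl -F all -d disables the packet filter entirely when the link drops, not just the rules for that link; flushing the anchor alone leaves the rules on other interfaces in force.

```shell
#!/bin/sh
# pf-ext.sh: constructed example (not from the thread). Loads the rules for a
# ppp tun interface into a pf anchor when ppp brings the link up, and flushes
# that anchor, and nothing else, when the link goes down.
#
# Assumed pf.conf has, where the external-interface rules should apply:
#   anchor "ext"
#
# Assumed ppp.linkup / ppp.linkdown entries (INTERFACE is ppp's macro for
# the tun device name; script path and anchor name are assumptions):
#   ppp1:
#    ! sh -c "/usr/local/sbin/pf-ext.sh up INTERFACE"
#   ppp1:
#    ! sh -c "/usr/local/sbin/pf-ext.sh down"

PFCTL="${PFCTL:-/sbin/pfctl}"
ANCHOR="${ANCHOR:-ext}"

# Render the external-interface ruleset for the given interface name.
# An anchor ruleset loaded with -a does not see macros from pf.conf, so the
# interface name is substituted here instead of via $ext_if. The rules are
# a sample: default-deny inbound, stateful outbound, ssh inbound.
render_ext_rules() {
    iface="$1"
    cat <<EOF
block in log on $iface all
pass out on $iface proto { tcp udp icmp } from ($iface) to any keep state
pass in on $iface proto tcp from any to ($iface) port 22 flags S/SA keep state
EOF
}

# Load the rendered rules into the anchor from stdin ("-f -").
load_ext_rules() {
    render_ext_rules "$1" | "$PFCTL" -a "$ANCHOR" -f -
}

# Flush only the anchor's rules; pf stays enabled and the main ruleset stays.
flush_ext_rules() {
    "$PFCTL" -a "$ANCHOR" -F rules
}

# Read an rcorder listing (one script path per line) from stdin and return 0
# when script "$1" is ordered before script "$2", 1 otherwise. Used to confirm
# the boot-order problem: rc_runs_before pf ppp succeeding means pf loads
# its rules before ppp has created the tun interface.
rc_runs_before() {
    awk -v a="$1" -v b="$2" '
        { n = split($0, p, "/"); name = p[n] }
        name == a && !pa { pa = NR }
        name == b && !pb { pb = NR }
        END { exit !(pa && pb && pa < pb) }'
}

# Dispatch when run as a command; does nothing when sourced for the functions.
case "${1:-}" in
    up)   load_ext_rules "$2" ;;
    down) flush_ext_rules ;;
esac
```

To run the order check against the real boot sequence on the box in question: rcorder /etc/rc.d/* | rc_runs_before pf ppp && echo "pf loads before ppp". Loading only the external rules from the hook, rather than the whole pf.conf with pfctl -ef as in the posted ppp.linkup, also means the rules for the internal interfaces are in place from boot regardless of whether ppp ever comes up.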