Date: Mon, 4 Jun 2007 15:37:25 -0700
From: snowcrash+freebsd <schneecrash+freebsd@gmail.com>
To: mikhailg@webanoide.org, volker@vwsoft.com
Cc: freebsd-questions@freebsd.org, freebsd-pf <freebsd-pf@freebsd.org>
Subject: Re: fbsd 6.2 pf starts -- but not on boot
Message-ID: <70f41ba20706041537laba6223v8c879e344d799052@mail.gmail.com>
In-Reply-To: <46648172.3060307@vwsoft.com>
References: <70f41ba20706041403q1d51ac75jee625130ea4ed10@mail.gmail.com> <46648172.3060307@vwsoft.com>
On 6/4/07, Volker <volker@vwsoft.com> wrote:

> without seeing your pf.conf ruleset,

happy to send/post if required/helpful ...

> I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).

you're absolutely correct here.

> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded.

clear.

> As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.

aha. does that suggest that i'm simply not waiting long enough? your
following comments suggest otherwise, iiuc, that i need to proactively
_do_ something different ...

> The solution is to either have pf rules loaded late (later than ppp is
> started)

clearly, simply including pf-related items in rc.conf after pppoe-related
items is not sufficient. i'll take a look at "rcorder" ... which i wasn't
aware of at all. thanks!

> or use anchors and load ext rules into the anchor when the
> ppp interface is up.

i hadn't thought of using anchors in this fashion. i'm off to google, but
any good examples you can reference?

> The easier is to have the rules loading late
> (check using rcorder) but this may also fail if something goes wrong
> with ppp.

i /thought/ i'd dealt with the intfc/ppp/pf ordering issue, configuring,

cat /etc/ppp/ppp.linkup
------------------------------------
ppp1:
 ! sh -c "/sbin/pfctl -ef /usr/local/etc/pf/pf.conf"
 !bg sh -c "echo `/bin/date` `/etc/bin/ip` ppp.linkup >> /etc/ppp/log"
------------------------------------

cat /etc/ppp/ppp.linkdown
------------------------------------
ppp1:
 !bg route delete HISADDR ppp1
 !bg pfctl -F all -d
------------------------------------

cat /etc/ppp/ppp.conf
------------------------------------
default:
 set device PPPoE:sis1:
 set speed sync
 set ctsrts off
 set dial
 set login
 set cd 10
 set timeout 0
 set redial 0 0
 enable lqr
 set lqrperiod 20
 set log Phase tun command
 add default HISADDR
 enable tcpmssfixup
 disable dns

ppp1:
 set authname me@myisp.com
 set authkey ############
 set MRU 1492
 set MTU 1492
------------------------------------

are these NOT supposed to address/solve the problem? or are the configs wrong?

Mikhail Goriachev <mikhailg@webanoide.org>

> Just a shot in the dark. You are probably putting hostnames in your
> pf.conf instead of IPs. PF starts before Bind. So it can't resolve
> hostnames in the rules and hence doesn't start.

heh. a good call, but, i'd already made THAT mistake a month or so ago. ;-)
thanks though!
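Added example (not part of the thread, and not Volker's or the poster's configuration): one way to do the anchor approach Volker mentions, so that the static part of the ruleset loads at boot while the tun0-specific rules are loaded by ppp's link-up hook once the interface and its address exist. Everything here is assumed for illustration: the anchor name "ext", the script path /usr/local/sbin/pf-ext-up.sh, and the small constructed rule set inside gen_ext_rules. The one thing taken from ppp(8) itself is that ppp.linkup/ppp.linkdown commands get the INTERFACE and MYADDR macros expanded, which is how the script learns the tunnel name and address instead of looking them up. With this layout pf.conf is loaded by the normal rc machinery and contains the line `anchor "ext"` among its static rules; the caveat is that pf.conf itself must then not use the tunnel's address in a form pfctl resolves at load time (an unparenthesized `$ext_if` used as an address), or the boot-time load still fails; the runtime-resolved `($ext_if)` form, or keeping all address-bearing rules in the anchor as below, avoids that.

```shell
#!/bin/sh
# pf-ext-up.sh (hypothetical path: /usr/local/sbin/pf-ext-up.sh)
#
# Added example, not from the thread. Loads the rules that depend on the
# ppp tunnel into a pf anchor from ppp's link hooks. Assumed wiring:
#
#   /etc/pf.conf (static, loaded at boot):  anchor "ext"
#   /etc/ppp/ppp.linkup:    !bg /usr/local/sbin/pf-ext-up.sh INTERFACE MYADDR
#   /etc/ppp/ppp.linkdown:  !bg /usr/local/sbin/pf-ext-up.sh -d
#
# INTERFACE and MYADDR are ppp(8) macros, expanded to e.g. tun0 and
# the address the ISP assigned, so the script never has to wait for
# or probe the interface itself.

PFCTL="${PFCTL:-/sbin/pfctl}"   # overridable so the script can be dry-run
ANCHOR="ext"                    # must match the anchor line in pf.conf

# Emit the tunnel-specific rules. $1 = interface name, $2 = our address.
# The rule set is constructed for illustration: a real one would list the
# services actually exposed on the external interface.
gen_ext_rules() {
    iface=$1
    myaddr=$2
    cat <<EOF
# generated by pf-ext-up.sh for $iface ($myaddr)
scrub in on $iface all
block in log on $iface all
pass out on $iface inet proto { tcp udp icmp } from $myaddr to any keep state
pass in on $iface inet proto tcp from any to $myaddr port ssh flags S/SA keep state
EOF
}

# Replace the anchor's contents with freshly generated rules. pfctl -a
# loads into the named anchor only; the static ruleset is untouched.
load_ext_anchor() {
    gen_ext_rules "$1" "$2" | "$PFCTL" -a "$ANCHOR" -f -
}

# Flush the anchor on link-down so rules for a stale address do not linger;
# the static rules (and pf itself) stay enabled.
flush_ext_anchor() {
    "$PFCTL" -a "$ANCHOR" -F rules
}

# Number of non-comment rules the generator emits; a cheap sanity check
# before a real load.
count_ext_rules() {
    gen_ext_rules "$1" "$2" | grep -cv '^#'
}

# Entry point when invoked from ppp; with no arguments only the functions
# above are defined (so the file can be sourced or tested).
if [ "$1" = "-d" ]; then
    flush_ext_anchor
elif [ $# -eq 2 ]; then
    load_ext_anchor "$1" "$2"
fi
```

Because ppp runs the hook after the interface is configured, the rules are always loaded against an interface that exists, which is exactly the ordering problem the boot-time pfctl -ef in the poster's ppp.linkup runs into when ppp has not come up yet. Setting PFCTL to a stand-in command lets you inspect what would be loaded without touching the live firewall.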