Date: Tue, 5 Jun 2007 03:40:06 +0100
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: fbsd 6.2 pf starts -- but not on boot
Message-ID: <20070605034006.030f188f@gumby.homeunix.com.>
In-Reply-To: <46648172.3060307@vwsoft.com>

On Mon, 04 Jun 2007 23:17:38 +0200
Volker wrote:

> without seeing your pf.conf ruleset, I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).
>
> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded. As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.
>
> The solution is to either have pf rules loaded late (later than ppp is
> started) or use anchors and load ext rules into the anchor when the
> ppp interface is up. The easier is to have the rules loading late
> (check using rcorder) but this may also fail if something goes wrong
> with ppp.

The ppp rc.d script resyncs pf and ipfilter, to pick-up new interfaces,
so that shouldn't be needed.