Date: Tue, 13 Feb 2007 13:21:08 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules
Message-ID: <200702131321.18333.max@love2party.net>
In-Reply-To: <45CDED58.2056.1A642A00@dan.langille.org>
References: <45CDED58.2056.1A642A00@dan.langille.org>
On Saturday 10 February 2007 22:05, Dan Langille wrote:
> Hi folks,
>
> Yesterday I rebooted a server to load a new kernel. After the
> reboot, the firewall rules were not loaded.
>
> $ grep pf /etc/rc.conf
> pf_enable="YES"
> pflog_enable="YES"
> pf_rules="/etc/pf.rules"
>
> I never checked for the rules until today and found this:
>
> [dan@nyi:~] $ sudo pfctl -sa | less
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> FILTER RULES:
>
> INFO:
> Status: Enabled for 0 days 19:59:39 Debug: None
>
> Hostid: 0x36eae8cf
>
> State Table Total Rate
> current entries 0
> searches 5515422 76.6/s
>
> etc...
>
> Loading the rules manually works:
>
> [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> [dan@nyi:~] $
>
> After loading, pfctl -sa shows the output I would expect.
>
> Ideas? Suggestions?
>
> Is anyone else using PF with a pf_rules specified?
>
> FWIW, I notice I have one host identified by FQDN in my rules.

Check "dmesg -a" for error messages. The FQDN is indeed one possible
cause. Other causes include dynamically created interfaces used in "set
loginterface" or "set skip on" or as an address, but not surrounded
with "()".

One possible solution that has been suggested would be to use a simple
deny all but ssh/dns ruleset in the first stage and load the real ruleset
once all interfaces are there and the resolver is working.
I'm willing to commit patches, though this is probably something best
discussed on freebsd-rc@

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200702131321.18333.max>
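The two load-time failure modes Max lists (a bare FQDN that needs a working resolver, and a dynamically created interface named without "()") and the two-stage load he suggests, as an added example that is not part of the original thread or of FreeBSD's rc scripts. The FQDN and interface scanners are heuristic text passes over pf.conf syntax and do not expand macros; the resolve/ifexists/load hooks are placeholders so the logic can be exercised without pf; the boot-time interface list, the sample ruleset and the `pfctl -f -` invocation in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.d/pf.
# Pre-flight check for a pf ruleset that will be loaded early at boot,
# plus a two-stage loader: a minimal "deny all but ssh/dns" ruleset first,
# the real ruleset once its dependencies are satisfied.

# List every bare FQDN referenced in the ruleset. pfctl resolves these at
# load time, so they make the boot-time load fail if the resolver is not
# up yet. Heuristic: a dotted token that is not an IPv4 address or CIDR
# (macros, tables and "(ifname)" never match). Comments are stripped first.
pf_ruleset_fqdns() {
    sed -e 's/#.*$//' -e 's/[{},]/ /g' "$1" |
    tr -s ' \t' '\n\n' |
    grep -E '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+\.?$' |
    grep -Ev '^[0-9]+(\.[0-9]+){3}$' |
    sort -u
}

# List interface names used bare (not "(ifname)") after "on", "loginterface",
# "from" or "to" that are not in the space-separated list of interfaces
# known to exist at boot ($2). A bare name is resolved once at load time and
# the load fails if the interface does not exist yet; "(ifname)" is tracked
# dynamically instead. Macros such as $ext_if are not expanded (assumption:
# the operator lists the physical interfaces they expand to in $2).
pf_ruleset_bare_ifaces() {
    sed -e 's/#.*$//' -e 's/[{},]/ /g' "$1" |
    awk -v present="$2" '
        BEGIN { n = split(present, a, " "); for (j = 1; j <= n; j++) have[a[j]] = 1 }
        {
            for (i = 1; i < NF; i++) {
                t = $(i + 1)
                if (($i == "on" || $i == "loginterface" || $i == "from" || $i == "to") &&
                    t ~ /^[a-z]+[0-9]+$/ && t != "inet6" && !(t in have))
                    print t
            }
        }' | sort -u
}

# Stage one: a ruleset with no FQDNs and no cloned interfaces, so it loads
# before the resolver and before tun/gif/pflog devices exist. Everything is
# blocked except SSH in and DNS out; state keeps the replies flowing.
# On the host this would be loaded with, e.g., pf_stage1_rules | pfctl -f -
pf_stage1_rules() {
    cat <<'EOF'
set skip on lo0
block all
pass in proto tcp from any to any port 22 keep state
pass out proto { tcp, udp } from any to any port 53 keep state
EOF
}

# True when every FQDN resolves and every bare interface exists.
# $2 / $3 are commands taking one argument (hooks; on FreeBSD something like
# 'host -t A' and a wrapper around 'ifconfig <if>' would do), $4 is the
# boot-time interface list.
pf_deps_ready() {
    rules=$1; resolve=$2; ifexists=$3
    for h in $(pf_ruleset_fqdns "$rules"); do
        $resolve "$h" || return 1
    done
    for i in $(pf_ruleset_bare_ifaces "$rules" "$4"); do
        $ifexists "$i" || return 1
    done
    return 0
}

# Stage two: poll up to $5 times, one second apart, and hand the real
# ruleset to $6 (e.g. 'pfctl -f') once it can load. Returns 2 on timeout,
# 3 if the loader itself failed, so rc can log which one happened.
pf_stage2_load() {
    rules=$1; n=$5; load=$6
    while [ "$n" -gt 0 ]; do
        if pf_deps_ready "$rules" "$2" "$3" "$4"; then
            $load "$rules" && return 0
            return 3
        fi
        n=$((n - 1))
        [ "$n" -gt 0 ] && sleep 1
    done
    return 2
}

# Usage on a host (not run here):
#   pf_stage1_rules | pfctl -f -
#   pf_stage2_load /etc/pf.rules resolve_hook ifexists_hook "em0 lo0" 60 "pfctl -f"
```

Running `pf_ruleset_fqdns /etc/pf.rules` and `pf_ruleset_bare_ifaces /etc/pf.rules "$(ifconfig -l)"` before a reboot answers the question in the thread before the reboot does: anything either prints is a candidate for failing the boot-time `pf_rules=` load and should either become an address in a table, an `(ifname)` reference, or move to the second stage.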