Date: Fri, 25 Feb 2011 14:31:19 -0800
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: Vincent Hoffman <vince@unsane.co.uk>
Cc: freebsd-stable@freebsd.org
Subject: Re: 8.2-RELEASE pf rules not loading
Message-ID: <20110225223119.GA13109@icarus.home.lan>
In-Reply-To: <4D682BFE.9050702@unsane.co.uk>
References: <4D67E2BC.6070202@unsane.co.uk> <AANLkTin9ZHd%2BABKm6Z_ek9QD1CVKmb9W-bRe2ZRYj1pn@mail.gmail.com> <4D682BFE.9050702@unsane.co.uk>
On Fri, Feb 25, 2011 at 10:23:58PM +0000, Vincent Hoffman wrote:
> On 25/02/2011 17:35, Josh Carroll wrote:
> >> Hi All,
> >> Just upgraded my home machine to 8.2-RELEASE via
> >> freebsd-update remotely (spare time at work.) and on reboot my pf
> >> ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
> >> does start it fine though. Any suggestions on debugging or shall I just
> >> try a verbose boot and watch the console when I get home?
> >> I still have
> >>
> >> pf_enable="YES" # Set to YES to enable packet filter (pf)
> >> pflog_enable="YES" # Set to YES to enable packet filter
> >> logging
> >>
> >> in /etc/rc.conf
> > Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
> >
> > ifconfig_<ifacename>="DHCP"
> >
> > to
> >
> > ifconfig_<ifacename>="SYNCDHCP"
> >
> > It's possible the network hasn't come up properly yet or there is no
> > IP assigned.
> >
> > Failing that, you can set:
> >
> > rc_debug="YES"
> >
> > in rc.conf then watch at boot time if there are any odd messages when
> > it attempts to start pf.
> >
> It turns out that it's sort of related to this. I have an IPv6 tunnel
> from H.E. (tunnelbroker.net) and from looking at the boot output, it
> looks like the IPv6 addresses (for any of my interfaces) aren't applied
> until after pf starts. I'd say this is a bug. Oddly this didn't happen
> for the release candidate I tried, although I think I may have modified
> my rules and not rebooted until I upgraded.
> The rules in question are:
>
> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services
> keep state
> and
> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services
> $sf_tcp
> (ext_if = "ue0")
>
> I'll try changing $ext_if to the ipv6 address and see if that helps.

Please look at pf.conf(5) and search for the word "parentheses" (it should be under the "from x to x" section). This might resolve your problem.
-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP 4BD6C0CB  |
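To show what the pf.conf(5) "parentheses" hint means for the rules quoted above, here is an added pf.conf fragment that is not part of the thread. A bare `$ext_if` in a `to` clause is expanded to the interface's addresses when pfctl loads the ruleset, so if ue0 has no IPv6 address yet (as at boot before the tunnel is up) there is nothing to substitute and the load fails; `($ext_if)` tells pf to look up the interface's current addresses each time the rule is evaluated. The `gif_if`, service-list and `sf_tcp` values are assumed, since the thread only shows `ext_if`.

```conf
# Added example, not Vincent's actual ruleset. Only ext_if = "ue0" comes
# from the thread; the other macro values are assumed for illustration.
ext_if       = "ue0"
gif_if       = "gif0"                    # assumed: the HE tunnel interface
udp_services = "{ 53, 123 }"             # assumed
tcp_services = "{ 22, 80, 443 }"         # assumed
sf_tcp       = "flags S/SA keep state"   # assumed content of $sf_tcp

# Failing form (kept commented out so this file still loads as a whole):
# "to $ext_if" is resolved to ue0's IPv6 address(es) at load time. With
# no IPv6 address on ue0 when /etc/rc.d/pf runs at boot, pfctl has no
# address to put in the rule and the ruleset is not loaded.
#pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
#pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

# Working form: "to ($ext_if)" keeps the interface name in the rule and pf
# fetches ue0's current addresses at evaluation time, so the ruleset loads
# before the tunnel is up and the rules start matching once the IPv6
# addresses are assigned after pf has started.
pass in quick on $gif_if inet6 proto udp to ($ext_if) port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; note that on a running system where ue0 already has its IPv6 address the bare `$ext_if` form parses too, so the check only reproduces the boot-time failure if run before the address is assigned.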