Date: Tue, 13 Feb 2007 12:43:39 -0500
From: "Dan Langille" <dan@langille.org>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf starts, but no rules
Message-ID: <45D1B27B.5615.291E28A7@dan.langille.org>
In-Reply-To: <200702131321.18333.max@love2party.net>
References: <45CDED58.2056.1A642A00@dan.langille.org>, <200702131321.18333.max@love2party.net>
On 13 Feb 2007 at 13:21, Max Laier wrote:

> On Saturday 10 February 2007 22:05, Dan Langille wrote:
> > Hi folks,
> >
> > Yesterday I rebooted a server to load a new kernel. After the
> > reboot, the firewall rules were not loaded.
> >
> > $ grep pf /etc/rc.conf
> > pf_enable="YES"
> > pflog_enable="YES"
> > pf_rules="/etc/pf.rules"
> >
> > I never checked for the rules until today and found this:
> >
> > [dan@nyi:~] $ sudo pfctl -sa | less
> > Password:
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > FILTER RULES:
> >
> > INFO:
> > Status: Enabled for 0 days 19:59:39    Debug: None
> >
> > Hostid: 0x36eae8cf
> >
> > State Table                 Total         Rate
> >   current entries               0
> >   searches                5515422       76.6/s
> >
> > etc...
> >
> > Loading the rules manually works:
> >
> > [dan@nyi:~] $ sudo pfctl -f /etc/pf.rules
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > [dan@nyi:~] $
> >
> > After loading, pfctl -sa shows the output I would expect.
> >
> > Ideas? Suggestions?
> >
> > Is anyone else using PF with a pf_rules specified?
> >
> > FWIW, I notice I have one host identified by FQDN in my rules.
>
> Check "dmesg -a" for error messages. The FQDN is indeed one possible
> cause. Other causes include dynamically created interfaces used in "set
> loginterface" or "set skip on" or as an address, but not surrounded
> with "()".
>
> One possible solution that has been suggested would be to use a simple
> deny all but ssh/dns ruleset in the first stage and load the real ruleset
> once all interfaces are there and the resolver is working. I'm willing
> to commit patches, though this is probably something best discussed on
> freebsd-rc@

Noted. Agreed. But personally, if I cannot reproduce it here, it's hard
for me to test I have a fix. ;)

My plan was to empty the table of the FQDN, then add the FQDN into the
table with an rc script later in the process. I don't really want to
test this on the production machine.

I'll keep trying to reproduce it as I get the chance.

-- 
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/
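The two causes Max names above (a hostname that needs the resolver, and an interface referenced before it exists) can both be caught before a reboot by reading the ruleset rather than by rebooting a production box. The script below is an added example for this thread; it is not code from Dan, Max, or FreeBSD, and the sample ruleset it lints is constructed for the demonstration (the hostnames, addresses and interface names in it are made up). It is a text-pattern check only: it never calls pfctl, it exempts lo*, and it flags any other bare interface name whether or not that interface is created dynamically, so the output is a list to review, not a verdict.

```shell
#!/bin/sh
# Pre-flight lint for a pf ruleset that must load early at boot.
# Added example, not from the thread or from FreeBSD. Reports:
#   hostname        an address token that needs DNS (e.g. ns1.example.org)
#   bare-interface  an interface used as an address without "()", which
#                   pfctl expands at load time and cannot if it is absent
#   loginterface /  interface named in "set loginterface" / "set skip on";
#   skip-on         verify it exists at the point pf_rules is loaded
# Assumption: rules use the usual "from X to Y" / "{ a, b }" layout.

# pf_lint_rules FILE
# Prints one line per finding: "<kind> <token> line <n>".
# Returns 1 if anything was flagged, 0 if the file looks safe to load early.
pf_lint_rules() {
    awk '
    function report(kind, tok) { print kind, tok, "line", NR; found = 1 }
    function is_host(t) {
        # dotted name whose last label is alphabetic: "ns1.example.org" yes,
        # "10.0.0.1" no, "<table>", "$macro", "(em0)", "fe80::1" no
        return t ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z][A-Za-z0-9-]*$/
    }
    function is_iface(t) {
        # bare interface or interface modifier (em0, tun0:network); lo* exempt
        return t ~ /^[a-z]+[0-9]+(:[a-z]+)?$/ && t !~ /^lo[0-9]+/
    }
    {
        sub(/#.*/, "")            # drop comments
        gsub(/[{},]/, " & ")      # make braces and commas their own tokens
        if ($1 == "set" && $2 == "loginterface" && NF >= 3 && $3 !~ /^\(/)
            report("loginterface", $3)
        if ($1 == "set" && $2 == "skip" && $3 == "on")
            for (i = 4; i <= NF; i++)
                if ($i !~ /^[{},]$/ && $i !~ /^\(/ && $i !~ /^lo[0-9]+$/)
                    report("skip-on", $i)
        inaddr = 0; braces = 0
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t == "from" || t == "to") { inaddr = 1; continue }
            if (!inaddr) continue
            if (t == "{") { braces = 1; continue }
            if (t == "}") { braces = 0; inaddr = 0; continue }
            if (t == "," || t == "!") continue
            if (is_host(t)) report("hostname", t)
            else if (is_iface(t)) report("bare-interface", t)
            if (!braces) inaddr = 0   # single address ends the from/to clause
        }
    }
    END { exit found ? 1 : 0 }
    ' "$1"
}

# write_sample_rules
# Writes a constructed ruleset (not anyone's real /etc/pf.rules) to a temp
# file and prints its path. It contains each failure mode once on purpose.
write_sample_rules() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample; every name and address here is made up
ext_if = "em0"
table <admins> persist { 192.0.2.10 }
set loginterface tun0
set skip on { lo0, tun0 }
block all
pass in on $ext_if proto tcp from ns1.example.org to ($ext_if) port 53
pass in on $ext_if proto tcp from { 192.0.2.0/24, tun0 } to (em0) port 22
pass out on $ext_if from (em0) to any
EOF
    printf '%s\n' "$f"
}

# Stand-alone use: lint the file given as $1, otherwise the constructed sample.
if [ -f "${1:-}" ]; then
    pf_lint_rules "$1"
else
    sample=$(write_sample_rules)
    pf_lint_rules "$sample" || true
    rm -f "$sample"
fi
```

On the sample it reports the loginterface and skip-on uses of tun0, the hostname on line 7 and the bare tun0 inside the braces on line 8, and says nothing about lo0 or the parenthesised (em0) and ($ext_if). Anything it lists is a candidate for the two-stage approach Max describes: keep it out of the ruleset that pf_rules loads, and add it later (for a hostname, into a table with `pfctl -t <name> -T add` once the resolver works) from a script that runs after the interfaces are up.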