Re: pf rules not being loaded during boot on 7.1-PRERELEASE
On Thu, Oct 02, 2008 at 09:57:55PM +0100, Bruce Cran wrote:
> I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE. I
> rebooted it today but despite pf_enable="YES" being in /etc/rc.conf no
> rules got loaded during boot, despite pf itself having been enabled:
>
> router# pfctl -s rules
> router# pfctl -e -f /etc/pf.conf
> pfctl: pf already enabled
> [connection is closed due to new rules being loaded]
> router# pfctl -s rules
> scrub in all fragment reassemble
> [... lots of rules listed]
>
> Has anyone else seen this problem, or have I just missed something
> that's changed between 7.0 and 7.1 in the way pf works?
I was seeing something similar on my own box which I just upgraded from
a 150-day-old RELENG_6 to present RELENG_6. pfctl -s rules output no
rules. pfctl -s info showed packet counters, but no interface stats
(due to the rules not being loaded, e.g. no loginterface).
kldstat showed pflog.ko and pf.ko loaded.
If I did /etc/rc.d/pf start, the rules would be loaded, and everything
started working as expected.
I rebooted the box and saw the following on serial console, which I'm
pretty sure is what's responsible for the breakage:
Enabling pf.
Oct 3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
cannot determine interface bandwidth for bge0, specify an absolute
bandwidth
altq not defined on bge0
altq not defined on bge0
/conf/ME/pf.conf:52: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:53: errors in queue definition
altq not defined on bge0
/conf/ME/pf.conf:54: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
pf enabled
I'd recommend you check your kernel console log on boot-up and see if
anything is showing up there. I'm about to go digging to find out
what's wrong with my ALTQ rules.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
Re: pf rules not being loaded during boot on 7.1-PRERELEASE
On 10/04/08 01:22, Bruce Cran wrote:
> On Sat, 04 Oct 2008 00:40:45 +0200
> Volker <volker@vwsoft.com> wrote:
>> You seem to have a rule like:
>>
>> pass ... on tun0 from any to tun0 ...
>>
>> If you change that into:
>>
>> pass ... on tun0 from any to (tun0) ...
>>
>> pf will happily parse your rules and activate your firewall even while
>> tun0 does not already have an IP address. You may also try to use
>> rules naming an interface family instead of a single interface.
>
> You're right - I mostly used lines with (tun0) but line 45 didn't have
> the brackets. I've just added them, rebooted and pf loaded the rules
> during boot.
>
Well, sometimes my crystal ball works ;)
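A pre-flight check for the two boot-time failures this thread turns up, written as an added example rather than anything posted to the list: a bare interface name used in a from/to address position (which pf expands to the interface's addresses at load time, so it fails when the interface has no address yet at boot; Volker's `(tun0)` form is resolved at runtime instead), and an `altq on <if>` line with no explicit `bandwidth`, which makes pf ask the driver for the link speed, as in Jeremy's console log. The ruleset and the interface list below are constructed for the example; on a real box the list would come from `ifconfig -l`, and the authoritative check is still `pfctl -nf /etc/pf.conf` run on the router itself, since this script does not expand macros or understand the full pf.conf grammar.

```python
"""Lint a pf.conf for two things that parse fine on a running system but can
fail when the ruleset is loaded early at boot (added example, not the poster's
configuration)."""

# Constructed sample ruleset; not anyone's real /etc/pf.conf.
SAMPLE_PF_CONF = """\
# constructed sample ruleset
altq on bge0 cbq queue { std, ssh }
queue std bandwidth 50% cbq(default)
queue ssh bandwidth 25% priority 6
scrub in all fragment reassemble
block in all
pass in on tun0 proto tcp from any to tun0 port 22
pass in on tun0 proto tcp from any to (tun0) port 80
pass in on tun0 proto tcp from any to { tun0, bge0 } port 443
pass out on bge0 from (bge0:network) to any
"""

# Constructed interface list; in practice take it from `ifconfig -l`.
INTERFACES = {"tun0", "bge0", "lo0"}


def _tokens(line):
    """Drop the trailing comment and split a line into tokens, treating
    braces and commas as separate tokens so address lists can be walked."""
    line = line.split("#", 1)[0]
    for ch in "{},":
        line = line.replace(ch, f" {ch} ")
    return line.split()


def _addr_tokens(toks):
    """Yield every token that sits in a from/to address position, including
    the members of a { a, b } list and after a '!' negation."""
    i = 0
    while i < len(toks):
        if toks[i] in ("from", "to"):
            i += 1
            if i < len(toks) and toks[i] == "!":
                i += 1
            if i < len(toks) and toks[i] == "{":
                i += 1
                while i < len(toks) and toks[i] != "}":
                    if toks[i] not in (",", "!"):
                        yield toks[i]
                    i += 1
            elif i < len(toks):
                yield toks[i]
        i += 1


def bare_interface_addresses(line, interfaces):
    """Interface names used bare (no parentheses) in an address position.
    '(tun0)' and '(bge0:network)' are dynamic and skipped; 'tun0' and
    'tun0:network' are expanded at load time and reported."""
    return [
        t for t in _addr_tokens(_tokens(line))
        if not t.startswith("(") and t.split(":")[0] in interfaces
    ]


def altq_without_bandwidth(line):
    """True for an 'altq on <if> ...' line that gives no explicit bandwidth."""
    toks = _tokens(line)
    return len(toks) >= 3 and toks[0] == "altq" and toks[1] == "on" \
        and "bandwidth" not in toks


def lint(conf_text, interfaces):
    """Return (line number, message) findings for the whole ruleset."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        for name in bare_interface_addresses(raw, interfaces):
            findings.append((n, f"bare interface {name!r} in address position; "
                                f"write ({name}) so the address is resolved at runtime"))
        if altq_without_bandwidth(raw):
            findings.append((n, "altq without an explicit bandwidth; pf has to "
                                "query the driver for the link speed"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_PF_CONF, INTERFACES):
        print(f"pf.conf:{lineno}: {msg}")
```

Run it against the sample and it flags line 2 (the altq line), line 7 (`to tun0`) and line 9 twice (both members of the list); lines 8 and 10 pass because their interface references are parenthesized.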