Re: pf rules not being loaded during boot on 7.1-PRERELEASE - FreeBSD


  1. Re: pf rules not being loaded during boot on 7.1-PRERELEASE

    On Thu, Oct 02, 2008 at 09:57:55PM +0100, Bruce Cran wrote:
    > I recently upgraded my i386 router from 7.0 to 7.1-PRERELEASE. I
    > rebooted it today but despite pf_enable="YES" being in /etc/rc.conf no
    > rules got loaded during boot, despite pf itself having been enabled:
    >
    > router# pfctl -s rules
    > router# pfctl -e -f /etc/pf.conf
    > pfctl: pf already enabled
    > [connection is closed due to new rules being loaded]
    > router# pfctl -s rules
    > scrub in all fragment reassemble
    > [... lots of rules listed]
    >
    > Has anyone else seen this problem, or have I just missed something
    > that's changed between 7.0 and 7.1 in the way pf works?


    I was seeing something similar on my own box which I just upgraded from
    a 150-day-old RELENG_6 to present RELENG_6. pfctl -s rules output no
    rules. pfctl -s info showed packet counters, but no interface stats
    (due to the rules not being loaded, e.g. no loginterface).

    kldstat showed pflog.ko and pf.ko loaded.

    If I did /etc/rc.d/pf start, the rules would be loaded, and everything
    starts working as expected.

    I rebooted the box and saw the following on serial console, which I'm
    pretty sure is what's responsible for the breakage:

    Enabling pf.
    Oct 3 04:14:51 pflogd[374]: [priv]: msg PRIV_OPEN_LOG received
    cannot determine interface bandwidth for bge0, specify an absolute
    bandwidth
    altq not defined on bge0
    altq not defined on bge0
    /conf/ME/pf.conf:52: errors in queue definition
    altq not defined on bge0
    /conf/ME/pf.conf:53: errors in queue definition
    altq not defined on bge0
    /conf/ME/pf.conf:54: errors in queue definition
    pfctl: Syntax error in config file: pf rules not loaded
    pf enabled

    I'd recommend you check your kernel console log on boot-up and see if
    anything is showing up there. I'm about to go digging to find out
    what's wrong with my ALTQ rules.

    --
    | Jeremy Chadwick jdc at parodius.com |
    | Parodius Networking http://www.parodius.com/ |
    | UNIX Systems Administrator Mountain View, CA, USA |
    | Making life hard for others since 1977. PGP: 4BD6C0CB |

    _______________________________________________
    freebsd-stable@freebsd.org mailing list
    http://lists.freebsd.org/mailman/lis...freebsd-stable
    To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"


  2. Re: pf rules not being loaded during boot on 7.1-PRERELEASE

    On 10/04/08 01:22, Bruce Cran wrote:
    > On Sat, 04 Oct 2008 00:40:45 +0200
    > Volker wrote:
    >> You seem to have a rule like:
    >>
    >> pass ... on tun0 from any to tun0 ...
    >>
    >> If you change that into:
    >>
    >> pass ... on tun0 from any to (tun0) ...
    >>
    >> pf will happily parse your rules and activate your firewall even while
    >> tun0 does not already have an IP address. You may also try to use
    >> rules naming an interface family instead of a single interface.

    >
    > You're right - I mostly used lines with (tun0) but line 45 didn't have
    > the brackets. I've just added them, rebooted and pf loaded the rules
    > during boot.
    >


    Well, sometimes my crystal ball works
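The failure in this thread is a rule whose `from`/`to` operand is a bare interface name (`tun0`) that has no address yet when `/etc/rc.d/pf` runs, so the whole ruleset is rejected; writing it as `(tun0)` lets pf resolve the address dynamically. The following is an added example, not code from the thread or from FreeBSD: a small POSIX sh/awk lint that flags such lines in a pf.conf so they can be caught before a reboot. The sample config is constructed, the interface-name pattern is a heuristic (letters followed by digits), and macros such as `$ext_if` are not expanded.

```shell
#!/bin/sh
# Added example: flag pf.conf rules whose "from"/"to" operand is a bare
# interface name. pf expands such operands to the interface's addresses
# at load time, so they fail to parse if the interface (e.g. a PPP tun0)
# has no address yet during boot. "(tun0)" is resolved dynamically instead.

# Constructed sample ruleset (stands in for /etc/pf.conf in the thread).
SAMPLE_CONF=$(cat <<'EOF'
# ext_if macro is not expanded by this lint
ext_if = "tun0"
pass in  on tun0 from any to (tun0) port 22
pass out on tun0 from tun0 to any
block in on tun0 from any to tun0
pass in  on tun0 from any to ($ext_if)
EOF
)

# lint_pf_conf CONFIG_TEXT
# Prints "LINE: rule" for every rule with a bare interface name directly
# after "from" or "to". Returns 1 if any were found, 0 if the text is clean.
lint_pf_conf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }          # skip comments
        /^[[:space:]]*$/ { next }          # skip blank lines
        {
            for (i = 1; i < NF; i++) {
                # heuristic: an interface name is letters followed by digits,
                # e.g. tun0 or bge0; "(tun0)" does not match because of "("
                if (($i == "from" || $i == "to") && $(i+1) ~ /^[a-z]+[0-9]+$/) {
                    printf "%d: %s\n", NR, $0
                    bad++
                    break
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: report offending lines of the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    lint_pf_conf "$SAMPLE_CONF"
fi
```

Run it against the real file with `sh lint.sh --demo` replaced by `lint_pf_conf "$(cat /etc/pf.conf)"`; a clean result still does not replace `pfctl -nf /etc/pf.conf`, which is what pf itself reports syntax errors through.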

