Re: 8.2-RELEASE pf rules not loading

Board: FB_stable, posted 2011/02/26 11:01
On Fri, 25 Feb 2011 17:31, freebsd@ wrote:
> On Fri, Feb 25, 2011 at 10:23:58PM +0000, Vincent Hoffman wrote:
>> On 25/02/2011 17:35, Josh Carroll wrote:
>>>> Hi All,
>>>> Just upgraded my home machine to 8.2-RELEASE via
>>>> freebsd-update remotely (spare time at work.) and on reboot my pf
>>>> ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
>>>> does start it fine though. Any suggestions on debugging or shall I just
>>>> try a verbose boot and watch the console when I get home?
>>>> I still have
>>>>
>>>> pf_enable="YES" # Set to YES to enable packet filter (pf)
>>>> pflog_enable="YES" # Set to YES to enable packet filter logging
>>>>
>>>> in /etc/rc.conf
>>> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
>>>
>>> ifconfig_<ifacename>="DHCP"
>>>
>>> to
>>>
>>> ifconfig_<ifacename>="SYNCDHCP"
>>>
>>> It's possible the network hasn't come up properly yet or there is no
>>> IP assigned.
>>>
>>> Failing that, you can set:
>>>
>>> rc_debug="YES"
>>>
>>> in rc.conf then watch at boot time if there are any odd messages when
>>> it attempts to start pf.
>>>
>> It turns out that it's sort of related to this. I have an IPv6 tunnel
>> from H.E. (tunnelbroker.net) and from looking at the boot output, it
>> looks like the IPv6 addresses (for any of my interfaces) aren't applied
>> until after pf starts. I'd say this is a bug. Oddly this didn't happen
>> for the release candidate I tried, although I think I may have modified
>> my rules and not rebooted until I upgraded.
>> The rules in question are:
>>
>> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
>> and
>> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
>> (ext_if = "ue0")
>>
>> I'll try changing $ext_if to the ipv6 address and see if that helps.
>
> Please look at pf.conf(5) and search for the word "parentheses" (should
> be under the "from x to x" section. This might resolve your problem.
>

Adding to this and as someone else has already advised in a different way
is to use synchronous_dhclient="YES" in rc.conf(5) will most likely result
in your rules loading properly.

--
jhell
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
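
Added example, not part of the original thread: the pf.conf(5) "parentheses" hint applied to the two rules quoted above. The gif_if, udp_services, tcp_services and sf_tcp values are assumptions, since the thread only gives ext_if = "ue0".

```conf
# /etc/pf.conf fragment (illustrative; macro values other than ext_if are assumed)
ext_if       = "ue0"                     # from the thread
gif_if       = "gif0"                    # assumed name of the H.E. tunnel interface
udp_services = "{ 53 }"                  # assumed
tcp_services = "{ 22 }"                  # assumed
sf_tcp       = "flags S/SA keep state"   # assumed expansion of the poster's macro

# Before: a bare interface name used as an address is resolved once, when
# the ruleset is loaded. If ue0 has no inet6 address yet (pf starts before
# the IPv6 addresses are applied), the ruleset fails to load at boot.
#pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
#pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

# After: with the interface name in parentheses, pf tracks the interface's
# addresses and updates the rule whenever they change, so the ruleset loads
# even if ue0 has no inet6 address at that moment.
pass in quick on $gif_if inet6 proto udp to ($ext_if) port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -sr` after a reboot confirms the rules are actually active rather than the host having come up unfiltered.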
Article ID (AID): #1DQ6plp_ (FB_stable)