pf starts, but no rules

Max Laier max at love2party.net
Tue Feb 13 12:21:43 UTC 2007 

On Saturday 10 February 2007 22:05, Dan Langille wrote:
> Hi folks,
>
> Yesterday I rebooted a server to load a new kernel.  After the
> reboot, the firewall rules were not loaded.
>
> $ grep pf /etc/rc.conf
> pf_enable="YES"
> pflog_enable="YES"
> pf_rules="/etc/pf.rules"
>
> I never checked for the rules until today and found this:
>
>
>
> [dan at nyi:~] $ sudo pfctl -sa | less
> Password:
> No ALTQ support in kernel
> ALTQ related functions disabled
> FILTER RULES:
>
> INFO:
> Status: Enabled for 0 days 19:59:39             Debug: None
>
> Hostid: 0x36eae8cf
>
> State Table                          Total             Rate
>   current entries                        0
>   searches                         5515422           76.6/s
>
> etc...
>
> Loading the rules manually works:
>
> [dan at nyi:~] $ sudo pfctl -f /etc/pf.rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> [dan at nyi:~] $
>
> After loading, pfctl -sa shows the output I would expect.
>
> Ideas?  Suggestions?
>
> Is anyone else using PF with a pf_rules specified?
>
> FWIW, I notice I have one host identified by FQDN in my rules.

Check "dmesg -a" for error messages.  The FQDN is indeed one possible 
cause.  Other causes include dynamically created interfaces used in "set 
loginterface" or "set skip on" or as an address, but not surrounded 
with "()".

One possible sollution that has been suggested would be to use a simple 
deny all but ssh/dns ruleset in the first stage and load the real ruleset 
once all interfaces are there and the resolver is working.  I'm willing 
to commit patches, though this is probably something best discussed on 
freebsd-rc@

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20070213/b1ff0259/attachment.pgp

More information about the freebsd-pf mailing list