pf starts, but no rules
Dan Langille
dan at langille.org
Tue Feb 13 17:43:47 UTC 2007
On 13 Feb 2007 at 13:21, Max Laier wrote:
> On Saturday 10 February 2007 22:05, Dan Langille wrote:
> > Hi folks,
> >
> > Yesterday I rebooted a server to load a new kernel. After the
> > reboot, the firewall rules were not loaded.
> >
> > $ grep pf /etc/rc.conf
> > pf_enable="YES"
> > pflog_enable="YES"
> > pf_rules="/etc/pf.rules"
> >
> > I never checked for the rules until today and found this:
> >
> >
> >
> > [dan at nyi:~] $ sudo pfctl -sa | less
> > Password:
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > FILTER RULES:
> >
> > INFO:
> > Status: Enabled for 0 days 19:59:39 Debug: None
> >
> > Hostid: 0x36eae8cf
> >
> > State Table Total Rate
> > current entries 0
> > searches 5515422 76.6/s
> >
> > etc...
> >
> > Loading the rules manually works:
> >
> > [dan at nyi:~] $ sudo pfctl -f /etc/pf.rules
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > [dan at nyi:~] $
> >
> > After loading, pfctl -sa shows the output I would expect.
> >
> > Ideas? Suggestions?
> >
> > Is anyone else using PF with a pf_rules specified?
> >
> > FWIW, I notice I have one host identified by FQDN in my rules.
>
> Check "dmesg -a" for error messages. The FQDN is indeed one possible
> cause. Other causes include dynamically created interfaces used in "set
> loginterface" or "set skip on" or as an address, but not surrounded
> with "()".
>
> One possible solution that has been suggested would be to use a simple
> deny all but ssh/dns ruleset in the first stage and load the real ruleset
> once all interfaces are there and the resolver is working. I'm willing
> to commit patches, though this is probably something best discussed on
> freebsd-rc@
Noted. Agreed.
But personally, if I cannot reproduce it here, it's hard for me to
test I have a fix. ;) My plan was to empty the table of the
FQDN, then add the FQDN into the table with an rc script later in the
process. I don't really want to test this on the production machine.
I'll keep trying to reproduce it as I get the chance.
--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
PGCon - The PostgreSQL Conference - http://www.pgcon.org/