On 6/4/07, Volker <[EMAIL PROTECTED]> wrote:
> without seeing your pf.conf ruleset,
Happy to send/post if required/helpful ...
> I guess you're using a ppp
> connection to your upstream provider and firewalling on the tunX
> interface (using tun0 as $ext_if).
You're absolutely correct here.
> As FreeBSD boots up, this interface does not yet exist when pf is
> loaded.
Clear.
> As soon as ppp is loaded and interface tun0 has been created,
> pf will happily load your ruleset.
Aha. Does that suggest that I'm simply not waiting long enough? Your
following comments suggest otherwise, IIUC, that I need to proactively
_do_ something different ...
> The solution is to either have pf rules loaded late (later than ppp is
> started)
Clearly, simply including pf-related items in rc.conf after
pppoe-related items is not sufficient.
I'll take a look at "rcorder" ... which I wasn't aware of at all. Thanks!
> or use anchors and load ext rules into the anchor when the
> ppp interface is up.
I hadn't thought of using anchors in this fashion.
I'm off to google, but any good examples you can reference?
> The easier is to have the rules loading late
> (check using rcorder) but this may also fail if something goes wrong
> with ppp.
I /thought/ I'd dealt with the intfc/ppp/pf ordering issue, configuring,
cat /etc/ppp/ppp.linkup
------------------------------------
ppp1:
 ! sh -c "/sbin/pfctl -ef /usr/local/etc/pf/pf.conf"
 !bg sh -c "echo `/bin/date` `/etc/bin/ip` ppp.linkup >> /etc/ppp/log"
------------------------------------
cat /etc/ppp/ppp.linkdown
------------------------------------
ppp1:
 !bg route delete HISADDR ppp1
 !bg pfctl -F all -d
------------------------------------
cat /etc/ppp/ppp.conf
------------------------------------
default:
 set device PPPoE:sis1:
 set speed sync
 set ctsrts off
 set dial
 set login
 set cd 10
 set timeout 0
 set redial 0 0
 enable lqr
 set lqrperiod 20
 set log Phase tun command
 add default HISADDR
 enable tcpmssfixup
 disable dns
ppp1:
 set authname [EMAIL PROTECTED]
 set authkey ############
 set MRU 1492
 set MTU 1492
------------------------------------
Are these NOT supposed to address/solve the problem? Or are the configs wrong?
Mikhail Goriachev <[EMAIL PROTECTED]> wrote:
> Just a shot in the dark. You are probably putting hostnames in your
> pf.conf instead of IPs. PF starts before Bind. So it can't resolve
> hostnames in the rules and hence doesn't start.
Heh. A good call, but I'd already made THAT mistake a month or so ago. ;-)
Thanks though!
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
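The anchor approach Volker suggests, written out as an added example (this is not code from the thread, nor from the FreeBSD pf or ppp projects). The idea is that the ruleset pf loads at boot names nothing that depends on tun0 existing, just "block all" and an empty anchor, and every rule that mentions the PPP interface is loaded into that anchor from ppp.linkup once the link is actually up. The script path /usr/local/sbin/pf-ext.sh, the anchor name "ext", the rules themselves and the use of ppp(8)'s INTERFACE macro to pass the tun device name to the hook are all assumptions; if your ppp does not substitute INTERFACE, pass the interface name literally. The pfctl options used (-a to address an anchor, -f - to read a ruleset from stdin, -F rules to flush an anchor's rules) are standard pfctl(8).

```shell
#!/bin/sh
# pf-ext.sh: keep every rule that names the PPP interface in a pf anchor and
# load it from ppp.linkup, so the boot-time ruleset never references tun0.
# Added example, not from the thread; paths and the anchor name are assumptions.
#
# Assumed boot-time /etc/pf.conf (nothing here needs tun0 to exist):
#     set skip on lo0
#     block all
#     anchor "ext"
#
# Assumed /etc/ppp/ppp.linkup (INTERFACE is assumed to be ppp's macro for the
# tun device; substitute the literal name if your ppp does not expand it):
#     ppp1:
#      ! sh -c "/usr/local/sbin/pf-ext.sh up INTERFACE"
# Assumed /etc/ppp/ppp.linkdown:
#     ppp1:
#      ! sh -c "/usr/local/sbin/pf-ext.sh down INTERFACE"

PFCTL="${PFCTL:-/sbin/pfctl}"   # overridable so the script can be exercised without pf
ANCHOR="${ANCHOR:-ext}"

# Print the anchor ruleset for interface $1 to stdout.
# The name is checked first: it is spliced into a ruleset, so a stray argument
# reaching the hook must not be able to smuggle rules of its own in.
ext_rules() {
    case "$1" in
        ''|*[!a-z0-9]*)
            echo "pf-ext: refusing interface name '$1'" >&2
            return 1 ;;
    esac
    cat <<EOF
ext_if = "$1"
# RFC1918 sources have no business arriving from the provider side
block in quick on \$ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any
block in log on \$ext_if all
pass out on \$ext_if proto { tcp, udp, icmp } all keep state
# inbound ssh to the link's own, dynamically assigned, address
pass in on \$ext_if proto tcp from any to (\$ext_if) port 22 flags S/SA keep state
EOF
}

# Replace the anchor's rules with a fresh set for interface $1.
# The ruleset is generated before pfctl is run, so a rejected interface name
# never reaches pfctl as an empty ruleset (which would silently flush the anchor).
load_ext() {
    rules=$(ext_rules "$1") || return 1
    printf '%s\n' "$rules" | "$PFCTL" -q -a "$ANCHOR" -f -
}

# Drop only the anchor's rules; the main ruleset (block all) stays loaded and
# pf stays enabled, unlike "pfctl -F all -d", which leaves the box unfiltered.
flush_ext() {
    "$PFCTL" -q -a "$ANCHOR" -F rules
}

main() {
    case "$1" in
        up)
            # only load once the interface really exists, which is the whole point
            ifconfig "$2" >/dev/null 2>&1 || {
                echo "pf-ext: interface '$2' not present" >&2
                exit 1
            }
            load_ext "$2" ;;
        down)
            flush_ext ;;
        *)
            echo "usage: $0 up <interface> | down" >&2
            exit 64 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two design points worth noting. First, the linkdown hook flushes only the anchor, so between links the box falls back to the boot-time "block all" rather than to no filtering at all, which is what "pfctl -F all -d" in a linkdown hook gives you. Second, "keep state" is spelled out in every pass rule rather than relied on as a default, and the dynamic "($ext_if)" form is used for the link's own address so the rules survive a re-dial that hands out a different address.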