Re: 8.2-RELEASE pf rules not loading
On 25/02/2011 22:31, Jeremy Chadwick wrote:
> On Fri, Feb 25, 2011 at 10:23:58PM +, Vincent Hoffman wrote:
>> On 25/02/2011 17:35, Josh Carroll wrote:
>>>> Hi All,
>>>> Just upgraded my home machine to 8.2-RELEASE via freebsd-update remotely (spare time at work.) and on reboot my pf ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted does start it fine though.
>>>> Any suggestions on debugging or shall I just try a verbose boot and watch the console when I get home?
>>>> I still have
>>>> pf_enable=YES # Set to YES to enable packet filter (pf)
>>>> pflog_enable=YES # Set to YES to enable packet filter logging
>>>> in /etc/rc.conf

snip other stuff

> Please look at pf.conf(5) and search for the word parentheses (should be under the from x to x section). This might resolve your problem.

Thanks,
This did solve it. Slightly strange as it's all statically set but at least I know now.

Vince
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
8.2-RELEASE pf rules not loading
Hi All,
Just upgraded my home machine to 8.2-RELEASE via freebsd-update remotely (spare time at work.) and on reboot my pf ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted does start it fine though.
Any suggestions on debugging or shall I just try a verbose boot and watch the console when I get home?
I still have
pf_enable=YES # Set to YES to enable packet filter (pf)
pflog_enable=YES # Set to YES to enable packet filter logging
in /etc/rc.conf

Regards,
Vince
Re: 8.2-RELEASE pf rules not loading
My pf related lines in rc.conf look like the following:

pf_enable=YES
pf_rules=/etc/pf.conf
pflog_enable=YES
pflog_logfile=/var/log/pflog
pflog_flags=

I do have a problem from time to time where the rules won't load, but that's usually because a DHCP interface has failed to come up and my rules aren't written exactly properly to allow for that.

On Fri, Feb 25, 2011 at 12:11 PM, Vincent Hoffman vi...@unsane.co.uk wrote:
> Hi All,
> Just upgraded my home machine to 8.2-RELEASE via freebsd-update remotely (spare time at work.) and on reboot my pf ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted does start it fine though.
> Any suggestions on debugging or shall I just try a verbose boot and watch the console when I get home?
> I still have
> pf_enable=YES # Set to YES to enable packet filter (pf)
> pflog_enable=YES # Set to YES to enable packet filter logging
> in /etc/rc.conf
>
> Regards,
> Vince

--
Joshua Boyd
JBipNet
E-mail: boy...@jbip.net
http://www.jbip.net
Re: 8.2-RELEASE pf rules not loading
> Hi All,
> Just upgraded my home machine to 8.2-RELEASE via freebsd-update remotely (spare time at work.) and on reboot my pf ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted does start it fine though.
> Any suggestions on debugging or shall I just try a verbose boot and watch the console when I get home?
> I still have
> pf_enable=YES # Set to YES to enable packet filter (pf)
> pflog_enable=YES # Set to YES to enable packet filter logging
> in /etc/rc.conf

Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:

ifconfig_ifacename=DHCP

to

ifconfig_ifacename=SYNCDHCP

It's possible the network hasn't come up properly yet or there is no IP assigned.

Failing that, you can set:

rc_debug=YES

in rc.conf then watch at boot time if there are any odd messages when it attempts to start pf.

Josh
Re: 8.2-RELEASE pf rules not loading
On 25/02/2011 17:35, Josh Carroll wrote:
>> Hi All,
>> Just upgraded my home machine to 8.2-RELEASE via freebsd-update remotely (spare time at work.) and on reboot my pf ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted does start it fine though.
>> Any suggestions on debugging or shall I just try a verbose boot and watch the console when I get home?
>> I still have
>> pf_enable=YES # Set to YES to enable packet filter (pf)
>> pflog_enable=YES # Set to YES to enable packet filter logging
>> in /etc/rc.conf
> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
> ifconfig_ifacename=DHCP
> to
> ifconfig_ifacename=SYNCDHCP
> It's possible the network hasn't come up properly yet or there is no IP assigned.
> Failing that, you can set:
> rc_debug=YES
> in rc.conf then watch at boot time if there are any odd messages when it attempts to start pf.

It turns out that it's sort of related to this. I have an IPv6 tunnel from H.E. (tunnelbroker.net) and from looking at the boot output, it looks like the IPv6 addresses (for any of my interfaces) aren't applied until after pf starts. I'd say this is a bug. Oddly this didn't happen for the release candidate I tried, although I think I may have modified my rules and not rebooted until I upgraded.

The rules in question are:

pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state

and

pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

(ext_if = ue0)

I'll try changing $ext_if to the IPv6 address and see if that helps.

Vince

> Josh
Re: 8.2-RELEASE pf rules not loading
On Fri, Feb 25, 2011 at 10:23:58PM +, Vincent Hoffman wrote:
> On 25/02/2011 17:35, Josh Carroll wrote:
>>> Hi All,
>>> Just upgraded my home machine to 8.2-RELEASE via freebsd-update remotely (spare time at work.) and on reboot my pf ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted does start it fine though.
>>> Any suggestions on debugging or shall I just try a verbose boot and watch the console when I get home?
>>> I still have
>>> pf_enable=YES # Set to YES to enable packet filter (pf)
>>> pflog_enable=YES # Set to YES to enable packet filter logging
>>> in /etc/rc.conf
>> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
>> ifconfig_ifacename=DHCP
>> to
>> ifconfig_ifacename=SYNCDHCP
>> It's possible the network hasn't come up properly yet or there is no IP assigned.
>> Failing that, you can set:
>> rc_debug=YES
>> in rc.conf then watch at boot time if there are any odd messages when it attempts to start pf.
> It turns out that it's sort of related to this. I have an IPv6 tunnel from H.E. (tunnelbroker.net) and from looking at the boot output, it looks like the IPv6 addresses (for any of my interfaces) aren't applied until after pf starts. I'd say this is a bug. Oddly this didn't happen for the release candidate I tried, although I think I may have modified my rules and not rebooted until I upgraded.
> The rules in question are:
> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
> and
> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
> (ext_if = ue0)
> I'll try changing $ext_if to the IPv6 address and see if that helps.

Please look at pf.conf(5) and search for the word parentheses (should be under the from x to x section). This might resolve your problem.

--
| Jeremy Chadwick                                   j...@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
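Added example, not part of the original thread: the parentheses behaviour from pf.conf(5) applied to the two rules quoted above. ue0 comes from the thread; the gif0 interface name and the values of the three service and flag macros are constructed placeholders.

```conf
# Added illustration, not the poster's actual pf.conf.
# ext_if = ue0 is from the thread; every other macro value is constructed.
ext_if       = "ue0"
gif_if       = "gif0"
udp_services = "{ domain, ntp }"
tcp_services = "{ ssh, http }"
sf_tcp       = "flags S/SA keep state"

# Before (as posted): $ext_if is translated to ue0's addresses once, when
# the ruleset is loaded. If ue0 has no inet6 address yet at that point in
# the boot, there is nothing to translate to and the load fails.
#pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
#pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

# After: parentheses defer the lookup. The rules load even while ue0 has
# no inet6 address and are updated automatically when its addresses change,
# without reloading the ruleset.
pass in quick on $gif_if inet6 proto udp to ($ext_if) port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` after a reboot shows whether the rules are actually in place.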
Re: 8.2-RELEASE pf rules not loading
On 25/02/2011 22:31, Jeremy Chadwick wrote:
> On Fri, Feb 25, 2011 at 10:23:58PM +, Vincent Hoffman wrote:
>> On 25/02/2011 17:35, Josh Carroll wrote:
>>>> Hi All,
>>>> Just upgraded my home machine to 8.2-RELEASE via freebsd-update remotely (spare time at work.) and on reboot my pf ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted does start it fine though.
>>>> Any suggestions on debugging or shall I just try a verbose boot and watch the console when I get home?
>>>> I still have
>>>> pf_enable=YES # Set to YES to enable packet filter (pf)
>>>> pflog_enable=YES # Set to YES to enable packet filter logging
>>>> in /etc/rc.conf
>>> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
>>> ifconfig_ifacename=DHCP
>>> to
>>> ifconfig_ifacename=SYNCDHCP
>>> It's possible the network hasn't come up properly yet or there is no IP assigned.
>>> Failing that, you can set:
>>> rc_debug=YES
>>> in rc.conf then watch at boot time if there are any odd messages when it attempts to start pf.
>> It turns out that it's sort of related to this. I have an IPv6 tunnel from H.E. (tunnelbroker.net) and from looking at the boot output, it looks like the IPv6 addresses (for any of my interfaces) aren't applied until after pf starts. I'd say this is a bug. Oddly this didn't happen for the release candidate I tried, although I think I may have modified my rules and not rebooted until I upgraded.
>> The rules in question are:
>> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
>> and
>> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
>> (ext_if = ue0)
>> I'll try changing $ext_if to the IPv6 address and see if that helps.
> Please look at pf.conf(5) and search for the word parentheses (should be under the from x to x section). This might resolve your problem.

That looks reasonable, if unexpected since it's all statically configured. I'll give it a try when I can reboot it next.

It does seem a little odd that the rcorder doesn't start network_ipv6 (REQUIRE: routing) until after pf (BEFORE: routing), but I assume there was a reason for this.

Vince
Re: 8.2-RELEASE pf rules not loading
On Fri, 25 Feb 2011 17:31, freebsd@ wrote:
> On Fri, Feb 25, 2011 at 10:23:58PM +, Vincent Hoffman wrote:
>> On 25/02/2011 17:35, Josh Carroll wrote:
>>>> Hi All,
>>>> Just upgraded my home machine to 8.2-RELEASE via freebsd-update remotely (spare time at work.) and on reboot my pf ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted does start it fine though.
>>>> Any suggestions on debugging or shall I just try a verbose boot and watch the console when I get home?
>>>> I still have
>>>> pf_enable=YES # Set to YES to enable packet filter (pf)
>>>> pflog_enable=YES # Set to YES to enable packet filter logging
>>>> in /etc/rc.conf
>>> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
>>> ifconfig_ifacename=DHCP
>>> to
>>> ifconfig_ifacename=SYNCDHCP
>>> It's possible the network hasn't come up properly yet or there is no IP assigned.
>>> Failing that, you can set:
>>> rc_debug=YES
>>> in rc.conf then watch at boot time if there are any odd messages when it attempts to start pf.
>> It turns out that it's sort of related to this. I have an IPv6 tunnel from H.E. (tunnelbroker.net) and from looking at the boot output, it looks like the IPv6 addresses (for any of my interfaces) aren't applied until after pf starts. I'd say this is a bug. Oddly this didn't happen for the release candidate I tried, although I think I may have modified my rules and not rebooted until I upgraded.
>> The rules in question are:
>> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
>> and
>> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
>> (ext_if = ue0)
>> I'll try changing $ext_if to the IPv6 address and see if that helps.
> Please look at pf.conf(5) and search for the word parentheses (should be under the from x to x section). This might resolve your problem.

Adding to this and as someone else has already advised in a different way is to use synchronous_dhclient=YES in rc.conf(5) will most likely result in your rules loading properly.

--
jhell