Re: 8.2-RELEASE pf rules not loading
- From: Vincent Hoffman <vince@xxxxxxxxxxxx>
- Date: Fri, 25 Feb 2011 22:45:02 +0000
On 25/02/2011 22:31, Jeremy Chadwick wrote:
> On Fri, Feb 25, 2011 at 10:23:58PM +0000, Vincent Hoffman wrote:
>> On 25/02/2011 17:35, Josh Carroll wrote:
>>>> Hi All,
>>>> Just upgraded my home machine to 8.2-RELEASE via
>>>> freebsd-update remotely (spare time at work.) and on reboot my pf
>>>> ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
>>>> does start it fine though. Any suggestions on debugging or shall I just
>>>> try a verbose boot and watch the console when I get home?
>>>> I still have
>>>> pf_enable="YES" # Set to YES to enable packet filter (pf)
>>>> pflog_enable="YES" # Set to YES to enable packet filter logging
>>>> in /etc/rc.conf
>>>
>>> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
>>> ifconfig_<ifacename>="DHCP"
>>> to
>>> ifconfig_<ifacename>="SYNCDHCP"
>>> It's possible the network hasn't come up properly yet or there is no
>>> IP assigned.
>>> Failing that, you can set:
>>> rc_debug="YES"
>>> in rc.conf then watch at boot time if there are any odd messages when
>>> it attempts to start pf.
>>
>> It turns out that it's sort of related to this. I have an IPv6 tunnel
>> from H.E. (tunnelbroker.net) and from looking at the boot output, it
>> looks like the IPv6 addresses (for any of my interfaces) aren't applied
>> until after pf starts. I'd say this is a bug. Oddly this didn't happen
>> for the release candidate I tried, although I think I may have modified
>> my rules and not rebooted until I upgraded.
>> The rules in question are:
>> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
>> and
>> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
>> (ext_if = "ue0")
>> I'll try changing $ext_if to the IPv6 address and see if that helps.
>
> Please look at pf.conf(5) and search for the word "parentheses" (should
> be under the "from x to x" section). This might resolve your problem.

That looks reasonable, if unexpected since it's all statically configured. I'll give it a try when I can reboot it next.
It does seem a little odd that the rcorder doesn't start network_ipv6 (REQUIRE: routing) until after pf (BEFORE: routing), but I assume there was a reason for this.
Vince
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"
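
The pf.conf(5) behaviour the thread points to, as an added example that is not part of the original messages: an interface name used as a `from`/`to` address is translated to addresses at ruleset load time, while `($ext_if)` is updated when the interface address changes. The checker below flags the static form; the sample ruleset is constructed, only `ext_if = "ue0"` comes from the thread, and the interface-name pattern is a heuristic assumption.

```python
import re

# Constructed sample based on the rules quoted in the thread. Only
# ext_if = "ue0" is from the thread; the other macro values are assumed.
SAMPLE_PF_CONF = '''\
ext_if = "ue0"
gif_if = "gif0"
udp_services = "{ 53 }"
tcp_services = "{ 22, 80 }"
pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services
pass out quick on $ext_if inet proto tcp from 192.0.2.10 to any
'''

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
# Address position: the token right after "from" or "to".
ADDR_POS = re.compile(r'\b(from|to)\s+(\S+)')
# Heuristic (assumption): interface names are letters then a unit number.
IFACE_NAME = re.compile(r'^[a-z_]+\d+$')


def static_iface_addresses(pf_conf):
    """Return (line_no, keyword, token) for every from/to address that is a
    bare interface name, which pfctl translates to addresses at load time."""
    macros, findings = {}, []
    for line_no, raw in enumerate(pf_conf.splitlines(), 1):
        line = raw.split('#', 1)[0]  # drop trailing comments
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for keyword, token in ADDR_POS.findall(line):
            if token.startswith('('):
                continue  # ($ext_if): updated when the address changes
            value = macros.get(token[1:], '') if token.startswith('$') else token
            if IFACE_NAME.match(value):
                findings.append((line_no, keyword, token))
    return findings


if __name__ == '__main__':
    for line_no, keyword, token in static_iface_addresses(SAMPLE_PF_CONF):
        print(f"line {line_no}: '{keyword} {token}' needs an address at load "
              f"time; consider '{keyword} ({token})'")
```

Running `pfctl -nf /etc/pf.conf` parses a ruleset without loading it, which complements this check once the interfaces are in their boot-time state.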