Hello to all,

I noticed such a problem: I have a 6.1 RC2 and I have in rc.conf

pf_enable="YES"
pflogd_enable="YES"

but when the system boots I test with:

pfctl -vs rules

and there are no rules loaded. If I load them by hand there is no problem.
Then I set:

rc_debug="YES"

and the first thing that I saw was: when pf_enable is after pflogd_enable, it is not printed (checked). Then I changed the places of pf and pflogd in rc.conf and I saw some output in /var/log/messages, but still the ruleset wasn't loaded. I put pf_load="YES" >> /boot/loader.conf and still the ruleset is NOT loaded on boot...

Do you have something like this?
On Sunday 07 May 2006 01:59, Iantcho Vassilev wrote:
> I noticed such a problem:
>
> I have a 6.1 RC2 and i have in rc.conf
>
> pf_enable="YES"
> pflogd_enable="YES"
>
> but when the system boots i test with:
>
> pfctl -vs rules
>
> and there are not rules loaded.if i load them by hand there is no problem..
> then i made:
>
> rc_debug="YES"
>
> and the first thing that i saw was: when pf_enable is after pflogd_enable ;
> it is not printed(checked)..
>
> then i changed the place of pf and pflogd in the rc.conf and i saw some
> output in the /var/log/messages..
> but still the ruleset wasn`t loaded..
>
> i put pf_load="YES" >> /boot/loader.conf
> and still the ruleset is NOT loaded on boot...

What is your pf.conf like? Do you have ALTQ in use? Do you maybe try to use ALTQ on an interface that is created later on (tun0 or the like)? What does "/etc/rc.d/{pf, pflog} rcvar" give you? Does "/etc/rc.d/pf start" work after it failed on boot? Try setting pf_flags="-v" to get additional error messages.

-- 
/"\ Best regards,                     | mlaier@freebsd.org
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News
/etc/rc.d/pf rcvar - returns YES
My pf doesn't have any ALTQ use.
I will try pf_flags -v

Any other suggestions...

On 5/7/06, Max Laier <max@love2party.net> wrote:
> What is your pf.conf like? Do you have ALTQ in use? Do you maybe try to
> use ALTQ on an interface that is created later on (tun0 or the like)? What
> does "/etc/rc.d/{pf, pflog} rcvar" give you? Does "/etc/rc.d/pf start" work
> after it failed on boot? Try setting pf_flags="-v" to get additional error
> messages.
Also (if I didn't mention it), with rc_debug set I can't see pf being checked at all. In /var/log/messages I have:

May 7 12:00:30 tms_slave root: /etc/rc: INFO: checkyesno: inetd_enable is set to NO.
May 7 12:00:30 tms_slave root: /etc/rc: INFO: checkyesno: hostapd_enable is set to NO.
May 7 12:00:30 tms_slave root: /etc/rc: INFO: run_rc_command: evaluating geli2_start().
May 7 12:00:30 tms_slave root: /etc/rc: INFO: checkyesno: ftpd_enable is set to NO.
May 7 12:00:30 tms_slave root: /etc/rc: INFO: checkyesno: bsnmpd_enable is set to NO.
May 7 12:00:30 tms_slave root: /etc/rc: INFO: checkyesno: background_fsck is set to YES

but nothing about PF. Any suggestions?

On 5/7/06, Iantcho Vassilev <ianchov@gmail.com> wrote:
> /etc/rc.d/pf rcvar - returns YES
> my pf doesn`t have any ALTQ use
> I will try pf_flags -v
>
> Any other suggestions...
>
> On 5/7/06, Max Laier <max@love2party.net> wrote:
> > What is your pf.conf like? Do you have ALTQ in use? Do you maybe try
> > to use ALTQ on an interface that is created later on (tun0 or the like)?
> > What does "/etc/rc.d/{pf, pflog} rcvar" give you? Does "/etc/rc.d/pf start"
> > work after it failed on boot? Try setting pf_flags="-v" to get additional
> > error messages.
On 5/7/06, Pertti Kosunen <pertti.kosunen@pp.nic.fi> wrote:
> Iantcho Vassilev wrote:
> > Hello to all,
> >
> > I noticed such a problem:
> >
> > I have a 6.1 RC2 and i have in rc.conf
> >
> > pf_enable="YES"
> > pflogd_enable="YES"
>
> pf_rules="/etc/pf.conf" # rules definition file for pf

I also have that line in /etc/rc.conf. I added it a long time ago... still the result is the same.
On Sun, May 07, 2006 at 03:49:08PM +0300, Iantcho Vassilev wrote:
> On 5/7/06, Pertti Kosunen <pertti.kosunen@pp.nic.fi> wrote:
> >
> >Iantcho Vassilev wrote:
> >> Hello to all,
> >>
> >> I noticed such a problem:
> >>
> >> I have a 6.1 RC2 and i have in rc.conf
> >>
> >> pf_enable="YES"
> >> pflogd_enable="YES"

This last line should be:

pflog_enable="YES"

HTH, Roland
-- 
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
My mistake. It is actually pflog_enable="YES"... also I checked the /etc/rc.d/pf file permission => 755... I just don't know.

On 5/7/06, Roland Smith <rsmith@xs4all.nl> wrote:
> On Sun, May 07, 2006 at 03:49:08PM +0300, Iantcho Vassilev wrote:
> > >> pf_enable="YES"
> > >> pflogd_enable="YES"
>
> This last line should be:
>
> pflog_enable="YES"
>
> HTH, Roland
Iantcho Vassilev wrote:
> Hello to all,
>
> I noticed such a problem:
>
> I have a 6.1 RC2

Step one should be to upgrade to the latest 6-stable, and run mergemaster.

> and i have in rc.conf
>
> pf_enable="YES"
> pflogd_enable="YES"

I think you already corrected yourself to say that you have pflog_enable, not pflogd_, correct?

> but when the system boots i test with:
>
> pfctl -vs rules
>
> and there are not rules loaded.if i load them by hand there is no problem..

When you say "load them by hand," what do you do exactly?

> then i made:
>
> rc_debug="YES"

Try adding rc_info=yes as well.

> and the first thing that i saw was: when pf_enable is after pflogd_enable ;
> it is not printed(checked)..

The order of the variables in your rc.conf file is not relevant.

> i put pf_load="YES" >> /boot/loader.conf
> and still the ruleset is NOT loaded on boot...

The rc system doesn't know anything about /boot/loader.conf.

I'm also interested in what happens if you add -v to the pf_flags. What are the permissions on /etc/pf.conf?

Doug

-- 
This .signature sanitized for your protection
On 5/8/06, Michel Talon <talon@lpthe.jussieu.fr> wrote:
>
> By the way, if you have a kernel *without* IPV6 support, the firewall
> module will *not* load. You will have to recompile the firewall module
> without IPV6 support first. This is the most common cause of the problem
> you are seeing.
>
> --
> Michel TALON

Thank you, Michel... but it will not load on boot, or? If this is true maybe this is the problem - I have disabled IPV6 in the kernel...
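A boot-time checklist that walks through the diagnostics suggested in this thread: the rc.conf knob spelling (pflog_enable vs pflogd_enable), the ruleset file and its permissions, the rcvar output, and the module failing to load on a kernel built without INET6. This is an added example, not a script from the thread or from FreeBSD; the function names and the lint rules are my own, quoted rc.conf values are assumed, and the live checks only run where pfctl exists.

```shell
#!/bin/sh
# Added example (not from the thread): lint rc.conf for the pf pitfalls
# discussed above, then run the live checks Max and Doug asked for.

# lint_pf_rcconf FILE: print one line per problem found; print nothing if clean.
# Only knobs named in the thread are checked; values are assumed to be quoted.
lint_pf_rcconf() {
    f="$1"
    # The rc script is /etc/rc.d/pflog, so the knob is pflog_enable, not pflogd_enable.
    if grep -q '^pflogd_enable=' "$f"; then
        echo "pflogd_enable is not a valid knob; the variable is pflog_enable"
    fi
    if ! grep -qi '^pf_enable="YES"' "$f"; then
        echo "pf_enable is not set to YES, so /etc/rc.d/pf will not load a ruleset"
    fi
    # pf_rules names the ruleset file (default /etc/pf.conf); it must be readable
    # at boot, which is what Doug's permissions question is about.
    rules=$(sed -n 's/^pf_rules="\([^"]*\)".*/\1/p' "$f" | tail -n 1)
    rules="${rules:-/etc/pf.conf}"
    if [ ! -r "$rules" ]; then
        echo "ruleset file $rules does not exist or is not readable"
    fi
}

# live_pf_checks [FILE]: the checks from the thread, run on a FreeBSD host.
# Returns 0 when the module is loaded and the ruleset parses, 1 otherwise.
live_pf_checks() {
    f="${1:-/etc/rc.conf}"
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; skipping live checks"
        return 0
    fi
    /etc/rc.d/pf rcvar                  # should report pf_enable=YES
    rules=$(sed -n 's/^pf_rules="\([^"]*\)".*/\1/p' "$f" | tail -n 1)
    rules="${rules:-/etc/pf.conf}"
    # A pf module built with INET6 will not load into a kernel built without
    # it (Michel's point); that failure shows up here before any rule is read.
    if ! kldstat -q -m pf; then
        echo "pf module is not loaded; check dmesg for the kldload error"
        return 1
    fi
    # -n parses the ruleset without loading it; syntax errors go to stderr.
    pfctl -nf "$rules"
}

if [ "${1:-}" = "--run" ]; then
    lint_pf_rcconf /etc/rc.conf
    live_pf_checks /etc/rc.conf
fi
```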
On Mon, 8 May 2006, Dmitry Morozovsky wrote: DM> On Mon, 8 May 2006, Dmitry Morozovsky wrote: DM> DM> DM> BTW, ipfw says DM> DM> DM> DM> ipfw2 (+ipv6) DM> DM> DM> DM> even when it is build without inet6, which is a bit misleading. DM> DM> The following simple patch fixes this. Oh no, INET6 should be used instead of NO_INET6. Reattached. Sincerely, D.Marck [DM5020, MCK-RIPE, DM3-RIPN] ------------------------------------------------------------------------ *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru *** ------------------------------------------------------------------------ -------------- next part -------------- Index: sys/netinet/ip_fw2.c ==================================================================RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.106.2.12 diff -u -r1.106.2.12 ip_fw2.c --- sys/netinet/ip_fw2.c 9 Mar 2006 13:42:44 -0000 1.106.2.12 +++ sys/netinet/ip_fw2.c 8 May 2006 10:37:59 -0000 @@ -4221,7 +4221,12 @@ } ip_fw_default_rule = layer3_chain.rules; - printf("ipfw2 (+ipv6) initialized, divert %s, " + printf( +#ifdef INET6 + "ipfw2 (+ipv6) initialized, divert %s, " +#else + "ipfw2 initialized, divert %s, " +#endif "rule-based forwarding " #ifdef IPFIREWALL_FORWARD "enabled, "
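Review bot: the two arms of the new `#ifdef INET6` in the printf each repeat the full `"... initialized, divert %s, "` literal, so any later wording change has to be made twice; since adjacent string literals concatenate, the conditional can wrap only the fragment that differs, i.e. `"ipfw2 "` then `#ifdef INET6 "(+ipv6) " #endif` then `"initialized, divert %s, "`. Either way both arms keep exactly one `%s`, so the argument list that follows is unaffected, and the switch from NO_INET6 to INET6 mentioned in the message matches what the hunk tests.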