Hi all,

I recently upgraded (via source) from 11-Stable to 12-Stable on my router box (PC Engines APU). My firewall rules don't appear to work any longer during boot. I can see on the console "Line 98: unknown interface name igb1" when it tries to load them. The last few rules after the error line are not loaded. Line 98 is the "nat 1 config" line. After boot, I run "ipfw flush; service ipfw restart" and everything works OK. It looks like the igb1 interface isn't fully available at the time when it originally tries to load.

My relevant lines (redacted) from /etc/rc.conf, /etc/ipfw.rules, and tail of /var/log/messages are below.

Any clues, please?

Thanks in advance,

Graham

/etc/rc.conf:

firewall_enable="YES"
firewall_flags="-p m4 -DOUTSIDE_IF=igb1 -DLAN_IF=igb0 -DLAN_NET=X.X.X.X/25 -DWIFI_IF=igb2 -DWIFI_NET=Y.Y.Y.Y/26 -DVPN_IF=tap0 -DVPN_NET=Z.Z.Z.Z/26 -DPS4_ADDR=A.A.A.A -DIPV6_IF=gif0"
firewall_type="/etc/ipfw.rules"

/etc/ipfw.rules:

# stop spoofing
add deny all from LAN_NET to any in via OUTSIDE_IF
add deny all from WIFI_NET to any in via OUTSIDE_IF
# allow anything on the LAN
add allow all from any to any via LAN_IF
# and from the VPN
add allow all from any to any via VPN_IF
# allow anything from the wireless network to the outside world (but not to the LAN)
add allow ip from any to not LAN_NET via WIFI_IF
table all destroy
# create a table of addresses to block
table 1 create type addr
# add RFC1918 nets
table 1 add 10.0.0.0/8
table 1 add 172.16.0.0/12
table 1 add 192.168.0.0/16
# and draft-manning-dsua-03.txt nets
table 1 add 0.0.0.0/8
table 1 add 169.254.0.0/16
table 1 add 192.0.2.0/24
table 1 add 224.0.0.0/4
table 1 add 240.0.0.0/4
# stop entries in the table coming in on the outside interface
add deny all from table(1) to any in recv OUTSIDE_IF
# similarly for IPv6
table 2 create type addr
# Stop unique local unicast address on the outside interface
table 2 add fc00::/7
# Stop site-local on the outside interface
table 2 add fec0::/10
# Disallow "internal" addresses to appear on the wire.
table 2 add ::ffff:0.0.0.0/96
# Disallow packets to malicious IPv4 compatible prefix.
#table 2 add ::224.0.0.0/100 gives error
#table 2 add ::127.0.0.0/104 ditto
table 2 add ::0.0.0.0/104
#table 2 add ::255.0.0.0/104 ditto
# table 2 add ::0.0.0.0/96
# Disallow packets to malicious 6to4 prefix.
table 2 add 2002:e000::/20
table 2 add 2002:7f00::/24
table 2 add 2002:0000::/24
table 2 add 2002:ff00::/24
# table 2 add 2002:0a00::/24
table 2 add 2002:ac10::/28
table 2 add 2002:c0a8::/32
# table 2 add ff05::/16
# block these addresses both incoming and outgoing
add deny all from table(2) to any via IPV6_IF
add deny all from any to table(2) via IPV6_IF
# block sshguard entries
add reset ip from table(22) to me
#########################################################
# temporarily block lots of ports from outside (remove when these rules are fixed)
#add deny tcp from any to me 2049,5000-5999 in via OUTSIDE_IF
##########################################################
# allow IPSEC
#add allow esp from any to any
#add allow ah from any to any
#add allow ipencap from any to any
#add allow udp from any 500 to any
# allow setup of incoming SSH, IMAPS, and OpenVPN
add allow tcp from any to me ssh setup
add allow tcp from any to me6 ssh setup
add allow tcp from any to me imaps setup
add allow tcp from any to me6 imaps setup
add allow tcp from any to me openvpn setup
add allow tcp from any to me6 openvpn setup
add allow udp from any to me openvpn
# allow IPP, IMAPS, and SMTP from wireless
add allow ip from any to LAN_NET dst-port printer setup via WIFI_IF
add allow ip from any to me dst-port ipp setup via WIFI_IF
add allow ip from any to me dst-port smtp setup via WIFI_IF
add allow ip from any to me dst-port imaps setup via WIFI_IF
# allow some ICMP types but nothing else
add allow icmp from any to any icmptypes 0,3,8,11
add deny icmp from any to any
#add allow ipv6 from any to any
# NAT
# redirect ports to PS4
nat 1 config if OUTSIDE_IF same_ports deny_in redirect_port tcp PS4_ADDR:1935 1935 redirect_port tcp PS4_ADDR:3478 3478 redirect_port tcp PS4_ADDR:3479 3479 redirect_port tcp PS4_ADDR:3480 3480 redirect_port udp PS4_ADDR:3074 3074 redirect_port udp PS4_ADDR:3478 3478 redirect_port udp PS4_ADDR:3479 3479
#nat 1 config if OUTSIDE_IF same_ports deny_in
add nat 1 ip4 from any to any via OUTSIDE_IF
# and block the above table again outbound
add deny all from table(1) to any out xmit OUTSIDE_IF
# allow TCP through if setup succeeded
add pass tcp from any to any established
# allow IP fragments to pass through
add pass all from any to any frag
# allow TCP ports needed for PS4
add allow tcp from any to PS4_ADDR 1935 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3478 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3479 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3480 in via OUTSIDE_IF setup
add allow udp from any to PS4_ADDR 3478 in via OUTSIDE_IF
add allow udp from any to PS4_ADDR 3479 in via OUTSIDE_IF
# allow DNS & NTP queries out to the world (and their replies back in)
add allow udp from me to any 53 keep-state
add allow udp from me to any 123 keep-state
# but no other UDP in from outside
add deny udp from any to any in via OUTSIDE_IF
# and allow any other UDP
add allow udp from any to any
# reject all setup of incoming connections from the outside
add deny tcp from any to any in via OUTSIDE_IF setup
# reject all setup of incoming connections from the IPV6 tunnel
add deny tcp from any to any in via gif0 setup
# reject all setup of incoming connections from the wireless
add deny tcp from any to any in via WIFI_IF setup
# allow setup of any other TCP connection
add pass tcp from any to any setup
# Everything else is denied by default, unless the IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel config file. But we add this rule anyway to allow logging.
add deny all from any to any

tail of /var/log/messages:

Mar 23 11:35:31 maxwell kernel: ---<<BOOT>>---
Mar 23 11:35:31 maxwell kernel: Copyright (c) 1992-2019 The FreeBSD Project.
Mar 23 11:35:31 maxwell kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Mar 23 11:35:31 maxwell kernel:         The Regents of the University of California. All rights reserved.
Mar 23 11:35:31 maxwell kernel: FreeBSD is a registered trademark of The FreeBSD Foundation.
Mar 23 11:35:31 maxwell kernel: FreeBSD 12.0-STABLE maxwell amd64
Mar 23 11:35:31 maxwell kernel: FreeBSD clang version 7.0.1 (tags/RELEASE_701/final 349250) (based on LLVM 7.0.1)
Mar 23 11:35:31 maxwell kernel: CPU: AMD GX-412TC SOC (998.15-MHz K8-class CPU)
Mar 23 11:35:31 maxwell kernel:   Origin="AuthenticAMD"  Id=0x730f01  Family=0x16  Model=0x30  Stepping=1
Mar 23 11:35:31 maxwell kernel:   Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
Mar 23 11:35:31 maxwell kernel:   Features2=0x3ed8220b<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C>
Mar 23 11:35:31 maxwell kernel:   AMD Features=0x2e500800<SYSCALL,NX,MMX+,FFXSR,Page1GB,RDTSCP,LM>
Mar 23 11:35:31 maxwell kernel:   AMD Features2=0x1d4037ff<LAHF,CMP,SVM,ExtAPIC,CR8,ABM,SSE4A,MAS,Prefetch,OSVW,IBS,SKINIT,WDT,Topology,PNXC,DBE,PTSC,PL2I>
Mar 23 11:35:31 maxwell kernel:   Structured Extended Features=0x8<BMI1>
Mar 23 11:35:31 maxwell kernel:   XSAVE Features=0x1<XSAVEOPT>
Mar 23 11:35:31 maxwell kernel:   SVM: NP,NRIP,AFlush,DAssist,NAsids=8
Mar 23 11:35:31 maxwell kernel:   TSC: P-state invariant, performance statistics
Mar 23 11:35:31 maxwell kernel: real memory  = 4815060992 (4592 MB)
Mar 23 11:35:31 maxwell kernel: avail memory = 4110790656 (3920 MB)
Mar 23 11:35:31 maxwell kernel: Event timer "LAPIC" quality 600
Mar 23 11:35:31 maxwell kernel: ACPI APIC Table: <CORE COREBOOT>
Mar 23 11:35:31 maxwell kernel: FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
Mar 23 11:35:31 maxwell kernel: FreeBSD/SMP: 1 package(s) x 4 core(s)
Mar 23 11:35:31 maxwell kernel: random: unblocking device.
Mar 23 11:35:31 maxwell kernel: ioapic1: Changing APIC ID to 5
Mar 23 11:35:31 maxwell kernel: ioapic0 <Version 2.1> irqs 0-23 on motherboard
Mar 23 11:35:31 maxwell kernel: ioapic1 <Version 2.1> irqs 24-55 on motherboard
Mar 23 11:35:31 maxwell kernel: Launching APs: 2 1 3
Mar 23 11:35:31 maxwell kernel: Timecounter "TSC" frequency 998148269 Hz quality 1000
Mar 23 11:35:31 maxwell kernel: random: entropy device external interface
Mar 23 11:35:31 maxwell kernel: 000.000022 [4212] netmap_init               netmap: loaded module
Mar 23 11:35:31 maxwell kernel: nexus0
Mar 23 11:35:31 maxwell kernel: cryptosoft0: <software crypto> on motherboard
Mar 23 11:35:31 maxwell kernel: acpi0: <CORE COREBOOT> on motherboard
Mar 23 11:35:31 maxwell kernel: acpi0: Power Button (fixed)
Mar 23 11:35:31 maxwell kernel: cpu0: <ACPI CPU> on acpi0
Mar 23 11:35:31 maxwell kernel: atrtc0: <AT realtime clock> port 0x70-0x71 irq 8 on acpi0
Mar 23 11:35:31 maxwell kernel: atrtc0: registered as a time-of-day clock, resolution 1.000000s
Mar 23 11:35:31 maxwell kernel: Event timer "RTC" frequency 32768 Hz quality 0
Mar 23 11:35:31 maxwell kernel: attimer0: <AT timer> port 0x40-0x43 irq 0 on acpi0
Mar 23 11:35:31 maxwell kernel: Timecounter "i8254" frequency 1193182 Hz quality 0
Mar 23 11:35:31 maxwell kernel: Event timer "i8254" frequency 1193182 Hz quality 100
Mar 23 11:35:31 maxwell kernel: hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff on acpi0
Mar 23 11:35:31 maxwell kernel: Timecounter "HPET" frequency 14318180 Hz quality 950
Mar 23 11:35:31 maxwell kernel: Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
Mar 23 11:35:31 maxwell kernel: acpi_timer0: <32-bit timer at 3.579545MHz> port 0x818-0x81b on acpi0
Mar 23 11:35:31 maxwell kernel: acpi_button0: <Power Button> on acpi0
Mar 23 11:35:31 maxwell kernel: pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
Mar 23 11:35:31 maxwell kernel: pci0: <ACPI PCI bus> on pcib0
Mar 23 11:35:31 maxwell kernel: pcib1: <ACPI PCI-PCI bridge> at device 2.2 on pci0
Mar 23 11:35:31 maxwell kernel: pcib1: failed to allocate initial I/O port window: 0x1000-0x1fff
Mar 23 11:35:31 maxwell kernel: pci1: <ACPI PCI bus> on pcib1
Mar 23 11:35:31 maxwell kernel: pci1: <network, ethernet> at device 0.0 (no driver attached)
Mar 23 11:35:31 maxwell kernel: pcib2: <ACPI PCI-PCI bridge> at device 2.3 on pci0
Mar 23 11:35:31 maxwell kernel: pci2: <ACPI PCI bus> on pcib2
Mar 23 11:35:31 maxwell kernel: pci2: <network, ethernet> at device 0.0 (no driver attached)
Mar 23 11:35:31 maxwell kernel: pcib3: <ACPI PCI-PCI bridge> at device 2.4 on pci0
Mar 23 11:35:31 maxwell kernel: pci3: <ACPI PCI bus> on pcib3
Mar 23 11:35:31 maxwell kernel: pci3: <network, ethernet> at device 0.0 (no driver attached)
Mar 23 11:35:31 maxwell kernel: pci0: <encrypt/decrypt> at device 8.0 (no driver attached)
Mar 23 11:35:31 maxwell kernel: xhci0: <AMD FCH USB 3.0 controller> mem 0xfeb22000-0xfeb23fff at device 16.0 on pci0
Mar 23 11:35:31 maxwell kernel: xhci0: 32 bytes context size, 64-bit DMA
Mar 23 11:35:31 maxwell kernel: xhci0: Unable to map MSI-X table
Mar 23 11:35:31 maxwell kernel: usbus0 on xhci0
Mar 23 11:35:31 maxwell kernel: usbus0: 5.0Gbps Super Speed USB v3.0
Mar 23 11:35:31 maxwell kernel: ahci0: <AMD Hudson-2 AHCI SATA controller> port 0x4010-0x4017,0x4020-0x4023,0x4018-0x401f,0x4024-0x4027,0x4000-0x400f mem 0xfeb25000-0xfeb253ff at device 17.0 on pci0
Mar 23 11:35:31 maxwell kernel: ahci0: AHCI v1.30 with 2 6Gbps ports, Port Multiplier supported with FBS
Mar 23 11:35:31 maxwell kernel: ahcich0: <AHCI channel> at channel 0 on ahci0
Mar 23 11:35:31 maxwell kernel: ahcich1: <AHCI channel> at channel 1 on ahci0
Mar 23 11:35:31 maxwell kernel: ehci0: <AMD FCH USB 2.0 controller> mem 0xfeb25400-0xfeb254ff at device 19.0 on pci0
Mar 23 11:35:31 maxwell kernel: usbus1: EHCI version 1.0
Mar 23 11:35:31 maxwell kernel: usbus1 on ehci0
Mar 23 11:35:31 maxwell kernel: usbus1: 480Mbps High Speed USB v2.0
Mar 23 11:35:31 maxwell kernel: isab0: <PCI-ISA bridge> at device 20.3 on pci0
Mar 23 11:35:31 maxwell kernel: isa0: <ISA bus> on isab0
Mar 23 11:35:31 maxwell kernel: pci0: <base peripheral, SD host controller> at device 20.7 (no driver attached)
Mar 23 11:35:31 maxwell kernel: uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
Mar 23 11:35:31 maxwell kernel: uart0: console (115200,n,8,1)
Mar 23 11:35:31 maxwell kernel: orm0: <ISA Option ROMs> at iomem 0xc0000-0xc0fff,0xef000-0xeffff pnpid ORM0000 on isa0
Mar 23 11:35:31 maxwell kernel: uart1: <16550 or compatible> at port 0x2f8 irq 3 on isa0
Mar 23 11:35:31 maxwell kernel: hwpstate0: <Cool`n'Quiet 2.0> on cpu0
Mar 23 11:35:31 maxwell kernel: Timecounters tick every 1.000 msec
Mar 23 11:35:31 maxwell kernel: ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to deny, logging disabled
Mar 23 11:35:31 maxwell kernel: ugen0.1: <0x1022 XHCI root HUB> at usbus0
Mar 23 11:35:31 maxwell kernel: ugen1.1: <AMD EHCI root HUB> at usbus1
Mar 23 11:35:31 maxwell kernel: uhub0: <0x1022 XHCI root HUB, class 9/0, rev 3.00/1.00, addr 1> on usbus0
Mar 23 11:35:31 maxwell kernel: uhub1: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
Mar 23 11:35:31 maxwell kernel: uhub0: 4 ports with 4 removable, self powered
Mar 23 11:35:31 maxwell kernel: uhub1: 2 ports with 2 removable, self powered
Mar 23 11:35:31 maxwell kernel: ugen0.2: <American Power Conversion Back-UPS CS 350 FW:807.q5.I USB FW:q5> at usbus0
Mar 23 11:35:31 maxwell kernel: ugen1.2: <vendor 0x0438 product 0x7900> at usbus1
Mar 23 11:35:31 maxwell kernel: uhub2 on uhub1
Mar 23 11:35:31 maxwell kernel: uhub2: <vendor 0x0438 product 0x7900, class 9/0, rev 2.00/0.18, addr 2> on usbus1
Mar 23 11:35:31 maxwell kernel: uhub2: 4 ports with 4 removable, self powered
Mar 23 11:35:31 maxwell kernel: ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
Mar 23 11:35:31 maxwell kernel: ada0: <SATA SSD S9FM02.9> ACS-3 ATA SATA 3.x device
Mar 23 11:35:31 maxwell kernel: ada0: Serial Number 6834076A125700012038
Mar 23 11:35:31 maxwell kernel: ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
Mar 23 11:35:31 maxwell kernel: ada0: Command Queueing enabled
Mar 23 11:35:31 maxwell kernel: ada0: 15272MB (31277232 512 byte sectors)
Mar 23 11:35:31 maxwell kernel: ada1 at ahcich1 bus 0 scbus1 target 0 lun 0
Mar 23 11:35:31 maxwell kernel: ada1: <ST2000LX001-1RG174 SDM1> ACS-3 ATA SATA 3.x device
Mar 23 11:35:31 maxwell kernel: ada1: Serial Number WDZ4G592
Mar 23 11:35:31 maxwell kernel: ada1: 300.000MB/s transfers (SATA 2.x, UDMA6, PIO 8192bytes)
Mar 23 11:35:31 maxwell kernel: ada1: Command Queueing enabled
Mar 23 11:35:31 maxwell kernel: ada1: 1907729MB (3907029168 512 byte sectors)
Mar 23 11:35:31 maxwell kernel: Trying to mount root from ufs:/dev/ada0p2 [rw]...
Mar 23 11:35:31 maxwell kernel: WARNING: /usr/data was not properly dismounted
Mar 23 11:35:31 maxwell kernel: lo0: link state changed to UP
Mar 23 11:35:31 maxwell kernel: intsmb0: <AMD FCH SMBus Controller> at device 20.0 on pci0
Mar 23 11:35:31 maxwell kernel: smbus0: <System Management Bus> on intsmb0
Mar 23 11:35:32 maxwell mountd[618]: can't change attributes for /var: netcred already exists for given addr/mask
Mar 23 11:35:32 maxwell mountd[618]: bad exports list line '/var -alldirs -maproot'
Mar 23 11:35:32 maxwell mountd[618]: can't change attributes for /mnt: netcred already exists for given addr/mask
Mar 23 11:35:32 maxwell mountd[618]: bad exports list line '/mnt -alldirs -maproot'
Mar 23 11:35:32 maxwell kernel: igb0: <Intel(R) PRO/1000 PCI-Express Network Driver> mem 0xfe600000-0xfe61ffff,0xfe620000-0xfe623fff at device 0.0 on pci1
Mar 23 11:35:32 maxwell kernel: igb0: Using 1024 tx descriptors and 1024 rx descriptors
Mar 23 11:35:32 maxwell kernel: igb0: Using 4 rx queues 4 tx queues
Mar 23 11:35:32 maxwell kernel: igb0: Using MSI-X interrupts with 5 vectors
Mar 23 11:35:32 maxwell kernel: igb0: Ethernet address: 00:0d:b9:42:ea:38
Mar 23 11:35:32 maxwell kernel: igb0: netmap queues/slots: TX 4/1024, RX 4/1024
Mar 23 11:35:32 maxwell kernel: igb1: <Intel(R) PRO/1000 PCI-Express Network Driver> port 0x2000-0x201f mem 0xfe700000-0xfe71ffff,0xfe720000-0xfe723fff at device 0.0 on pci2
Mar 23 11:35:32 maxwell kernel: igb1: Using 1024 tx descriptors and 1024 rx descriptors
Mar 23 11:35:32 maxwell kernel: igb1: Using 4 rx queues 4 tx queues
Mar 23 11:35:32 maxwell kernel: igb1: Using MSI-X interrupts with 5 vectors
Mar 23 11:35:32 maxwell kernel: igb1: Ethernet address: 00:0d:b9:42:ea:39
Mar 23 11:35:33 maxwell kernel: igb1: netmap queues/slots: TX 4/1024, RX 4/1024
Mar 23 11:35:33 maxwell kernel: igb2: <Intel(R) PRO/1000 PCI-Express Network Driver> port 0x3000-0x301f mem 0xfe800000-0xfe81ffff,0xfe820000-0xfe823fff at device 0.0 on pci3
Mar 23 11:35:33 maxwell kernel: igb2: Using 1024 tx descriptors and 1024 rx descriptors
Mar 23 11:35:33 maxwell kernel: igb2: Using 4 rx queues 4 tx queues
Mar 23 11:35:33 maxwell kernel: igb2: Using MSI-X interrupts with 5 vectors
Mar 23 11:35:33 maxwell kernel: igb2: Ethernet address: 00:0d:b9:42:ea:3a
Mar 23 11:35:33 maxwell ntpd[759]: ntpd 4.2.8p12-a (1): Starting
Mar 23 11:35:33 maxwell kernel: igb2: netmap queues/slots: TX 4/1024, RX 4/1024
Mar 23 11:35:33 maxwell kernel: Security policy loaded: MAC/ntpd (mac_ntpd)
Mar 23 11:35:34 maxwell upsmon[789]: Login on UPS [maxwell at localhost] failed - got [ERR ACCESS-DENIED]
Mar 23 11:35:37 maxwell kernel: igb0: link state changed to UP
Mar 23 11:35:48 maxwell kernel: igb1: link state changed to UP
Mar 23 11:35:48 maxwell kernel: igb1: link state changed to DOWN
Mar 23 11:35:49 maxwell root[1698]: /etc/rc: WARNING: failed to start spamd
Mar 23 11:35:49 maxwell kernel: tun0: link state changed to UP
Mar 23 11:35:50 maxwell kernel: igb2: link state changed to UP
Mar 23 11:35:50 maxwell kernel: igb2: link state changed to DOWN
Mar 23 11:35:51 maxwell kernel: igb1: link state changed to UP
Mar 23 11:35:51 maxwell dhclient[2608]: New IP Address (igb1): X.X.X.X
Mar 23 11:35:51 maxwell dhclient[2610]: New Subnet Mask (igb1): 255.255.255.0
Mar 23 11:35:51 maxwell dhclient[2612]: New Broadcast Address (igb1): X.X.X.255
Mar 23 11:35:51 maxwell dhclient[2614]: New Routers (igb1): X.X.X.1
Mar 23 11:35:53 maxwell kernel: igb2: link state changed to UP
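Two things in the post are worth pinning down for anyone hitting the same symptom. First, the failure direction: the kernel line reads "ipfw2 (+ipv6) initialized, ... default to deny", so when the rule file aborts at the nat line, everything after it (the "established", "frag", "setup" and UDP allow rules) is simply never installed and the box fails closed rather than open. Second, the timing: the three igb ports are reported as "(no driver attached)" during the kernel's PCI probe and the igb driver only attaches at 11:35:32, after mountd has already started, so at the moment the rule file is parsed the name "igb1" genuinely does not exist yet, which is exactly what "unknown interface name igb1" says. The following script is an added example, not code from Graham's post or from FreeBSD's rc.d/ipfw: it waits for every interface named by a NAME_IF macro in firewall_flags to appear before (re)loading the rules, and it reports which macro is unsatisfied instead of losing the tail of the rule set. The function names, the ipfw-guard.sh file name, the "_IF" macro-suffix convention (taken from the macro names in the posted firewall_flags) and the use of "ipfw -q flush; service ipfw restart" (the post's manual recovery, with -q to skip the confirmation prompt) are my assumptions; "ifconfig -l" is FreeBSD's way to print the attached interface names.

```shell
#!/bin/sh
# ipfw-guard.sh: wait until the interfaces named in firewall_flags exist
# before loading the ipfw rule set. Added example, not from the original post.
# Assumptions: `ifconfig -l` (FreeBSD) prints a space-separated list of
# attached interfaces; interface macros use the post's -DNAME_IF=ifname form.

# Interfaces the kernel currently knows about. Kept as a function so that it
# can be replaced with a fixed list when exercising the logic off a FreeBSD box.
list_ifaces() {
    ifconfig -l 2>/dev/null
}

# iface_present NAME: exit 0 if NAME is attached, 1 otherwise.
iface_present() {
    for _i in $(list_ifaces); do
        if [ "$_i" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# wait_for_iface NAME [TIMEOUT]: poll once per second for up to TIMEOUT
# seconds (default 30); exit 0 as soon as NAME exists, 1 on timeout.
wait_for_iface() {
    _name=$1
    _left=${2:-30}
    while [ "$_left" -gt 0 ]; do
        if iface_present "$_name"; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# missing_ifaces FLAGS: scan an m4 -D macro list such as firewall_flags and
# print every NAME_IF=ifname whose interface is absent, one per line.
# Network macros (LAN_NET, PS4_ADDR, ...) are ignored because they do not
# end in _IF. Exit 0 when all are present, 1 when at least one is missing.
missing_ifaces() {
    _rc=0
    for _tok in $1; do
        case $_tok in
        -D*_IF=*)
            _macro=${_tok#-D}
            if ! iface_present "${_macro#*=}"; then
                echo "$_macro"
                _rc=1
            fi
            ;;
        esac
    done
    return $_rc
}

# Usage: sh ipfw-guard.sh "$firewall_flags" [TIMEOUT]
# Waits for each absent *_IF interface in turn, then reloads the rules the
# way the post does by hand. Runs only when given arguments, so the functions
# above can be sourced without side effects.
if [ $# -ge 1 ]; then
    for _m in $(missing_ifaces "$1" || true); do
        if ! wait_for_iface "${_m#*=}" "${2:-60}"; then
            echo "ipfw-guard: ${_m} never appeared, rules not reloaded" >&2
            exit 1
        fi
    done
    ipfw -q flush
    service ipfw restart
fi
```

Run it with the same string that rc.conf hands to m4, for example `sh ipfw-guard.sh "$(sysrc -n firewall_flags)" 60`, from whatever late-boot hook suits the box; the point is that a macro whose interface has not attached yet is named on stderr and the reload is held back, rather than ipfw stopping at line 98 and leaving a half-installed rule set behind.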