[Solved] PF doesn't load rules on boot anymore
hiatek
February 22nd, 2010, 05:00
PF will not load the rules I have set in /etc/pf.conf after boot/reboot.
If I run
pfctl -d
pfctl -e -f /etc/pf.conf
my rules load correctly.
If I attempt to pfctl -e -f /etc/pf.conf without first pfctl -d I'm informed that pf is already running.
My /etc/rc.conf is as follows
freebsd# cat /etc/rc.conf
# -- sysinstall generated deltas -- # Fri Oct 30 07:49:53 2009
# Created: Fri Oct 30 07:49:53 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
hostname="internal.local"
ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_nfe0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
keymap="us.iso"
# - Enable SSH
sshd_enable="YES"
# - PPPoE Connection
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="internode"
# - Enable DHCP Server
dhcpd_enable="YES"
dhcpd_ifaces="nfe0"
# - Enable DNS Server
named_enable="YES"
# - PF Firewall
pf_enable="YES" # Enable PF Firewall
pf_rules="/etc/pf.conf" # Rules definition file for PF
pf_flags="" # Additional flags for pfctl startup
pflog_enable="YES" # Start pflogd(8)
#pflog_file="/var/log/pflog" # Where pflogd should store the log file
pflog_logfile="/var/log/pflog"
pflog_flags="" # Additional pflog flags for startup
# - Squid Web-Cache
squid_enable="YES"
# - Disable Sendmail
sendmail_enable="NO"
#sendmail_submit_enable="NO"
#sendmail_outbound_enable="NO"
#sendmail_msp_queue_enable="NO"
# - Postfix MTA
postfix_enable="YES"
# - Dovecot
dovecot_enable="YES"
freebsd#
Regarding the pflog_logfile line, I looked at the handbook (after noticing this issue) and it appears like the second uncommented line, whereas I had been running with the first (commented) line for quite some time without (a noticeable) issue. Either way I have the same issue regardless of which option I use. Did this get changed at some point or did I have it wrong all along?
I can also post my /etc/pf.conf if need be although it "should" be using the same file when used manually or via rc.conf.
I have tried pfctl -nf /etc/pf.conf which runs silently (does not show any errors).
Output of uname -a is as follows:
freebsd# uname -a
FreeBSD freebsd.internal.local 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan 5 16:02:27 UTC 2010 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
Are there any log files I should check or commands I can run to narrow this down?
SirDice
February 22nd, 2010, 07:49
Remove everything except the pf_enable and pflog_enable.
hiatek
February 22nd, 2010, 07:56
Just to clarify, when you say everything, you mean everything regarding pf in rc.conf?
Or do you mean everything in the rc.conf file pf related or no?
Regards,
Michael
SirDice
February 22nd, 2010, 08:06
Just to clarify, when you say everything, you mean everything regarding pf in rc.conf?
Yes.
hiatek
February 22nd, 2010, 08:12
/etc/rc.conf now looks like the following:
freebsd# cat /etc/rc.conf
# -- sysinstall generated deltas -- # Fri Oct 30 07:49:53 2009
# Created: Fri Oct 30 07:49:53 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
hostname="freebsd.internal.local"
ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_nfe0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
keymap="us.iso"
# - Enable SSH
sshd_enable="YES"
# - PPPoE Connection
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="internode"
# - Enable DHCP Server
dhcpd_enable="YES"
dhcpd_ifaces="nfe0"
# - Enable DNS Server
named_enable="YES"
# - PF Firewall
pf_enable="YES" # Enable PF Firewall
#pf_rules="/etc/pf.conf" # Rules definition file for PF
#pf_flags="" # Additional flags for pfctl startup
pflog_enable="YES" # Start pflogd(8)
#pflog_file="/var/log/pflog" # Where pflogd should store the log file
#pflog_logfile="/var/log/pflog"
#pflog_flags="" # Additional pflog flags for startup
# - Squid Web-Cache
squid_enable="YES"
# - Disable Sendmail
sendmail_enable="NO"
#sendmail_submit_enable="NO"
#sendmail_outbound_enable="NO"
#sendmail_msp_queue_enable="NO"
# - Postfix MTA
postfix_enable="YES"
# - Dovecot
dovecot_enable="YES"
I still have the same issue, thanks for the help so far.
Regards,
Michael
SirDice
February 22nd, 2010, 08:27
Ok. What happens when you do /etc/rc.d/pf start?
hiatek
February 22nd, 2010, 08:38
After I have manually disabled and enabled using the command mentioned earlier:
freebsd# /etc/rc.d/pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
.
freebsd#
If I reboot and run # /etc/rc.d/pf start
I receive the same output
It does have the end result of loading the rules (when I test using grc.com shields up, the expected ports are stealthed and defined ports are unblocked).
I guess it's a matter of doing this at boot, which has got me miffed why it's failing now.
sniper007
February 22nd, 2010, 08:58
Probably the problem is the PPPoE connection, because the pf rules are loaded before PPPoE establishes the connection.
Try to add this line to /etc/rc.local
pfctl -f /etc/pf.conf
hiatek
February 22nd, 2010, 09:35
So I comment out everything to do with pf in /etc/rc.conf and create /etc/rc.local?
It doesn't exist at the moment.
Does this shut things down correctly when using the shutdown command?
I might be totally off track but is that what the rc.conf does?
Thanks again.
EDIT: I have tried commenting out pf related settings in /etc/rc.conf.
Created the /etc/rc.local
I then added the following line
pfctl -ef /etc/pf.conf
Just having
pfctl -f /etc/pf.conf
doesn't appear to work on the command line either so I added the -e also.
Sorry this doesn't seem to resolve my issue.
Regards,
Michael
sniper007
February 22nd, 2010, 09:57
rc.conf
pf_enable="YES"
pflog_enable="YES"
rc.local
pfctl -f /etc/pf.conf
hiatek
February 22nd, 2010, 10:28
It appears to be the same result as my previous post's edit. The rules don't appear to be loading.
It does appear to be starting as before though. If I attempt to manually start it, I'm told about No ALTQ support in kernel and pfctl: pf already enabled.
If I then manually disable and enable telling it my pf.conf location all is rosy (well except it auto loading the rules for me).
SirDice
February 22nd, 2010, 11:55
After I have manually disabled and enabled using the command mentioned earlier:
freebsd# /etc/rc.d/pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
.
freebsd#
If I reboot and run # /etc/rc.d/pf start
I receive the same output
There's no error showing. There's only a message that there's no ALTQ support. This is normal if you use the pf module.
DutchDaemon
February 22nd, 2010, 13:20
If you're filtering on the ppp interface, do you have parentheses around that interface variable throughout your ruleset (pass in on ($ppp_if), etc.)?
PJF
February 22nd, 2010, 21:08
Does your pf rule set have any domain names in it?
I just had a similar issue where it would not load rules at boot time.
Turns out PF was trying to do DNS lookups on some domains I had in the rule set, but the network was not fully up yet.
I switched the domains to the IP's and now it loads fine at boot.
Ruler2112
February 22nd, 2010, 21:26
I have a ppp connection and in /etc/ppp/ppp.linkup is:
papchap:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.rules
shell /etc/rc.d/named restart
Perhaps your firewall is loading the rules fine, but when the link comes up, it doesn't refresh them to reflect the new status of the virtual interface?
hiatek
February 22nd, 2010, 22:08
My /etc/pf.conf
freebsd# cat /etc/pf.conf
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
# Revised by ... on 16/02/2010
# macros
ext_if="tun0"
int_if="nfe0"
win_host="192.168.0.5"
tcp_services="{ 22 }"
icmp_types="echoreq"
# tables
# ssh violations
table <ssh-violations> persist file "/etc/ssh-violations.txt"
#comp3="192.168.0.3"
# options
set block-policy drop
set loginterface $ext_if
set skip on lo
# scrub
scrub in
# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# - Redirections
# - FTP proxy to local machine removed because ftp downloads would not work
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# - Squid Redirection
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# Bittorent virtual server/Port Forward
rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> 192.168.0.100 port 6881
# - Windows Server pptp VPN redirect
rdr pass on $ext_if inet proto gre from any to $ext_if -> $win_host
rdr pass on $ext_if inet proto tcp from any to $ext_if port 1723 -> $win_host
# filter rules
block in all
pass out
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
# Mail Filter
pass in on $ext_if proto tcp from any to any port 25 flags S/SA
# Bittorent Filter
pass in quick on $ext_if proto tcp from any to 192.168.0.100 port 6881
# Squid Filters
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
#pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
# synproxy state
# Windows pptp VPN Server Filter
pass out quick on $int_if inet proto gre from any to $win_host keep state
pass out quick on $int_if inet proto tcp from any to $win_host port 1723 flags S/SA keep state
# Allow ping
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state
#Block hosts discovered as SSH violations
block drop in quick from <ssh-violations> to any
freebsd#
aragon
February 23rd, 2010, 01:18
PF is probably starting before ppp, so tun0 doesn't exist yet. You need to follow Ruler2112's advice I suspect...
hiatek
February 23rd, 2010, 01:33
I don't appear to have a /etc/ppp/ppp.linkup
I do have a /etc/ppp/ppp.conf
Can I make said changes to this file?
Regards,
Michael
aragon
February 23rd, 2010, 01:40
No, you need to create a /etc/ppp/ppp.linkup. You probably want a /etc/ppp/ppp.linkdown too, that does the opposite of linkup.
hiatek
February 23rd, 2010, 02:00
So I create the file and then put the contents in the file and that's it?
Do I need to reference it from anywhere else, like /etc/rc.conf?
EDIT:
I have attempted to create the file /etc/ppp/ppp.linkup, put the contents in
papchap:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.conf
shell /etc/rc.d/named restart
I also tried changing papchap: to internode:.
I'm not sure if this has any relevance, neither works for me though. Rules still fail to load on reboot.
Ruler2112
February 23rd, 2010, 18:56
The first line in ppp.linkup should reflect the configuration name in ppp.conf. For example, my ppp.conf has in it:
papchap:
set authname blahblahblah
set authkey yakyakyak
.....
Here's an easy way to tell if it's working or not. When you bounce your ppp connection, does named restart? If not, there's something not working right in your ppp config. (It's a PITA to get right the first time... whoever came up with PPPoE and virtual interfaces obviously never had to use them IRL! Gimme a straight ethernet connection coming out of the modem device any day...)
hiatek
February 23rd, 2010, 23:33
Contents of /etc/ppp/ppp.linkup
freebsd# cat /etc/ppp/ppp.linkup
internode:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.conf
shell /etc/rc.d/named restart
Contents of /etc/ppp/ppp.conf
freebsd# cat /etc/ppp/ppp.conf
#################################################################
# PPP Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by wself@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD: src/etc/ppp/ppp.conf,v 1.11.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#################################################################
default:
set log Phase tun command
set ifaddr 10.0.0.1/0 10.0.0.2/0
=======
set log Phase Chat LCP IPCP CCP tun command
ident user-ppp VERSION (built COMPILATIONDATE)
# Ensure that "device" references the correct serial port
# for your modem. (cuau0 = COM1, cuau1 = COM2)
#
set device /dev/cuau1
set speed 115200
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
\"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
set timeout 180 # 3 minute idle timer (the default)
enable dns # request DNS info (for resolv.conf)
papchap:
#
# edit the next three lines and replace the items in caps with
# the values which have been assigned by your ISP.
#
set phone PHONE_NUM
set authname USERNAME
set authkey PASSWORD
internode:
set device PPPoE:rl0
set authname USERNAME
set authkey PASSWORD
set dial
set login
add default HISADDR
enable dns
freebsd#
I'm not sure what you mean by "bouncing my ppp connection" nor how I would go about that to answer your question.
Regards,
Michael
Ruler2112
February 23rd, 2010, 23:50
/etc/rc.d/ppp stop will deactivate the connection and the commands in ppp.linkdown should run. Similarly, /etc/rc.d/ppp start will start the connection/authentication, running the commands in ppp.linkup once the connection is fully active. You can check your logs to see if named is restarting to verify if this mechanism is working correctly.
Your config looks OK to me, but I'm far from an expert.
hiatek
February 24th, 2010, 00:15
freebsd# /etc/rc.d/ppp start
Starting PPP profile: internodeLoading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
.
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for tun0
/etc/pf.conf:44: could not parse host specification
no IP address found for tun0
/etc/pf.conf:45: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
freebsd#
Are those "=" (equals signs) meant to be there (in /etc/ppp/ppp.conf) I wonder?
EDIT:
I added a comment in front of the equals signs in /etc/ppp/ppp.conf
I now have the following in /var/log/messages
freebsd# tail /var/log/messages
Feb 24 10:28:29 freebsd kernel: ifa_del_loopback_route: deletion failed
Feb 24 10:28:29 freebsd kernel: tun0: link state changed to DOWN
Feb 24 10:28:52 freebsd kernel: tun0: link state changed to UP
Feb 24 10:28:55 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 3) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 4) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: 0.0.0.0/0: Change route failed: errno: No such process
freebsd#
I think we may be getting closer to solving it, I have no idea what the correct syntax is for that file to know if I've bodged it though, any more clues?
Ruler2112
February 24th, 2010, 19:09
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
.
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for tun0
/etc/pf.conf:44: could not parse host specification
no IP address found for tun0
/etc/pf.conf:45: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
That right there is why it wasn't loading. The = signs did indeed cause a problem with ppp. Since ======= isn't a valid config parameter in ppp.conf, it thought it was a label (like internode or papchap), but since it was missing the colon at the end, didn't know what to do with it. Because it was confused, ppp didn't assign an IP to the virtual interface. Since there was no IP on the interface, pf couldn't determine what it was and refused to load the rule set. You solved the problem on your own, but I thought you'd like to know what was going on.
I now have the following in /var/log/messages
freebsd# tail /var/log/messages
Feb 24 10:28:29 freebsd kernel: ifa_del_loopback_route: deletion failed
Feb 24 10:28:29 freebsd kernel: tun0: link state changed to DOWN
Feb 24 10:28:52 freebsd kernel: tun0: link state changed to UP
Feb 24 10:28:55 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 3) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 4) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: 0.0.0.0/0: Change route failed: errno: No such process
I think we may be getting closer to solving it, I have no idea what the correct syntax is for that file to know if I've bodged it though, any more clues?
The 'change route failed' message looks exactly like what I get when my DSL connection authenticates. (I've tried to find a reason for the errors, but have not been able to; since it doesn't seem to cause problems, I've ignored it.) It appears that your DSL connection is now working properly - we just have to chase down the problem in ppp.linkup.
Please post your current ppp.linkup file - ppp isn't running the commands (and loading your pf rules) because it doesn't recognize the configuration in there as valid config parameters and thinks the lines represent labels instead.
Ruler2112
February 24th, 2010, 19:36
I just remembered something that caught me when I first set up my DSL line. The ppp.linkup file has the first line as the label, matching what is in ppp.conf for your connection. The lines within that block need to have at least one space in front of them! The file I posted above doesn't have them in; either the code tag doesn't support leading spaces or I removed them when I posted the file. The latter is more likely, due to the fact that my emulator I admin my BSD box with doesn't add CRs at the end of each line and instead spits out one continuous line when I copy from it, spaces and all. (I always have to remove the spaces from the output I post and add line breaks because of this.)
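Added example (written for this page, not code from any poster): a small POSIX sh lint for user-ppp(8) files (ppp.conf, ppp.linkup, ppp.linkdown) that catches, before ppp does, the two mistakes that broke rule loading in this thread: a column-1 line that is not a label (the stray "=======" in ppp.conf) and commands that are not indented under their label (the "shell ..." lines in ppp.linkup), both of which ppp reports only as "Bad label ... missing colon". It assumes the layout Ruler2112 describes above: a label starts in column 1 and ends with ':', every command under it is indented by at least one space or tab, '#' comments and blank lines are ignored, and a command before any label is an error. The sample files are constructed here, not the poster's real configuration.

```shell
#!/bin/sh
# lint_ppp_file FILE
#   Prints one line per problem and returns 1 if any was found, 0 otherwise.
#   Assumed format (user-ppp(8) style):
#     label:            column 1, trailing colon
#      command args     indented by a space or tab, belongs to the label above
#     # comment         ignored, as are blank lines
lint_ppp_file() {
    file="$1"
    status=0
    n=0
    have_label=0
    tab=$(printf '\t')
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*)
                ;;                                  # blank or comment: ignore
            ' '*|"$tab"*)                           # indented: a command in a label block
                if [ "$have_label" -eq 0 ]; then
                    printf '%s:%d: command before any label: %s\n' "$file" "$n" "$line"
                    status=1
                fi ;;
            *:)                                     # a label line
                have_label=1 ;;
            *)                                      # column 1 without a colon: what ppp calls a bad label
                printf '%s:%d: bad label (missing colon): %s\n' "$file" "$n" "$line"
                status=1 ;;
        esac
    done < "$file"
    return "$status"
}

# make_samples: writes three constructed files into a temp directory and prints its path.
make_samples() {
    dir=$(mktemp -d) || exit 1
    # ppp.linkup as first posted in the thread: commands start in column 1.
    printf 'internode:\nshell /sbin/pfctl -d\nshell /sbin/pfctl -e -f /etc/pf.conf\n' > "$dir/linkup.bad"
    # Corrected ppp.linkup: label, then indented commands.
    printf 'internode:\n shell /sbin/pfctl -d\n shell /sbin/pfctl -e -f /etc/pf.conf\n' > "$dir/linkup.good"
    # ppp.conf with a stray separator line between two blocks.
    printf 'default:\n set log Phase tun command\n=======\ninternode:\n set device PPPoE:rl0\n' > "$dir/conf.bad"
    printf '%s\n' "$dir"
}

# Stand-alone run: lint the samples; only the .bad files should produce findings.
samples=$(make_samples)
for f in "$samples/linkup.good" "$samples/linkup.bad" "$samples/conf.bad"; do
    if lint_ppp_file "$f"; then
        printf '%s: ok\n' "$f"
    fi
done
```

To check a real file, run `lint_ppp_file /etc/ppp/ppp.linkup` (and the same for ppp.conf) after editing; an exit status of 1 means ppp would have logged a "Bad label" warning and skipped the block, which is exactly the silent failure mode that left the pf rules unloaded at boot here.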
hiatek
February 26th, 2010, 00:14
Thank you so much,
I can now boot the machine and check with grc.com and my rules appear to be loading.
pfctl -sr seems to look correct also.
Other functions on the server appear to be unharmed also (well a really quick check anyway).
Do I require the name server part of /etc/ppp/ppp.linkup?
I guess it won't hurt to leave it anyway.
I don't have a corresponding opposite to ppp.linkup. Do I require one if I don't plan on halting the connection manually?
Thanks heaps for the help.
Regards,
Michael.
Ruler2112
February 26th, 2010, 00:53
Thank you so much,
I can now boot the machine and check with grc.com and my rules appear to be loading.
pfctl -sr seems to look correct also.
Great!
Do I require the name server part of /etc/ppp/ppp.linkup?
I guess it won't hurt to leave it anyway.
Do you have a name assigned to your box that's resolvable from the internet or do you use your local box as a resolver? If either is true, you should leave it. If neither is true, you really shouldn't need it - try disabling it and test.
I don't have a corresponding opposite to ppp.linkup. Do I require one if I don't plan on halting the connection manually?
Only if you want to load different firewall rules or execute other commands when your connection terminates. You can write out to a log file, spit a message out to the screen, or anything that you can do from a prompt really using the shell command in the ppp.linkdown file. I have the ppp.linkdown file on my system, but it's empty.