PF pf does not load ruleset after reboot

Hello all!
I have been searching the forum and the web, and I have not found the solution to the problem with pf firewall.

I run FreeBSD version:
Code:
freebsd-version
11.0-RELEASE-p5

The problem is that the ruleset is not loaded at reboot.
If I reboot and run:
pfctl -sr
There is no output from the command.

If I run:
service pf restart
Ruleset is loaded

Or if I run:
pfctl -f /etc/pf.conf
Ruleset is loaded.

My rc.config has the following for pf:
Code:
pf_enable="YES"
pflog_enable="YES"
I have tried using:
Code:
pf_rules="/etc/pf.conf"
I get the same result: the ruleset is not read at boot, but it is read with restart or the -f flag.
I have also tried using:
Code:
pf_flags="-f /etc/pf.conf"
I get the same result again: not read at boot, but read with restart or the -f flag.

If I just test my conf file:
pfctl -nvf /etc/pf.conf
There are no errors.

I find no errors in log files either.

pf is running, if I run:
Code:
pfctl -e
pfctl: pf already enabled

I don't know how to proceed.
Many thanks in advance!

Best regards
Marcus
 
This sometimes happens when PF tries to apply a rule to an interface that's not entirely up yet. Are you using DHCP on one of the interfaces?

Note that the file is called /etc/rc.conf, not /etc/rc.config!
 
/etc/rc.config was just a typo; I know it is called /etc/rc.conf.
Interface igb0 is configured with DHCP and igb1 is with static address.
/etc/rc.conf
Code:
ifconfig_igb0="DHCP"
ifconfig_igb1="inet 192.168.67.35 netmask 255.255.255.0"
defaultrouter=""

I have looked in /etc/rc.d/pf and that file says:
Code:
# REQUIRE: FILESYSTEMS netif pflog pfsync
Does that not mean that the service netif has to be started before pf service?
This is a "special" comment that has meaning, right? (New to FreeBSD, curious and eager to learn!)
I suppose that the service can be running while the interfaces haven't come up properly yet.

How do I make sure that both interfaces are up before pf is started?
The way I understood it was the # REQUIRE line.

Thanks in advance!!
 
I have looked in /etc/rc.d/pf and that file says:
Code:
# REQUIRE: FILESYSTEMS netif pflog pfsync
Does that not mean that the service netif has to be started before pf service?
It does but that doesn't mean it finished initializing.

How do I make sure that both interfaces are up before pf is started?
Try this:
Code:
ifconfig_igb0="SYNCDHCP"
The SYNC will make sure it actually receives an IP address before continuing.

The way I understood it was the # REQUIRE line.
It only tells the system something needs to start, not that it has to finish or succeed.

Code:
BUGS
     The ``REQUIRE'' keyword is misleading: It doesn't describe which daemons
     have to be running before a script will be started.  It describes which
     scripts must be placed before it in the dependency ordering.  For
     example, if your script has a ``REQUIRE'' on ``named'', it means the
     script must be placed after the ``named'' script in the dependency
     ordering, not necessarily that it requires named(8) to be started or
     enabled.
See rcorder(8).
 
I ran into the same problem on a gateway. My current solution includes this simple script within /usr/local/etc/rc.d:
Code:
# cat /usr/local/etc/rc.d/reloadpf.sh
#!/bin/sh

# If pf reports an empty ruleset (the boot-time load was skipped), load it now.
if [ "$(pfctl -sr | wc -l)" -lt 1 ]; then
    pfctl -f /etc/pf.conf
fi

And this dhclient-exit-hook:
Code:
# cat /etc/dhclient-exit-hooks
# Reload the pf ruleset once dhclient has bound a lease on the interface.
[ ."$reason" = .BOUND ] && echo "reloading PF configuration after DHCP BIND" && pfctl -f /etc/pf.conf
The echo isn't visible on the console but is added to /var/log/messages.
dhclient-enter/exit-hooks are actually quite powerful, as dhclient-script(8) offers relatively fine-grained "$reason"s and variables for all the important values it sets/modifies, so these can be used to inject configurations in other services or configurations.
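As an added example (not the poster's script), here is a fuller /etc/dhclient-exit-hooks fragment in the same spirit: it reacts to every dhclient-script(8) reason that (re)configures an address, and runs pfctl -n first so a broken pf.conf never replaces a working ruleset. PFCTL and PF_CONF are hypothetical override variables, added only so the logic can be exercised without a real pf(4).

```sh
#!/bin/sh
# Added example dhclient-exit-hooks fragment (not from the thread).
# dhclient-script(8) sources this file with $reason and $interface set.
# PFCTL / PF_CONF are hypothetical overrides for testing without pf(4).
PFCTL="${PFCTL:-pfctl}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Log via syslog; fall back to stderr if logger(1) is unavailable.
log_msg() {
    logger -t dhclient-exit-hooks "$1" 2>/dev/null || echo "$1" >&2
}

# Reasons after which the interface has a (possibly new) address;
# EXPIRE, FAIL, TIMEOUT and friends are deliberately left out.
should_reload_pf() {
    case "$1" in
        BOUND|REBOOT|RENEW|REBIND) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate with -n before loading so a syntax error leaves the
# currently loaded ruleset untouched. Returns non-zero on failure.
reload_pf() {
    if "$PFCTL" -nf "$PF_CONF" >/dev/null 2>&1; then
        "$PFCTL" -f "$PF_CONF" && log_msg "reloaded $PF_CONF after $reason"
    else
        log_msg "$PF_CONF failed validation, ruleset left untouched"
        return 1
    fi
}

if should_reload_pf "${reason:-}"; then
    reload_pf
fi
```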


Try this:
Code:
ifconfig_igb0="SYNCDHCP"
The SYNC will make sure it actually receives an IP address before continuing.

Does SYNCDHCP have a timeout?
I remember a (stupid) default on Debian Linux, which lets the box wait forever until a DHCPOFFER is received. Really not what you want on a gateway/router/firewall, especially if there are other egress connections available...
 
Thank you, SirDice, for your good explanation!
I got a better understanding of service processes now.
Your solution worked with:
Code:
ifconfig_igb0="SYNCDHCP"
 