PF doesn't load rules on boot anymore

PF will not load the rules I have set in /etc/pf.conf after boot/reboot.
If I run
pfctl -d
pfctl -e -f /etc/pf.conf

my rules load correctly.

If I attempt to pfctl -e -f /etc/pf.conf without first pfctl -d I'm informed that pf is already running.

My /etc/rc.conf is as follows
Code:
freebsd# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Fri Oct 30 07:49:53 2009
# Created: Fri Oct 30 07:49:53 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
hostname="internal.local"
ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_nfe0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
keymap="us.iso"

# - Enable SSH
sshd_enable="YES"

# - PPPoE Connection
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="internode"

# - Enable DHCP Server
dhcpd_enable="YES"
dhcpd_ifaces="nfe0"

# - Enable DNS Server
named_enable="YES"

# - PF Firewall
pf_enable="YES"         # Enable PF Firewall
pf_rules="/etc/pf.conf" # Rules definition file for PF
pf_flags=""             # Additional flags for pfctl startup
pflog_enable="YES"      # Start pflogd(8)
#pflog_file="/var/log/pflog" # Where pflogd should store the log file
pflog_logfile="/var/log/pflog"
pflog_flags=""          # Additional pflog flags for startup

# - Squid Web-Cache
squid_enable="YES"

# - Disable Sendmail
sendmail_enable="NO"
#sendmail_submit_enable="NO"
#sendmail_outbound_enable="NO"
#sendmail_msp_queue_enable="NO"

# - Postfix MTA
postfix_enable="YES"

# - Dovecot
dovecot_enable="YES"
freebsd#


Regarding the pflog_logfile line, I looked at the handbook (after noticing this issue) and it appears like the second uncommented line, whereas I had been running with the first (commented) line for quite some time without (a noticeable) issue. Either way I have the same issue regardless of which option I use. Did this get changed at some point or did I have it wrong all along?

I can also post my /etc/pf.conf if need be although it "should" be using the same file when used manually or via rc.conf.

I have tried pfctl -nf /etc/pf.conf which runs silently (does not show any errors).

Output of uname -a is as follows:
Code:
freebsd# uname -a
FreeBSD freebsd.internal.local 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan  5 16:02:27 UTC 2010     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

Are there any log files I should check or commands I can run to narrow this down?
 
Remove everything except the pf_enable and pflog_enable.
 
Just to clarify, when you say everything, do you mean everything regarding pf in rc.conf?
Or do you mean everything in the rc.conf file, pf related or not?


Regards,
Michael
 
/etc/rc.conf now looks like the following:
Code:
freebsd# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Fri Oct 30 07:49:53 2009
# Created: Fri Oct 30 07:49:53 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
hostname="freebsd.internal.local"
ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_nfe0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
keymap="us.iso"

# - Enable SSH
sshd_enable="YES"

# - PPPoE Connection
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="internode"

# - Enable DHCP Server
dhcpd_enable="YES"
dhcpd_ifaces="nfe0"

# - Enable DNS Server
named_enable="YES"

# - PF Firewall
pf_enable="YES"         # Enable PF Firewall
#pf_rules="/etc/pf.conf" # Rules definition file for PF
#pf_flags=""            # Additional flags for pfctl startup
pflog_enable="YES"      # Start pflogd(8)
#pflog_file="/var/log/pflog" # Where pflogd should store the log file
#pflog_logfile="/var/log/pflog"
#pflog_flags=""         # Additional pflog flags for startup

# - Squid Web-Cache
squid_enable="YES"

# - Disable Sendmail
sendmail_enable="NO"
#sendmail_submit_enable="NO"
#sendmail_outbound_enable="NO"
#sendmail_msp_queue_enable="NO"

# - Postfix MTA
postfix_enable="YES"

# - Dovecot
dovecot_enable="YES"

I still have the same issue. Thanks for the help so far.


Regards,
Michael
 
After I have manually disabled and enabled using the command mentioned earlier:

Code:
freebsd# /etc/rc.d/pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
.
freebsd#

If I reboot and run # /etc/rc.d/pf start
I receive the same output.

It does have the end result of loading the rules (when I test using grc.com shields up, the expected ports are stealthed and defined ports are unblocked).

I guess it's a matter of doing this at boot, which has got me miffed why it's failing now.
 
So I comment out everything to do with pf in /etc/rc.conf and create /etc/rc.local?
It doesn't exist at the moment.

Does this shut things down correctly when using the shutdown command?
I might be totally off track but is that what the rc.conf does?

Thanks again.

EDIT: I have tried commenting out pf related settings in /etc/rc.conf.
Created the /etc/rc.local
I then added the following line
Code:
pfctl -ef /etc/pf.conf
Just having
pfctl -f /etc/pf.conf
doesn't appear to work on the command line either so I added the -e also.

Sorry this doesn't seem to resolve my issue.


Regards,
Michael
 
It appears to be the same result as my previous post's edit. The rules don't appear to be loading.

It does appear to be starting as before though. If I attempt to manually start it, I'm told about No ALTQ support in kernel and pfctl: pf already enabled.

If I then manually disable and enable telling it my pf.conf location all is rosy (well except it auto loading the rules for me).
 
hiatek said:
After I have manually disabled and enabled using the command mentioned earlier:

Code:
freebsd# /etc/rc.d/pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
.
freebsd#

If I reboot and run # /etc/rc.d/pf start
I receive the same output

There's no error showing. There's only a message that there's no ALTQ support. This is normal if you use the pf module.
 
If you're filtering on the ppp interface, do you have parentheses around that interface variable throughout your ruleset (pass in on ($ppp_if), etc.)?
 
Does your pf rule set have any domain names in it?

I just had a similar issue where it would not load rules at boot time.
Turns out PF was trying to do DNS lookups on some domains I had in the rule set, but the network was not fully up yet.

I switched the domains to the IPs and now it loads fine at boot.
 
I have a ppp connection and in /etc/ppp/ppp.linkup is:

Code:
papchap:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.rules
shell /etc/rc.d/named restart

Perhaps your firewall is loading the rules fine, but when the link comes up, it doesn't refresh them to reflect the new status of the virtual interface?
 
My /etc/pf.conf
Code:
freebsd# cat /etc/pf.conf
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
# Revised by ... on 16/02/2010


# macros
ext_if="tun0"
int_if="nfe0"

win_host="192.168.0.5"

tcp_services="{ 22 }"
icmp_types="echoreq"

# tables
# ssh violations
table <ssh-violations> persist file "/etc/ssh-violations.txt"

#comp3="192.168.0.3"

# options
set block-policy drop
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# - Redirections
# - FTP proxy to local machine removed because ftp downloads would not work
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# - Squid Redirection
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# Bittorent virtual server/Port Forward
rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> 192.168.0.100 port 6881
# - Windows Server pptp VPN redirect
rdr pass on $ext_if inet proto gre from any to $ext_if -> $win_host
rdr pass on $ext_if inet proto tcp from any to $ext_if port 1723 -> $win_host

# filter rules
block in all
pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
# Mail Filter
pass in on $ext_if proto tcp from any to any port 25 flags S/SA

# Bittorent Filter
pass in quick on $ext_if proto tcp from any to 192.168.0.100 port 6881
# Squid Filters
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state
        pass out on $ext_if inet proto tcp from any to any port www keep state
#pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
#    synproxy state

# Windows pptp VPN Server Filter
pass out quick on $int_if inet proto gre from any to $win_host keep state
pass out quick on $int_if inet proto tcp from any to $win_host port 1723 flags S/SA keep state

# Allow ping
pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state

#Block hosts discovered as SSH violations
block drop in quick from <ssh-violations> to any
freebsd#
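An added check, not from this thread or from FreeBSD, for the parentheses point raised above: a bare `to $ext_if` is resolved once when pfctl loads the ruleset, so it fails if tun0 has no address yet, while `to ($ext_if)` is looked up per packet. The script lints a constructed ruleset (modelled on the one posted, with the macro name `ext_if` assumed) for the bare form and rewrites it.

```shell
#!/bin/sh
# Added example (not from the thread): find and fix interface macros used as
# an address without parentheses in a pf.conf. "to $ext_if" is resolved when
# the rules load, so on a PPPoE tun0 with no address yet pfctl reports
# "no IP address found for tun0" and loads nothing; "to ($ext_if)" defers the
# lookup to packet time. "on $ext_if" names an interface and is fine.
set -eu

# Print "lineno: rule" for every non-comment line that uses $MACRO directly
# after "from" or "to" with no parentheses. Prints nothing if the file is clean.
# Usage: find_unparenthesized FILE MACRO
find_unparenthesized() {
    awk -v m="$2" '
        /^[[:space:]]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if (($i == "from" || $i == "to") && $(i + 1) == "$" m) {
                    print NR ": " $0
                    break
                }
        }' "$1"
}

# Emit a copy of FILE with the macro wrapped in parentheses wherever it
# follows from/to. Rewritten lines are re-joined with single spaces.
# Usage: fix_parentheses FILE MACRO
fix_parentheses() {
    awk -v m="$2" '
        /^[[:space:]]*#/ { print; next }
        {
            for (i = 1; i < NF; i++)
                if (($i == "from" || $i == "to") && $(i + 1) == "$" m)
                    $(i + 1) = "(" $(i + 1) ")"
            print
        }' "$1"
}

# Constructed sample ruleset: lines 4 and 5 use the bare macro as an address.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ext_if="tun0"
# rdr with the deferred (parenthesised) form
rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> 192.168.0.100 port 6881
rdr pass on $ext_if inet proto gre from any to $ext_if -> 192.168.0.5
rdr pass on $ext_if inet proto tcp from any to $ext_if port 1723 -> 192.168.0.5
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22
EOF

echo "Rules that resolve \$ext_if at load time:"
find_unparenthesized "$SAMPLE" ext_if
echo "Rewritten ruleset:"
fix_parentheses "$SAMPLE" ext_if
```

Run the lint against the real file with `find_unparenthesized /etc/pf.conf ext_if` before `pfctl -nf /etc/pf.conf`, which only validates syntax and does not catch this at boot.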
 
I don't appear to have a /etc/ppp/ppp.linkup
I do have a /etc/ppp/ppp.conf

Can I make said changes to this file?


Regards,
Michael
 
No, you need to create a /etc/ppp/ppp.linkup. You probably want a /etc/ppp/ppp.linkdown too, that does the opposite of linkup.
 
So I create the file and then put the contents in the file and that's it?
Do I need to reference it from anywhere else, like /etc/rc.conf?

EDIT:
I have attempted to create the file /etc/ppp/ppp.linkup, put the contents in
Code:
papchap:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.conf
shell /etc/rc.d/named restart

I also tried changing papchap: to internode:.
I'm not sure if this has any relevance, neither works for me though. Rules still fail to load on reboot.
 
The first line in ppp.linkup should reflect the configuration name in ppp.conf. For example, my ppp.conf has in it:

Code:
papchap:
set authname blahblahblah
set authkey yakyakyak
.....

Here's an easy way to tell if it's working or not. When you bounce your ppp connection, does named restart? If not, there's something not working right in your ppp config. (It's a PITA to get right the first time... whoever came up with PPPoE and virtual interfaces obviously never had to use them IRL! Gimme a straight ethernet connection coming out of the modem device any day...)
 
Contents of /etc/ppp/ppp.linkup
Code:
freebsd# cat /etc/ppp/ppp.linkup
internode:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.conf
shell /etc/rc.d/named restart

Contents of /etc/ppp/ppp.conf
Code:
freebsd# cat /etc/ppp/ppp.conf
#################################################################
# PPP  Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by wself@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD: src/etc/ppp/ppp.conf,v 1.11.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#################################################################

default:
        set log Phase tun command
        set ifaddr 10.0.0.1/0 10.0.0.2/0
=======
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

 # Ensure that "device" references the correct serial port
 # for your modem. (cuau0 = COM1, cuau1 = COM2)
 #
 set device /dev/cuau1

 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180                        # 3 minute idle timer (the default)
 enable dns                             # request DNS info (for resolv.conf)

papchap:
 #
 # edit the next three lines and replace the items in caps with
 # the values which have been assigned by your ISP.
 #

 set phone PHONE_NUM
 set authname USERNAME
 set authkey PASSWORD

internode:
        set device PPPoE:rl0
        set authname USERNAME
        set authkey PASSWORD
        set dial
        set login
        add default HISADDR
        enable dns
freebsd#

I'm not sure what you mean by "bouncing my ppp connection" nor how I would go about that to answer your question.


Regards,
Michael
 
/etc/rc.d/ppp stop will deactivate the connection and the commands in ppp.linkdown should run. Similarly, /etc/rc.d/ppp start will start the connection/authentication, running the commands in ppp.linkup once the connection is fully active. You can check your logs to see if named is restarting to verify if this mechanism is working correctly.

Your config looks OK to me, but I'm far from an expert.
 
Code:
freebsd# /etc/rc.d/ppp start
Starting PPP profile: internodeLoading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
.
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for tun0
/etc/pf.conf:44: could not parse host specification
no IP address found for tun0
/etc/pf.conf:45: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
freebsd#

Are those "=" (equals signs) meant to be there (in /etc/ppp/ppp.conf) I wonder?

EDIT:
I added a comment in front of the equals signs in /etc/ppp/ppp.conf

I now have the following in /var/log/messages
Code:
freebsd# tail /var/log/messages
Feb 24 10:28:29 freebsd kernel: ifa_del_loopback_route: deletion failed
Feb 24 10:28:29 freebsd kernel: tun0: link state changed to DOWN
Feb 24 10:28:52 freebsd kernel: tun0: link state changed to UP
Feb 24 10:28:55 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 3) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 4) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: 0.0.0.0/0: Change route failed: errno: No such process
freebsd#

I think we may be getting closer to solving it. I have no idea what the correct syntax is for that file to know if I've bodged it though, any more clues?
 
hiatek said:
Code:
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
.
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for tun0
/etc/pf.conf:44: could not parse host specification
no IP address found for tun0
/etc/pf.conf:45: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

That right there is why it wasn't loading. The = signs did indeed cause a problem with ppp. Since ======= isn't a valid config parameter in ppp.conf, it thought it was a label (like internode or papchap), but since it was missing the colon at the end, didn't know what to do with it. Because it was confused, ppp didn't assign an IP to the virtual interface. Since there was no IP on the interface, pf couldn't determine what it was and refused to load the rule set. You solved the problem on your own, but I thought you'd like to know what was going on.


hiatek said:
I now have the following in /var/log/messages
Code:
freebsd# tail /var/log/messages
Feb 24 10:28:29 freebsd kernel: ifa_del_loopback_route: deletion failed
Feb 24 10:28:29 freebsd kernel: tun0: link state changed to DOWN
Feb 24 10:28:52 freebsd kernel: tun0: link state changed to UP
Feb 24 10:28:55 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 3) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 4) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: 0.0.0.0/0: Change route failed: errno: No such process

I think we may be getting closer to solving it. I have no idea what the correct syntax is for that file to know if I've bodged it though, any more clues?

The 'change route failed' message looks exactly like what I get when my DSL connection authenticates. (I've tried to find a reason for the errors, but have not been able to; since it doesn't seem to cause problems, I've ignored it.) It appears that your DSL connection is now working properly - we just have to chase down the problem in ppp.linkup.

Please post your current ppp.linkup file - ppp isn't running the commands (and loading your pf rules) because it doesn't recognize the configuration in there as valid config parameters and thinks the lines represent labels instead.
 