PF PF is loaded and when the computer restarts, you lose, help.

[teo]

Following the FreeBSD Handbook, I added this to the file /etc/rc.conf:

# ee /etc/rc.conf
  pf_enable="YES"
  pf_rules="/path/to/pf.conf"

and then did this

# kldload pf

and reboot ( # reboot). Once the system had restarted, it gave this result:

# pfctl -e
pfctl: /dev/pf: No such file or directory
#

 

[wblock@]

What version of FreeBSD? Do you have a custom kernel or entries in /etc/src.conf?

 

[teo]

What version of FreeBSD? Do you have a custom kernel or entries in /etc/src.conf?

FreeBSD 10.

# uname -a
FreeBSD localhost 10.0-RELEASE-p9 FreeBSD 10.0-RELEASE-p9 #0: Mon Sep 15 14:32:29 UTC 2014  root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

I have the GENERIC kernel.

I have no entry in the file /etc/src.conf.

 

[wblock@]

Check /etc/rc.conf, making sure it says

pf_enable="YES"

(not "enabled").

 

[teo]

I said above that I added to the file /etc/rc.conf:

# ee /etc/rc.conf
pf_enable="YES"
pf_rules="/path/to/pf.conf"
#

 

[wblock@]

I saw that. Some people retype rather than cut and paste. Which did you use?

 

[teo]

Copy the results showing the console with the mouse.

 

[wblock@]

Wait, the pf() module must be loaded after a reboot. Do that before running pfctl().

 

[teo]

Do that before running pfctl().

pfctl()? I didn't execute pfctl(), the only thing that was run was kldload pf. And then I rebooted the system.

 

[protocelt]

I said above that you add to the file /etc/rc.conf

# ee /etc/rc.conf
pf_enable="YES"
pf_rules="/path/to/pf.conf"
#

Just to cover the bases here, you've modified

pf_rules="path/to/pf.conf"

to an existing path, correct? For example:

pf_enable="YES"
pf_rules="/etc/pf.conf"

 

[wblock@]

# pfctl -e
pfctl: /dev/pf: No such file or directory
#

That was what you said. Loading the module before rebooting is pointless, it needs to be loaded after a reboot.

 

[teo]

Just to cover the bases here, you've modified pf_rules="path/to/pf.conf" to an existing path, correct? For example:

pf_enable="YES"
pf_rules="/etc/pf.conf"

To which file should

pf_rules="/etc/pf.conf"

be added?

 

[usdmatt]

I think protocelt was asking to make sure that the /path/to/pf.conf you have in /etc/rc.conf actually points to a valid file containing pf rules.

The two lines you have in /etc/rc.conf look correct. However, it may not load if the rule file you specified doesn't exist or has errors. What happens if you try and load the rule file you've specified in rc.conf manually? pfctl -f /path/to/pf.conf Or, are there any interesting messages output during the last stage of boot when it tries to start pf?

 

[teo]

Or, are there any interesting messages output during the last stage of boot when it tries to start pf?

I was following what the FreeBSD Handbook says, when I restart the system it returns to the same. It can be charged again and again with this command kldload pf, but when it restarts is lost.

 

[wblock@]

Please point to the URL in the Handbook that tells you to load the pf() module and then reboot. That makes no sense.

Most people would just load the module in /boot/loader.conf.

 

[usdmatt]

I don't think you need to load the pf module manually (it's not mentioned in the handbook at least)

It seems to me that for pf to load on boot, you need to specify a rule file containing your pf rules, using the

pf_rules=""

option.

I'm starting to get the feeling that the OP hasn't created a file containing any rules, and so pf is failing to start on boot (it probably does a rule check first, errors and never loads the module. In fact the handbook clearly states "PF will not start if it cannot find its ruleset configuration file").

It looks like the rc.conf lines have been blindly copied from the handbook and pf is trying to open /path/to/pf.conf, which almost certainly doesn't exist.

OP, can you confirm you actually have a file containing valid pf rules, and the

pf_rules=""

option in rc.conf points at it?

Just because you load the pf module manually doesn't necessarily mean it will be loaded on reboot. The system doesn't automatically "return to the same"

Edit: Reading through the handbook, it mentions that by default pf will use a pre-configured set of rules in /etc/pf.conf, so if you want to use those just remove the pf_rules line from rc.conf completely.

 

[teo]

The system will load another look with this command, and the output is this, the problem is to reboot.

# pfctl -d
pfctl: /dev/pf: No such file or directory
#

The charge:

# kldload pf
#

Then I checked this present:

# kldstat
Id Refs Address  Size  Name
1  95 0xc0400000 1276c0c  kernel
2  1 0xc1677000 36b0  snd_driver.ko
3  2 0xc167b000 5b74  snd_vibes.ko
4  2 0xc1681000 4d74  snd_via82c686.ko
5  2 0xc1686000 5698  snd_t4dwave.ko
6  4 0xc168c000 2d14  snd_spicds.ko
7  2 0xc168f000 6b7c  snd_solo.ko
8  5 0xc1696000 4fa8  snd_sbc.ko
9  2 0xc169b000 4fbc  snd_sb8.ko
10  2 0xc16a0000 52ec  snd_sb16.ko
11  2 0xc16a6000 11b74  snd_neomagic.ko
12  3 0xc16b8000 e564  snd_mss.ko
13  2 0xc16c7000 a318  snd_maestro3.ko
14  2 0xc16d2000 9300  snd_maestro.ko
15  2 0xc16dc000 48b0  snd_fm801.ko
16  2 0xc16e1000 5bac  snd_ess.ko
17  2 0xc16e7000 849c  snd_envy24ht.ko
18  2 0xc16f0000 96a0  snd_envy24.ko
19  2 0xc16fa000 b820  snd_ds1.ko
20  2 0xc1706000 5574  snd_cs4281.ko
21  2 0xc170c000 6edc  snd_atiixp.ko
22  2 0xc1713000 5af8  snd_als4000.ko
23  2 0xc1719000 6724  snd_ad1816.ko
24  1 0xc420e000 29000  vboxguest.ko
25  1 0xc4243000 2000  vboxvideo.ko
26  1 0xc4245000 15000  drm.ko
27  1 0xc47ea000 34000  pf.ko
#

This system loaded:

# pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
#

When you restart the system PF is lost.

 

[usdmatt]

I think we're going round in circles here.

Just because you load the pf module with kldload, and it shows up as enabled with pfctl, doesn't mean it will magically be there on reboot.

What exactly do you have in your /etc/rc.conf at the moment?

 

[teo]

What exactly do you have in your /etc/rc.conf at the moment?

The system configuration:

# ee /etc/rc.conf

hostname="localhost"
keymap="spanish.iso15.acc.kbd"
ifconfig_em0="DHCP"
ifconfig_em0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
moused_enable="YES"
hald_enable="YES"
dbus_enable="YES"
slim_enable="YES"

pf_enable="YES"
pf_rules="/path/to/pf.conf"


ntpd_enable="YES"
moused_enable="YES"
dumpdev="NO"

vboxguest_enable="YES"
vboxservice_enable="YES"

font8x8="iso15-8x8"
font8x14="iso15-8x14"
font8x16="iso15-8x16"

 

[usdmatt]

Right, so you've configured the system to load pf rules from /path/to/pf.conf:

pf_rules="/path/to/pf.conf"

Can I assume then, that you have created the file /path/to/pf.conf, and that it contains your pf rules?

If not, the FreeBSD boot process is going to realise that file doesn't exist, and not bother loading the pf module. As I said in an earlier message, the handbook clearly states:

PF will not start if it cannot find its ruleset configuration file.

 

[teo]

You see, they are the results of the system, what the FreeBSD handbook says and I followed what it says there.

Do not add additional options. Described in pfctl(8), they can be passed to PF when it is started. Add this entry to /etc/rc.conf and specify any required flags between the two quotes (""):

pf_flags=""   # additional flags for pfctl startup

They said on the forums that it gave problems that are not important.

 

[protocelt]

I think protocelt was asking to make sure that the /path/to/pf.conf you have in /etc/rc.conf actually points to a valid file containing pf rules.
pf?
[...]

Sorry about that. I should have worded that reply better but yes, that is exactly what I meant to say.

 

[teo]

What PF rules refer to this [...]? Where should [...] go?

pf_rules="/path/to/pf.conf"

is in the file /etc/rc.conf..

[Attempted translation -- mod.]

 

[protocelt]

What PF rules refer to this [...]? Where should [...] go?

Please ignore that. It was a mistake on my part replying.

 

[teo]

Thank you very much for answering, security is very important in a system, we continue tomorrow, hopefully we can with PF.