pf not loading rules on reboot

[Hornpipe2]

pf is not loading my ruleset from /etc/pf.conf on startup. I have to manually execute
[cmd=]pfctl -F all -f /etc/pf.conf[/cmd]
at each startup to enable my nat rules for the servers behind my firewall.

Here's my rc.conf, it has the relevant pf_enable and pf_rules lines in it.

# Enable gateway internet
gateway_enable="YES"
hostname="greg-kennedy.com"
# set up internet devices
ifconfig_rl0="inet 192.168.1.1 netmask 0xffffff00"
ifconfig_sis0="DHCP"
# telnet, finger, etc
inetd_enable="NO"
keymap="us.dvorak"
sshd_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="rl0"
ntpd_enable="YES"
ntpd_flags="-g"
apache_enable="YES"
opendd_enable="YES"
mysql_enable="YES"
svnserve_enable="YES"
svnserve_flags="-d --listen-port=3690 --listen-host=0.0.0.0"
svnserve_data="/usr/local/svn/data"

# firewall
[B]pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"[/B]
miniupnpd_enable="YES"
syslogd_flags="-s -s"              # Flags to syslogd (if enabled).

rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_flags="-r"

Any ideas? My system is 8.1-RELEASE-p0.

 

[DutchDaemon]

Are there hostnames in your pf.conf? When pf is started and resolving is not yet available, it may refuse to load the ruleset. This should be visible in [cmd=]dmesg -a[/cmd] or in a verbose boot (boot menu).

 

[Hornpipe2]

Well I did find this:\

Enabling pf
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for sis0
/etc/pf.conf:39:
could not parse host specification

pfctl:
Syntax error in config file: pf rules not loaded

And here is line 39:

pass in on $ext_if inet proto tcp from any to $ext_if \
    port $tcp_services

Not sure what part of that qualifies as a "host specification", these are my macros:

# macros
int_if="rl0"
ext_if="sis0"

tcp_services="{ 22, 80, 8000 }"
icmp_types="echoreq"

Is 'egress' the workaround for this?

 

[wblock@]

Does sis0 have an IP address by the time pf runs?

 

[Hornpipe2]

No, it doesn't seem to have one - that's dhcp assigned. I was able to fix it though by wrapping the second $ext_if in parens.

pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services

Thanks for the help! I may post again with questions about hardening my pf.conf but this seems like a good start.

 

[wblock@]

There's the SYNCDHCP option for /etc/rc.conf to make the startup wait for a DHCP address:

ifconfig_sis0="SYNCDHCP"

 

[DutchDaemon]

Hornpipe, be so kind to re-read http://forums.freebsd.org/showthread.php?t=8816 and use the proper formatting tags. The [file] tag is for file/path names, the [code] tag is for file contents and system output.