pf requires reload after boot

I have built a router out of FreeBSD 12. I have unbound, dhcpd, and pf configured. Everything works, except that I have to issue pfctl -f /etc/pf.conf after boot, or pf blocks all traffic. The log file reflects this. After reloading the rules everything works fine. What would cause this? I feel like I've missed something silly, but darned if I can find it.

rc.conf:

Code:
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="shadowfax.mirkwood.local"
ifconfig_igb0="DHCP"
sshd_enable="YES"
ntpd_enable="YES"
ntpd_flags="-g"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
pf_enable="YES"
pf_program="/sbin/pfctl"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_file="/var/log/pflog"
gateway_enable="YES"
ifconfig_igb1="inet 10.0.0.1 netmask 255.255.255.0"
unbound_enable="YES"
dhcpd_enable="YES"
 
Code:
ifconfig_igb0="DHCP"
Looking at the above ifconfig line, it seems at least one of your interfaces is configured dynamically. If that is the case, your /etc/pf.conf needs to take into account that the address of that interface might change, otherwise /etc/pf.conf requires reloading each time the address has changed. To make pf aware of the fact that the interface address may change, locate all occurrences where you are using the interface name to refer to the interface's address and surround the interface name with parentheses.

From pf.conf(5):
Host name resolution and interface to address translation are done at ruleset load-time. When the address of an interface (or host name) changes (under DHCP or PPP, for instance), the ruleset must be reloaded for the change to be reflected in the kernel. Surrounding the interface name (and optional modifiers) in parentheses changes this behaviour. When the interface name is surrounded by parentheses, the rule is automatically updated whenever the interface changes its address. The ruleset does not need to be reloaded. This is especially useful with nat.
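The poster's actual /etc/pf.conf was not shown, so the following is an added, constructed ruleset (not from the thread) that illustrates the reply's point. It assumes the interface roles implied by the rc.conf above: igb0 is the DHCP-addressed WAN side and igb1 is the static 10.0.0.0/24 LAN side. The commented-out nat line is the form that resolves igb0's address once at load time; the active lines use the parenthesised form that pf tracks in the kernel.

```pf
# Added example ruleset, not the poster's own /etc/pf.conf.
# Assumed roles from rc.conf: igb0 = WAN (DHCP), igb1 = LAN (10.0.0.1/24).
ext_if  = "igb0"
int_if  = "igb1"
lan_net = "10.0.0.0/24"

set skip on lo0

# Weak form: a bare $ext_if as the translation address is resolved to an IP
# when the ruleset is loaded. At boot that can happen before dhclient has a
# lease, so the rule carries a missing or stale address until the ruleset is
# reloaded by hand with 'pfctl -f /etc/pf.conf'.
# nat on $ext_if from $lan_net to any -> $ext_if

# Corrected form: ($ext_if) tells pf to follow the interface's current address,
# so the rule is updated in the kernel whenever igb0's address changes and no
# reload is needed after the DHCP lease arrives.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged to pflog so blocked traffic is visible in /var/log/pflog.
block in log all

# LAN hosts may reach anything through the router; the router may talk out.
pass in  quick on $int_if from $lan_net to any keep state
pass out quick on $ext_if all keep state

# Management access to the router's own WAN address, again in tracked form so
# it keeps matching after a DHCP renewal.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

To check the file before enabling it, `pfctl -vnf /etc/pf.conf` parses the ruleset without loading it and prints the expanded rules. After a load, `pfctl -sr` shows the rules as the kernel holds them; with the corrected form the translation target is displayed as `(igb0)` rather than a fixed address, which is the sign that pf will track the interface. A separate, optional precaution for a DHCP WAN interface is to set `ifconfig_igb0="SYNCDHCP"` in rc.conf so that the boot sequence waits for the lease before continuing; the parenthesised addresses remain the fix the reply describes for renewals after boot.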
 