# PF doesn't load rules on boot anymore



## hiatek (Feb 22, 2010)

PF will not load the rules I have set in */etc/pf.conf* after boot/reboot.
If I run

```
pfctl -d
pfctl -e -f /etc/pf.conf
```

my rules load correctly.

If I attempt to *pfctl -e -f /etc/pf.conf* without first *pfctl -d* I'm informed that pf is already running.

My */etc/rc.conf* is as follows

```
freebsd# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Fri Oct 30 07:49:53 2009
# Created: Fri Oct 30 07:49:53 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
hostname="internal.local"
ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_nfe0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
keymap="us.iso"

# - Enable SSH
sshd_enable="YES"

# - PPPoE Connection
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="internode"

# - Enable DHCP Server
dhcpd_enable="YES"
dhcpd_ifaces="nfe0"

# - Enable DNS Server
named_enable="YES"

# - PF Firewall
pf_enable="YES"         # Enable PF Firewall
pf_rules="/etc/pf.conf" # Rules definition file for PF
pf_flags=""             # Additional flags for pfctl startup
pflog_enable="YES"      # Start pflogd(8)
#pflog_file="/var/log/pflog" # Where pflogd should store the log file
pflog_logfile="/var/log/pflog"
pflog_flags=""          # Additional pflog flags for startup

# - Squid Web-Cache
squid_enable="YES"

# - Disable Sendmail
sendmail_enable="NO"
#sendmail_submit_enable="NO"
#sendmail_outbound_enable="NO"
#sendmail_msp_queue_enable="NO"

# - Postfix MTA
postfix_enable="YES"

# - Dovecot
dovecot_enable="YES"
freebsd#
```


Regarding the pflog_logfile line, I looked at the handbook (after noticing this issue) and it appears like the second uncommented line, whereas I had been running with the first (commented) line for quite some time without (a noticeable) issue. Either way I have the same issue regardless of which option I use. Did this get changed at some point or did I have it wrong all along?

I can also post my /etc/pf.conf if need be although it "should" be using the same file when used manually or via rc.conf.

I have tried *pfctl -nf /etc/pf.conf* which runs silently (does not show any errors).

Output of uname -a is as follows:

```
freebsd# uname -a
FreeBSD freebsd.internal.local 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan  5 16:02:27 UTC 2010     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
```

Are there any log files I should check or commands I can run to narrow this down?


----------



## SirDice (Feb 22, 2010)

Remove everything except the *pf_enable* and *pflog_enable*.


----------



## hiatek (Feb 22, 2010)

Just to clarify, when you say everything, you mean everything regarding pf in rc.conf?
Or do you mean everything in the rc.conf file, pf-related or not?


Regards,
Michael


----------



## SirDice (Feb 22, 2010)

hiatek said:

> Just to clarify, when you say everything, you mean everything regarding pf in rc.conf?


Yes.


----------



## hiatek (Feb 22, 2010)

*/etc/rc.conf* now looks like the following:

```
freebsd# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Fri Oct 30 07:49:53 2009
# Created: Fri Oct 30 07:49:53 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
gateway_enable="YES"
hostname="freebsd.internal.local"
ifconfig_rl0="inet 192.168.1.2 netmask 255.255.255.0"
ifconfig_nfe0="inet 192.168.0.1 netmask 255.255.255.0"
inetd_enable="NO"
keymap="us.iso"

# - Enable SSH
sshd_enable="YES"

# - PPPoE Connection
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="internode"

# - Enable DHCP Server
dhcpd_enable="YES"
dhcpd_ifaces="nfe0"

# - Enable DNS Server
named_enable="YES"

# - PF Firewall
pf_enable="YES"         # Enable PF Firewall
#pf_rules="/etc/pf.conf" # Rules definition file for PF
#pf_flags=""            # Additional flags for pfctl startup
pflog_enable="YES"      # Start pflogd(8)
#pflog_file="/var/log/pflog" # Where pflogd should store the log file
#pflog_logfile="/var/log/pflog"
#pflog_flags=""         # Additional pflog flags for startup

# - Squid Web-Cache
squid_enable="YES"

# - Disable Sendmail
sendmail_enable="NO"
#sendmail_submit_enable="NO"
#sendmail_outbound_enable="NO"
#sendmail_msp_queue_enable="NO"

# - Postfix MTA
postfix_enable="YES"

# - Dovecot
dovecot_enable="YES"
```

I still have the same issue, thanks for the help so far.


Regards,
Michael


----------



## SirDice (Feb 22, 2010)

Ok. What happens when you do `# /etc/rc.d/pf start`?


----------



## hiatek (Feb 22, 2010)

After I have manually disabled and enabled using the command mentioned earlier:


```
freebsd# /etc/rc.d/pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
.
freebsd#
```

If I reboot and run *# /etc/rc.d/pf start*
I receive the same output

It does have the end result of loading the rules (when I test using grc.com shields up, the expected ports are stealthed and defined ports are unblocked).

I guess it's a matter of doing this at boot, which has got me miffed why it's failing now.


----------



## sniper007 (Feb 22, 2010)

Probably it is a problem with the PPPoE connection, because the pf rules are loaded before PPPoE establishes the connection.

Try adding this line to */etc/rc.local*:

```
pfctl -f /etc/pf.conf
```


----------



## hiatek (Feb 22, 2010)

So I comment out everything to do with pf in */etc/rc.conf* and create */etc/rc.local*?
It doesn't exist at the moment.

Does this shut things down correctly when using the shutdown command? 
I might be totally off track but is that what the rc.conf does?

Thanks again.

EDIT: I have tried commenting out pf related settings in /etc/rc.conf.
Created the /etc/rc.local
I then added the following line

```
pfctl -ef /etc/pf.conf
```
Just having *pfctl -f /etc/pf.conf* doesn't appear to work on the command line either, so I added the -e also.

Sorry this doesn't seem to resolve my issue.


Regards,
Michael


----------



## sniper007 (Feb 22, 2010)

*rc.conf*

```
pf_enable="YES"        
pflog_enable="YES"
```

*rc.local*

```
pfctl -f /etc/pf.conf
```


----------



## hiatek (Feb 22, 2010)

It appears to be the same result as my previous post's edit. The rules don't appear to be loading.

It does appear to be starting as before though. If I attempt to manually start it, I'm told about No ALTQ support in kernel and pfctl: pf already enabled.

If I then manually disable and enable telling it my pf.conf location all is rosy (well except it auto loading the rules for me).


----------



## SirDice (Feb 22, 2010)

hiatek said:

> After I have manually disabled and enabled using the command mentioned earlier:
>
> ```
> ...



There's no error showing. There's only a message that there's no ALTQ support. This is normal if you use the pf module.


----------



## DutchDaemon (Feb 22, 2010)

If you're filtering on the ppp interface, do you have parentheses around that interface variable throughout your ruleset (pass in on ($ppp_if), etc.)?


----------



## PJF (Feb 22, 2010)

Does your pf rule set have any domain names in it?

I just had a similar issue where it would not load rules at boot time.
Turns out PF was trying to do DNS lookups on some domains I had in the rule set, but the network was not fully up yet.

I switched the domains to the IPs and now it loads fine at boot.
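The two replies above (the missing parentheses around the interface macro, and DNS names in the ruleset) describe the same class of failure: an operand that pfctl has to resolve at the moment the file is loaded cannot be resolved while the PPPoE link is still down, and pfctl then rejects the whole ruleset. The pfctl errors posted later in the thread name lines 44 and 45 of the posted pf.conf, which correspond to the two rdr rules written with a bare `to $ext_if`. The following POSIX shell script is an added example, not code from the thread or from the pf project, that scans a pf.conf for both patterns so the problem can be caught before a reboot. The sample ruleset it writes is constructed (a condensed version of the rules posted in this thread), and the names `pf_boot_lint` and `write_sample_ruleset` are this example's own.

```shell
#!/bin/sh
# Added example: find the two constructs that make a pf ruleset fail to load
# at boot, before the PPPoE link (tun0) has an address:
#   1. an interface macro used as an address without parentheses, e.g.
#      "to $ext_if": pfctl looks the address up once, at load time, and fails
#      with "no IP address found for tun0";
#   2. a hostname (or bare interface name) as a from / to / -> operand, which
#      pfctl also has to resolve at load time.
# Names (pf_boot_lint, write_sample_ruleset) are this example's own.

# pf_boot_lint FILE MACRO
# MACRO is the macro holding the dynamic interface, e.g. ext_if.
# Prints "LINE: problem: rule" per finding; exit status 1 if any, else 0.
pf_boot_lint() {
    awk -v m="$2" '
        # skip blanks, comments and "set ..." options (set loginterface $m is fine)
        /^[ \t]*$/ || /^[ \t]*#/ || /^[ \t]*set[ \t]/ { next }
        {
            line = $0
            # remove the "on $m" interface binding and any parenthesised "($m...)"
            # form: both are legitimate, so any "$m" left over is an address use
            gsub("on[ \t]+\\$" m "([^A-Za-z0-9_]|$)", " ", line)
            gsub("\\(\\$" m "[^)]*\\)", "", line)
            if (match(line, "\\$" m "([^A-Za-z0-9_]|$)")) {
                print NR ": $" m " as an address without parentheses: " $0
                found++
            }
            # operands after from / to / -> that are neither literal addresses
            # nor macros, tables or lists need a lookup when the file is loaded
            for (i = 1; i < NF; i++) {
                if ($i != "from" && $i != "to" && $i != "->") continue
                a = $(i + 1)
                sub(/^!/, "", a)                              # negation prefix
                if (a == "any" || a == "self") continue
                if (a ~ /^[$(<{]/) continue                    # $macro ($if) <table> { list }
                if (a ~ /^[0-9.]+(\/[0-9]+)?$/) continue       # IPv4 literal or CIDR
                if (a ~ /:/ && a ~ /^[0-9a-fA-F:.]+(\/[0-9]+)?$/) continue   # IPv6 literal
                print NR ": \"" a "\" must be resolved at load time: " $0
                found++
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# write_sample_ruleset FILE -- constructed sample, condensed from the rules in
# this thread plus one rule with a hostname; it is not the poster's real file.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
ext_if="tun0"
int_if="nfe0"
win_host="192.168.0.5"
set loginterface $ext_if
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> 192.168.0.100 port 6881
rdr pass on $ext_if inet proto gre from any to $ext_if -> $win_host
rdr pass on $ext_if inet proto tcp from any to $ext_if port 1723 -> $win_host
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22
pass in on $ext_if proto tcp from mail.example.net to any port 25
block drop in quick from <ssh-violations> to any
EOF
}

# Demo: lines 7, 8 and 10 of the sample are reported.
f=$(mktemp)
write_sample_ruleset "$f"
if pf_boot_lint "$f" ext_if; then
    echo "no load-time dependencies found"
else
    echo "this ruleset would be rejected while tun0 has no address"
fi
rm -f "$f"
```

This is a text-level check, not a pf parser: it does not look inside `{ }` lists, and it reports an interface name used as an address (for example `to tun0`) the same way as a hostname, because pf substitutes both when the ruleset is loaded. The fixes are the ones named in the thread: write the dynamic interface as `($ext_if)` so pf re-evaluates the address whenever the interface changes, and replace names with addresses or a table.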


----------



## Ruler2112 (Feb 22, 2010)

I have a ppp connection and in /etc/ppp/ppp.linkup is:


```
papchap:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.rules
shell /etc/rc.d/named restart
```

Perhaps your firewall is loading the rules fine, but when the link comes up, it doesn't refresh them to reflect the new status of the virtual interface?


----------



## hiatek (Feb 22, 2010)

My */etc/pf.conf*

```
freebsd# cat /etc/pf.conf
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
# Revised by ... on 16/02/2010


# macros
ext_if="tun0"
int_if="nfe0"

win_host="192.168.0.5"

tcp_services="{ 22 }"
icmp_types="echoreq"

# tables
# ssh violations
table <ssh-violations> persist file "/etc/ssh-violations.txt"

#comp3="192.168.0.3"

# options
set block-policy drop
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# - Redirections
# - FTP proxy to local machine removed because ftp downloads would not work
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# - Squid Redirection
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# Bittorent virtual server/Port Forward
rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> 192.168.0.100 port 6881
# - Windows Server pptp VPN redirect
rdr pass on $ext_if inet proto gre from any to $ext_if -> $win_host
rdr pass on $ext_if inet proto tcp from any to $ext_if port 1723 -> $win_host

# filter rules
block in all
pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
# Mail Filter
pass in on $ext_if proto tcp from any to any port 25 flags S/SA

# Bittorent Filter
pass in quick on $ext_if proto tcp from any to 192.168.0.100 port 6881
# Squid Filters
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state
        pass out on $ext_if inet proto tcp from any to any port www keep state
#pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
#    synproxy state

# Windows pptp VPN Server Filter
pass out quick on $int_if inet proto gre from any to $win_host keep state
pass out quick on $int_if inet proto tcp from any to $win_host port 1723 flags S/SA keep state

# Allow ping
pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state

#Block hosts discovered as SSH violations
block drop in quick from <ssh-violations> to any
freebsd#
```


----------



## aragon (Feb 23, 2010)

PF is probably starting before ppp, so tun0 doesn't exist yet.  You need to follow Ruler2112's advice I suspect...


----------



## hiatek (Feb 23, 2010)

I don't appear to have a */etc/ppp/ppp.linkup*
I do have a */etc/ppp/ppp.conf*

Can I make said changes to this file?


Regards,
Michael


----------



## aragon (Feb 23, 2010)

No, you need to create a /etc/ppp/ppp.linkup.  You probably want a /etc/ppp/ppp.linkdown too, that does the opposite of linkup.


----------



## hiatek (Feb 23, 2010)

So I create the file and then put the contents in the file and that's it? 
Do I need to reference it from anywhere else, like /etc/rc.conf?

EDIT:
I have attempted to create the file */etc/ppp/ppp.linkup*, put the contents in

```
papchap:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.conf
shell /etc/rc.d/named restart
```

I also tried changing *papchap:* to *internode:*.
I'm not sure if this has any relevance, neither works for me though. Rules still fail to load on reboot.


----------



## Ruler2112 (Feb 23, 2010)

The first line in ppp.linkup should reflect the configuration name in ppp.conf.  For example, my ppp.conf has in it:


```
papchap:
set authname blahblahblah
set authkey yakyakyak
.....
```

Here's an easy way to tell if it's working or not.  When you bounce your ppp connection, does named restart?  If not, there's something not working right in your ppp config.  (It's a PITA to get right the first time... whoever came up with PPPoE and virtual interfaces obviously never had to use them IRL!  Gimme a straight ethernet connection coming out of the modem device any day...)


----------



## hiatek (Feb 23, 2010)

Contents of */etc/ppp/ppp.linkup*

```
freebsd# cat /etc/ppp/ppp.linkup
internode:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.conf
shell /etc/rc.d/named restart
```

Contents of */etc/ppp/ppp.conf*

```
freebsd# cat /etc/ppp/ppp.conf
#################################################################
# PPP  Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by wself@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD: src/etc/ppp/ppp.conf,v 1.11.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#################################################################

default:
        set log Phase tun command
        set ifaddr 10.0.0.1/0 10.0.0.2/0
=======
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

 # Ensure that "device" references the correct serial port
 # for your modem. (cuau0 = COM1, cuau1 = COM2)
 #
 set device /dev/cuau1

 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
           \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180                        # 3 minute idle timer (the default)
 enable dns                             # request DNS info (for resolv.conf)

papchap:
 #
 # edit the next three lines and replace the items in caps with
 # the values which have been assigned by your ISP.
 #

 set phone PHONE_NUM
 set authname USERNAME
 set authkey PASSWORD

internode:
        set device PPPoE:rl0
        set authname USERNAME
        set authkey PASSWORD
        set dial
        set login
        add default HISADDR
        enable dns
freebsd#
```

I'm not sure what you mean by "bouncing my ppp connection" nor how I would go about that to answer your question.


Regards,
Michael


----------



## Ruler2112 (Feb 23, 2010)

`/etc/rc.d/ppp stop` will deactivate the connection and the commands in ppp.linkdown should run.  Similarly, `/etc/rc.d/ppp start` will start the connection/authentication, running the commands in ppp.linkup once the connection is fully active.  You can check your logs to see if named is restarting to verify if this mechanism is working correctly.

Your config looks OK to me, but I'm far from an expert.


----------



## hiatek (Feb 23, 2010)

```
freebsd# /etc/rc.d/ppp start
Starting PPP profile: internodeLoading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
.
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for tun0
/etc/pf.conf:44: could not parse host specification
no IP address found for tun0
/etc/pf.conf:45: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
freebsd#
```

Are those "=" (equals signs) meant to be there (in /etc/ppp/ppp.conf) I wonder?

EDIT:
I added a comment in front of the equals signs in /etc/ppp/ppp.conf

I now have the following in */var/log/messages*

```
freebsd# tail /var/log/messages
Feb 24 10:28:29 freebsd kernel: ifa_del_loopback_route: deletion failed
Feb 24 10:28:29 freebsd kernel: tun0: link state changed to DOWN
Feb 24 10:28:52 freebsd kernel: tun0: link state changed to UP
Feb 24 10:28:55 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: deflink: Reducing configured MRU from 1500 to 1492
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 3) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 4) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: Bad label in /etc/ppp/ppp.linkup (line 2) - missing colon
Feb 24 10:28:56 freebsd ppp[4376]: tun0: Warning: 0.0.0.0/0: Change route failed: errno: No such process
freebsd#
```

I think we may be getting closer to solving it, I have no idea what the correct syntax is for that file to know if I've bodged it though, any more clues?


----------



## Ruler2112 (Feb 24, 2010)

hiatek said:

> ```
> Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
> Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
> Warning: Bad label in /etc/ppp/ppp.conf (line 14) - missing colon
> ...



That right there is why it wasn't loading.  The = signs did indeed cause a problem with ppp.  Since ======= isn't a valid config parameter in ppp.conf, it thought it was a label (like internode or papchap), but since it was missing the colon at the end, didn't know what to do with it.  Because it was confused, ppp didn't assign an IP to the virtual interface.  Since there was no IP on the interface, pf couldn't determine what it was and refused to load the rule set.  You solved the problem on your own, but I thought you'd like to know what was going on.




			
				hiatek said:
			
		

> I now have the following in */var/log/messages*
> 
> ```
> freebsd# tail /var/log/messages
> ...



The 'change route failed' message looks exactly like what I get when my DSL connection authenticates.  (I've tried to find a reason for the errors, but have not been able to; since it doesn't seem to cause problems, I've ignored it.)  It appears that your DSL connection is now working properly - we just have to chase down the problem in ppp.linkup.

Please post your current ppp.linkup file - ppp isn't running the commands (and loading your pf rules) because it doesn't recognize the configuration in there as valid config parameters and thinks the lines represent labels instead.


----------



## Ruler2112 (Feb 24, 2010)

I just remembered something that caught me when I first set up my DSL line.  The ppp.linkup file has the first line as the label, matching what is in ppp.conf for your connection.  The lines within that block *need* to have at least one space in front of them!  The file I posted above doesn't have them in; either the code tag doesn't support leading spaces or I removed them when I posted the file.  The latter is more likely, due to the fact that my emulator I admin my BSD box with doesn't add CRs at the end of each line and instead spits out one continuous line when I copy from it, spaces and all.  (I always have to remove the spaces from the output I post and add line breaks because of this.)
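The two warnings quoted earlier (the `=======` line in ppp.conf and the unindented `shell` lines in ppp.linkup) both follow from the file grammar ppp(8) applies: a line that starts in column 1 is taken to be a label and must end with a colon, and every command that belongs to a label has to be indented by at least one space. As an added check, not code from the thread, this POSIX shell function applies exactly that rule to a ppp.conf or ppp.linkup file and reports the lines ppp would complain about. The sample files it writes are constructed, mirroring the ppp.conf fragment with the stray `=======` line, the unindented ppp.linkup posted above and its indented fix; the names `ppp_label_lint` and `write_sample` are this example's own.

```shell
#!/bin/sh
# Added example: structural check for ppp(8) config files (ppp.conf,
# ppp.linkup, ppp.linkdown). The rule behind the "Bad label ... missing colon"
# warnings in this thread: a line starting in column 1 is a label and must end
# with ':'; every command belonging to a label must be indented.
# Function and file names are this example's own, not from the thread.

# ppp_label_lint FILE
# Prints "LINE: problem: text" for each offending line; exit 1 if any, else 0.
ppp_label_lint() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank line or comment
        /^[ \t]/ {                                 # indented: a command line
            if (label == "") {
                print NR ": command before any label: " $0
                bad++
            }
            next
        }
        /^[A-Za-z0-9_.-]+:[ \t]*$/ {               # well-formed label
            label = $0
            sub(/:.*/, "", label)
            next
        }
        {   # anything else in column 1 is what ppp reports as a bad label
            print NR ": column-1 line is not a label (missing colon?): " $0
            bad++
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_sample FILE KIND -- constructed samples (not the poster's real files):
#   conf          ppp.conf fragment with a stray "=======" line, as in the thread
#   linkup        ppp.linkup whose shell commands are not indented
#   linkup-fixed  the same ppp.linkup with the required leading space
write_sample() {
    case $2 in
    conf)
        cat > "$1" <<'EOF'
default:
 set log Phase tun command
=======
internode:
 set device PPPoE:rl0
 add default HISADDR
EOF
        ;;
    linkup)
        cat > "$1" <<'EOF'
internode:
shell /sbin/pfctl -d
shell /sbin/pfctl -e -f /etc/pf.conf
shell /etc/rc.d/named restart
EOF
        ;;
    linkup-fixed)
        cat > "$1" <<'EOF'
internode:
 shell /sbin/pfctl -d
 shell /sbin/pfctl -e -f /etc/pf.conf
 shell /etc/rc.d/named restart
EOF
        ;;
    esac
}

# Demo: the first two files produce findings, the third is clean.
for kind in conf linkup linkup-fixed; do
    f=$(mktemp)
    write_sample "$f" "$kind"
    echo "== $kind"
    ppp_label_lint "$f" || echo "ppp would warn about and skip the lines above"
    rm -f "$f"
done
```

Running the check on the real files before bouncing the link (`/etc/rc.d/ppp stop` and `start`) shows the same lines that ppp logs to /var/log/messages, without waiting for a reconnect; a clean result plus a `named` restart in the log is the confirmation that the linkup commands are actually being executed.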


----------



## hiatek (Feb 25, 2010)

Thank you so much,
I can now boot the machine and check with grc.com and my rules appear to be loading.
pfctl -sr seems to look correct also.

Other functions on the server appear to be unharmed also (well a really quick check anyway).

Do I require the name server part of /etc/ppp/ppp.linkup?
I guess it won't hurt to leave it anyway.

I don't have a corresponding opposite to ppp.linkup. Do I require one if I don't plan on halting the connection manually?


Thanks heaps for the help.


Regards,
Michael.


----------



## Ruler2112 (Feb 25, 2010)

hiatek said:

> Thank you so much,
> I can now boot the machine and check with grc.com and my rules appear to be loading.
> pfctl -sr seems to look correct also.



Great!




			
				hiatek said:
			
		

> Do I require the name server part of /etc/ppp/ppp.linkup?
> I guess it won't hurt to leave it anyway.



Do you have a name assigned to your box that's resolvable from the internet or do you use your local box as a resolver?  If either is true, you should leave it.  If neither is true, you really shouldn't need it - try disabling it and test.




			
				hiatek said:
			
		

> I don't have a corresponding opposite to ppp.linkup. Do I require one if I dont plan on halting the connection manually?



Only if you want to load different firewall rules or execute other commands when your connection terminates.  You can write out to a log file, spit a message out to the screen, or anything that you can do from a prompt really using the `shell` command in the ppp.linkdown file.  I have the ppp.linkdown file on my system, but it's empty.


----------

