# PF flags at boot time



## Seeker (Aug 7, 2009)

```
pf_enable="YES"
#Remove each blacklisted IP after 24 hours
pf_flags="-t ssh_bruteforcers -T expire 86400"
pflog_enable="YES"
```
in /etc/rc.conf
results in:

```
Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
usage: pfctl [-AdeghmNnOqRrvz]
[-a anchor] [-D macro=value] [-F modifier]
        [-f file] [-i interface] [-K host | network]
[-k host | network ]
        [-o [level]] [-p device] [-s modifier ]
        [-t table -T command [address ...]] [-x level]
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
```
at boot time, with *NO rules loaded* from /etc/pf.conf, and NO logging occurs.

What am I doing wrong with pf_flags??
Now they are commented out and all is well.


----------



## DutchDaemon (Aug 7, 2009)

I guess those pf_flags take a limited set of flags, having to do with what to load (like: only the NAT rules) or what device to use (like the -p flag). The tables may not even be initialised by that time.

If you want to run that pfctl command at boot-time, put it in root's crontab at the '@reboot' time.


----------



## Seeker (Aug 7, 2009)

DutchDaemon said:

> I guess those pf_flags take a limited set of flags, having to do with what to load (like: only the NAT rules) or what device to use (like the -p flag). The tables may not even be initialised by that time.




```
pf_flags	 (str) If pf_enable is set to ``YES'', these flags are passed
		 to the pfctl(8) program when loading the ruleset.
```
This indicates that *all flags* mentioned in the _man page_ for the pfctl command can be passed to it.

But why, then, couldn't I find a special alert and a list of allowed flags for _pf_flags_ in rc.conf??

That is very strange!
Do you know where that list is? Link?



			
				DutchDaemon said:
			
		

> If you want to run that pfctl command at boot-time, put it in root's crontab at the '@reboot' time.



That shall be the last solution if _pf_flags_ fails.


----------



## DutchDaemon (Aug 7, 2009)

If you look in the actual start-up file for pf (/etc/rc.d/pf) you will see that only a select set of flags is actually valid on the command line:

```
pf_program -f "$pf_rules" $pf_flags
```
which usually translates to
```
/sbin/pfctl -f /etc/pf.conf -otherflags
```

The *-t* flag is totally out of place there, so it throws an error.

In other words: only flags that make sense when loading the ruleset together with the *-f* flag (like -d, probably) are honoured here. 

I admit that the description in /etc/defaults/rc.conf leaves a lot to be desired.
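
The check below is an added example, not code from the thread or from FreeBSD's own /etc/rc.d/pf: it reproduces the command line rc.d/pf assembles (`pf_program -f "$pf_rules" $pf_flags`), rejects a pf_flags value that contains a stand-alone pfctl action before it ever reaches /etc/rc.conf, and prints the root crontab line that carries the table expiry instead. The list in `STANDALONE_FLAGS` (table, flush and kill options that select their own action in the pfctl usage synopsis) and the `cron_entry` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's /etc/rc.d/pf.
# Mimics how rc.d/pf builds its pfctl command line and vets a candidate
# pf_flags value, so a flag that only makes sense as a stand-alone pfctl
# action cannot silently leave the host with no ruleset at boot.

# Assumption: these options select an action of their own in the pfctl(8)
# synopsis (table commands, flush, kill) and therefore clash with "-f file".
STANDALONE_FLAGS="-t -T -F -k -K"

# build_pf_cmd RULES FLAGS
# Echo the command rc.d/pf would run: pf_program -f "$pf_rules" $pf_flags
build_pf_cmd() {
    printf '/sbin/pfctl -f %s%s\n' "$1" "${2:+ $2}"
}

# check_pf_flags FLAGS
# Return 0 if every word is acceptable alongside -f, 1 on the first clash.
check_pf_flags() {
    set -- $1                     # split the flags string into words
    for word; do
        for bad in $STANDALONE_FLAGS; do
            if [ "$word" = "$bad" ]; then
                echo "pf_flags: '$word' is a stand-alone pfctl action, not a load-time flag" >&2
                return 1
            fi
        done
    done
    return 0
}

# cron_entry SCHEDULE TABLE SECONDS (hypothetical helper)
# The root crontab line for the table expiry that does not belong in pf_flags.
cron_entry() {
    printf '%s /sbin/pfctl -t %s -T expire %s\n' "$1" "$2" "$3"
}

# Demonstration on the values from the thread.
if check_pf_flags "-t ssh_bruteforcers -T expire 86400"; then
    echo "unexpected: flags accepted"
else
    echo "instead, add to root's crontab:"
    cron_entry '@reboot' ssh_bruteforcers 86400
fi
# A load-time flag such as -q (quiet) passes and yields the usual command.
build_pf_cmd /etc/pf.conf "-q"
```

Running it with the thread's value prints the reason the ruleset load would fail and the `@reboot` crontab line; with `-q` it shows the command rc.d/pf would actually execute. A practitioner would run this before editing rc.conf, since the boot-time usage error leaves pf enabled but empty, exactly the state the first post describes.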


----------



## Seeker (Aug 7, 2009)

Thanks for the explanation.
I'll go for cron's @reboot feature.



			
				DutchDaemon said:
			
		

> I admit that the description in /etc/defaults/rc.conf leaves a lot to be desired.



Well, this is security-related software that is integrated in FB.
So this flaw cannot be tolerated, as it can be for ports, etc.

My firewall was down because of this for 18 hours.

Now I have fun breaking my head over whether my system is compromised or not.


----------

