[Fwd: Re: pf do not load on snapshot 20050106]
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: [Fwd: Re: pf do not load on snapshot 20050106]
- From: Nick Holland <nick_(_at_)_holland-consulting_(_dot_)_net>
- Date: Tue, 08 Feb 2005 15:46:04 -0500
oops. shoulda gone to list...
Per Engelbrecht wrote:
...
> $ sudo pfctl -e
> $ sudo pfctl -f /etc/pf.conf
> $ sudo pfctl -s rules
> $
>
> .. nothing happens. Really.
ok... the -f can be silent if everything is good.
the -s rules can be silent (if nothing loaded).
the -e? That should NEVER be "silent":
/usr/src $ pfctl -e
pfctl: /dev/pf: Permission denied
/usr/src $ sudo pfctl -e
pfctl: pf already enabled
/usr/src $ sudo pfctl -e
pfctl: pf already enabled
/usr/src $ sudo pfctl -d
pf disabled
/usr/src $ sudo pfctl -d
pfctl: pf not enabled
/usr/src $ sudo pfctl -e
pf enabled
-e and -d always give some kinda message.
SOMETHING ain't right.
Look at what you are running for pfctl -- "which pfctl" might be
interesting to make sure it really is what you think it is.
>>
>>
>>>A 'pfctl -s rules' does not give/say anything ??
>>
>>
>> if you haven't loaded the rules (as shown above), true.
>>
>> If you are manually starting PF, it requires two steps, enabling and
>> loading. Either can be done without the other. Enable with no rules,
>> default "pass all" takes effect. Load rules without enabling, you get
>> to see if your rules load nicely, but no action takes place.
>
> Even without manual 'enable' and 'load', a reboot should still 'enable'
> and 'load' according to /etc/rc.conf.local and /etc/pf.conf (normal
> behavior) ... but it does not load anything.
well, that's assuming the upgrade went right. Keep in mind, none of the
scripts in /etc are upgraded automatically -- if there is a change in
something that keeps pfctl from running and the new scripts aren't
copied in place, nothing good happens.
>>
>>
>>>Yes I've checked net.inet.ip.forwarding=1 in /etc/sysctl.conf and pf=YES
>>>in /etc/rc.conf.local and I have absolutely no warnings, errors or the
>>>like, anywhere.
>>
>>
>> unfortunately, your statements below indicate to me you are looking in
>> the wrong places, so I'm not going to believe you yet.
>>
>>
>>>I've done this exercise a billion times before (another snap though) on
>>>just as many boxes (almost) and without any problems.
>>>'dmesg' and 'dmesg.boot' are both happy campers, but without any
>>>mention of pf whatsoever.
>>>
>>>Any ideas ?
>>
>>
>> Sounds like either a misunderstanding on your part or maybe an improper
>> upgrade (i.e., didn't properly upgrade the /etc/ files).
>
> I'll choose the latter. The working pf.conf was saved as pf.conf.LIVE
> before upgrade and then renamed again after upgrade, back to pf.conf
> (owner/rights are root:wheel 600)
was this an UPGRADE or a REINSTALL?
(upgrade: boot media, choose upgrade, skip formatting disk, install
every set other than etc36.tgz. (re)Install: boot media, choose install,
partition and format disk, install everything including etc36.tgz, etc.)
Reinstall and copy over your old pf.conf should work fine.
upgrade, you shouldn't need to copy over your old pf.conf
>>
>> If you really believe it isn't that, provide a much better report, and
>> watch for messages during boot (these are never logged in dmesg).
>
> I know this is little to 'work' on (sorry) but the servers and I are at
> a different location when I first wrote and still are for that matter
> i.e. I can't provide rc.conf.local / pf.conf / 'pfctl -s all' or
> anything else. I took them down until solved to be on the safe side.
>
> 'pf enabled' normally shows up on boot.
> On these two boxes it does not. This would normally tell me that pf=YES
> in rc.conf.local was not set, but it is!
hm. Scary.
That "pf enabled" message comes out of pfctl, not the rc scripts.
At this point, unless we are really miscommunicating somewhere along
the line, focus on that one problem..forget the rules not loading...pf
isn't even being enabled...and apparently, pfctl isn't working from a
command prompt either!
Verify that you are running /sbin/pfctl, that it has the right date, and
you aren't seeing core files lying around, and if so, I've gotta do a st
install of a snap.
> Besides my *dough*_I_should_be_more_detailed_when_posting_this, then
> there's nothing on the system that indicates why.
>
> I'll post rc.conf.local + pf.conf a.s.a.p
> what else would you like to see ?
As indicated, just look at why pfctl is not working at all
(apparently). AFTER THAT is resolved..then we can worry about the other
stuff. :)
Nick.
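
The checks suggested in the message above, as an added example that is not part of the original post: it classifies the output of `pfctl -e`/`-d` using only the messages shown in the transcript (empty output is the anomaly) and flags a `pfctl` that does not resolve to `/sbin/pfctl` or that has `*.core` files nearby. The function names and result labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and result labels are illustrative assumptions.

# classify_pfctl_toggle OUTPUT
# OUTPUT is the combined stdout+stderr of "pfctl -e" or "pfctl -d".
# Strings matched are the ones shown in the transcript on this page.
classify_pfctl_toggle() {
    case "$1" in
        "")                                  echo silent ;;  # -e/-d should never be silent
        *"Permission denied"*)               echo noperm ;;  # not root, cannot open /dev/pf
        *"already enabled"*|*"not enabled"*) echo noop ;;    # state was already as requested
        "pf enabled"*|"pf disabled"*)        echo ok ;;      # state changed
        *)                                   echo unknown ;; # something else answered
    esac
}

# check_pfctl_binary RESOLVED_PATH [DIR]
# Prints one finding per line; returns 0 only when nothing looks off.
check_pfctl_binary() {
    resolved=$1
    coredir=${2:-.}
    rc=0
    if [ "$resolved" != "/sbin/pfctl" ]; then
        echo "unexpected-path:$resolved"    # a wrapper or stray copy earlier in PATH
        rc=1
    fi
    for f in "$coredir"/*.core; do          # OpenBSD names core dumps <program>.core
        [ -e "$f" ] || continue             # glob matched nothing
        echo "core-file:$f"
        rc=1
    done
    return "$rc"
}

# Read-only live check: runs only where pfctl is installed and changes no pf state.
if p=$(command -v pfctl 2>/dev/null); then
    check_pfctl_binary "$p" . || echo "pfctl needs a closer look" >&2
    ls -l "$p"                              # compare the date with the snapshot's
fi
# To classify a toggle by hand: classify_pfctl_toggle "$(sudo pfctl -e 2>&1)"
```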