From nobody@FreeBSD.org  Thu Aug  7 19:41:01 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7609D1065679
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  7 Aug 2008 19:41:01 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 63BAF8FC12
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  7 Aug 2008 19:41:01 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m77Jf1pR028965
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 7 Aug 2008 19:41:01 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m77Jf19D028964;
	Thu, 7 Aug 2008 19:41:01 GMT
	(envelope-from nobody)
Message-Id: <200808071941.m77Jf19D028964@www.freebsd.org>
Date: Thu, 7 Aug 2008 19:41:01 GMT
From: Axel Scheepers <axel@axel.truedestiny.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: PF ruleset doesn't load when it needs to resolve things
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         126348
>Category:       conf
>Synopsis:       [pf] PF ruleset doesn't load when it needs to resolve things
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gavin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 07 19:50:00 UTC 2008
>Closed-Date:    Tue Aug 12 14:12:57 UTC 2008
>Last-Modified:  Tue Aug 12 14:12:57 UTC 2008
>Originator:     Axel Scheepers
>Release:        7.0-STABLE
>Organization:
Claranet Benelux BV
>Environment:
FreeBSD taliesin.thuis.net 7.0-STABLE FreeBSD 7.0-STABLE #1: Thu Aug  7 21:27:44 CEST 2008     axel@taliesin.thuis.net:/usr/obj/usr/src/sys/TALIESIN  i386

>Description:
I recently cleaned up my pf.conf and changed a rule to use a DNS name instead of an IP address; whenever I rebooted, pf was enabled but had an empty ruleset.

>How-To-Repeat:
It should be enough to add a rule with a fqdn and reboot the machine.
>Fix:
Make the rc script order load bind earlier than pf?

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: gavin 
State-Changed-When: Thu Aug 7 20:09:23 UTC 2008 
State-Changed-Why:  
To submitter: Does adding an entry in /etc/hosts for the fqdn 
work as expected? 

With firewalls, there is always a problem as to what order things 
should be brought up.  Ideally the firewall should be up before
any interfaces have been assigned IP addresses, otherwise there 
is a window where the machine is on the network but is unprotected. 
Obviously, however, this means the machine cannot resolve hostnames 
during boot unless they are in /etc/hosts. 


Responsible-Changed-From-To: freebsd-bugs->gavin 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Thu Aug 7 20:09:23 UTC 2008 
Responsible-Changed-Why:  
Track 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126348 

From: Gavin Atkinson <gavin@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/126348: PF ruleset doesn't load when it needs to resolve
	things
Date: Mon, 11 Aug 2008 14:52:50 +0100

 -------- Forwarded Message --------
 From: Axel Scheepers <axel@axel.truedestiny.net>
 To: gavin@FreeBSD.org
 Cc: freebsd-bugs@FreeBSD.org
 Date: Mon, 11 Aug 2008 10:57:13 +0200
 
 gavin@FreeBSD.org wrote:
 > To submitter: Does adding an entry in /etc/hosts for the fqdn
 > work as expected?
 >
 > With firewalls, there is always a problem as to what order things
 > should be brought up.  Ideally the firewall should be up before
 > any interfaces have been assigned IP addresses, otherwise there
 > is a window where the machine is on the network but is unprotected.
 > Obviously, however, this means the machine cannot resolve hostnames
 > during boot unless they are in /etc/hosts.
 >   
 Hello,
 
 
 I've just added the entry to /etc/hosts and can confirm it works.
 
 
 Kind regards,
 
 Axel Scheepers
State-Changed-From-To: feedback->closed 
State-Changed-By: remko 
State-Changed-When: Tue Aug 12 14:12:56 UTC 2008 
State-Changed-Why:  
This is not something that should be in a PR ticket. Packet filters
should be running as soon as the network is available and not a second
later. If you want to do DNS resolving through PF then you can locally
modify the startup scripts to make sure that your DNS is started before
PF. Do note that this is at your own risk. The default is to protect you
as soon as possible. Even though this should not be a PR, thanks for
taking the time to report this and for using FreeBSD, it's appreciated!

http://www.freebsd.org/cgi/query-pr.cgi?pr=126348 
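The check a practitioner would want before relying on the /etc/hosts workaround discussed in this PR, as an added example that is not part of the PR, of pf, or of FreeBSD's rc scripts: a small sh script that lists every hostname a pf.conf uses as a from/to address and reports the ones not pinned in a hosts(5) file. Those are exactly the names that need a working resolver when pfctl loads the ruleset at boot. The sample pf.conf and hosts file are constructed for the demo; the function names pf_hostnames, hosts_names and unpinned_hosts are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD: scan a pf.conf for
# hostnames used as from/to addresses and report those not pinned in a hosts
# file. Unpinned names need DNS when pfctl loads the ruleset, which is the
# boot-order problem described in this PR. All paths and file contents below
# are constructed for the demo.
set -eu

# Constructed pf.conf: $mgmt_host carries a literal address (loads without DNS);
# the other two rules name hosts by FQDN (need DNS or /etc/hosts at load time).
SAMPLE_PF_CONF=$(mktemp)
cat > "$SAMPLE_PF_CONF" <<'EOF'
ext_if = "em0"
mgmt_host = "192.0.2.10"
set skip on lo0
block in all
pass in on $ext_if proto tcp from $mgmt_host to ($ext_if) port 22
pass in on $ext_if proto tcp from monitor.example.net to ($ext_if) port 22
pass out on $ext_if proto udp to ntp.example.net port 123   # not pinned below
EOF

# Constructed hosts file: only monitor.example.net is pinned.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
192.0.2.20  monitor.example.net monitor
EOF
trap 'rm -f "$SAMPLE_PF_CONF" "$SAMPLE_HOSTS"' EXIT

# pf_hostnames FILE: print, sorted and unique, each hostname that follows
# "from" or "to" in FILE. A hostname here is a token of letters, digits, dots
# and dashes containing at least one letter and one dot; macros ($name),
# interfaces in parentheses, tables (<name>), "any" and dotted-quad literals
# are skipped. Only the single token after from/to is examined, so brace
# lists ({ a, b }) are not expanded.
pf_hostnames() {
    sed -e 's/#.*//' "$1" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "from" || $i == "to") print $(i + 1) }' |
    grep -E '^[A-Za-z0-9.-]+$' |
    grep -E '[A-Za-z]' |
    grep -F '.' |
    sort -u
}

# hosts_names FILE: print every name (all fields after the address) in a
# hosts(5) file, comments removed.
hosts_names() {
    sed -e 's/#.*//' "$1" |
    awk 'NF > 1 { for (i = 2; i <= NF; i++) print $i }'
}

# unpinned_hosts PFCONF HOSTS: print hostnames referenced in PFCONF that are
# absent from HOSTS. Returns 1 if any were printed, so it can gate a reload.
unpinned_hosts() {
    rc=0
    for h in $(pf_hostnames "$1"); do
        if ! hosts_names "$2" | grep -qxF "$h"; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Demo: with the constructed files this prints ntp.example.net and returns 1.
if unpinned_hosts "$SAMPLE_PF_CONF" "$SAMPLE_HOSTS"; then
    echo "every hostname in $SAMPLE_PF_CONF is pinned in $SAMPLE_HOSTS"
else
    echo "the names above are not pinned; loading this ruleset needs working DNS"
fi
```

Run against the real files as "unpinned_hosts /etc/pf.conf /etc/hosts" and fix each reported name either by adding it to /etc/hosts or by replacing it with a macro holding the literal address, as the $mgmt_host rule does; "pfctl -nf /etc/pf.conf" then parses the ruleset without loading it and will show the same names failing to resolve when run with the resolver unreachable. Pinning keeps the ordering gavin and remko describe intact, with pf up before the interfaces carry addresses, which reordering the rc scripts to start named first would not.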
>Unformatted:
