6th September 2013
inversebit
Default pf ruleset at boot and PPPoE

I'm using kernel pppoe for my internet interface and my pf.conf contains the rules for the pppoe0 interface (amongst others); however, on boot this ruleset is not loaded and a very restrictive default set is loaded instead:

Code:
FILTER RULES:
block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass out inet proto icmp all icmp-type echoreq
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in proto tcp from any to any port = 22 flags S/SA
pass on lo0 all flags S/SA
pass proto carp all keep state (no-sync)
No queue in use

The ppp interface comes up correctly at boot but I need to reload the rules manually from pf.conf to get things working - I assume my ruleset is not getting loaded as pf is started before the ppp interface is up and contains invalid rules at this point.

My questions are:

1) Is it possible to see the pf errors on boot? There seems to be nothing in the logs or console about pf not loading correctly.

2) Is it possible to change the default rules or would I need to define a restricted pf.conf and then load the full 'ppp' pf.conf once the interface is up? If so, how would you recommend I load the rules once the interface is up - ifstated maybe?

Kernel pppoe to ISP seems like a common enough scenario but I can't find other reports of similar issues.

OpenBSD 5.2 GENERIC#278 i386