PF Why my pf would not load on boot

[Eric A. Borisch]

Total head-smacker, but for posterity (and for the next poor sap googling "pf won't start at boot")

Do not use hostnames in your pf.conf or any tables loaded by your configuration. While it is not invalid, and will work just fine with a pfctl -nf /etc/pf.conf check of the syntax or a pfctl -f /etc/pf.conf reload of the rules, it will fail hard at boot (since name resolution isn't available yet) and completely abort loading any rules.

Worse yet, the failure announcement only appears (at least on my setup) on the console, and never makes it into any logs.

 

[kpa]

Replicate the host names that you use in your rules to /etc/hosts and your rules will load on boot. You then have a minor inconvinience to update /etc/hosts when you change your local IPs but that's not a big deal.

 

[VladiBG]

What's the point to write a static hosts when you can just add the same ip addresses in the pf.conf ?

There's several other forum threads about that:
https://forums.freebsd.org/threads/pf-and-name-resolving.15660/

In short you can reload your pf after your dns can be reached and it will load the rules.

 

[Eric A. Borisch]

Replicate the host names that you use in your rules to /etc/hosts and your rules will load on boot. You then have a minor inconvinience to update /etc/hosts when you change your local IPs but that's not a big deal.

Absolutely that’s a way to fix it; I was just recording for others a frustating failure mode. Since no errors were recorded in /var/log/messages (or dmesg) and reloading it (after boot) works fine, you’re left pulling your (nonexistent for me) hair out trying to figure out why it won’t start at boot.

 

[`Orum]

What I do to "solve" the problem is load 3 different rulesets, in order. First I load one ruleset that has no hostnames whatsoever in it, but gets the basics up and running and at least ensures that it's not lacking a firewall if nothing else loads. Then I load a ruleset that includes hosts that can be answered by DNS on the local network. Finally I try and load a ruleset that requires Internet DNS resolution. If any one of them fails to load, you just have the next-highest ruleset already loaded.

Of course to do this you need to write your own rc.d script, heavily edit the base one, or just use rc.local (which is what I do, especially since some times local DNS is running on the machine trying to load the rules; see this post).

Edit: One could also add a forth stage, using only names resolvable by the /etc/hosts file, and put that between the first and second rulesets, but I don't use the hosts file for anything other than localhost. In general I think the practice of adding other hosts to it should be discouraged.