Jason Dixon wrote:
> Ok, this is an odd one. I just finished upgrading a firewall from 3.6
> to 3.7-release using the tarballs. After completing everything as per
> the upgrade guide, I noticed a syntax error reported by pfctl during
> boot. However, I can login and enable PF manually without any errors.
> "pfctl -nf" reports no syntax problems. Everything else works fine.
>
> I don't have a serial on this system yet, but I'll be going back next
> Monday if this hasn't been resolved by then. Any ideas what might
> cause pfctl to report an error at boot but not when run manually? It
> almost sounds like one of the rc scripts is broken, but I copied over
> all of the relevant scripts as per the FAQ
> (http://www.openbsd.org/faq/upgrade37.html)
One obvious (i.e., I've made it :) error that will do as you describe is to filter using a name rather than an IP address, before DNS resolution is set up properly. No pf.conf file, so no idea if I'm barking up the right tree...

Hmm. Might be possible to do a typo in such a way that with DNS, it might resolve to an address, and without, it is an error. Probably wouldn't work as desired, but that may have been unnoticed. Or maybe I shouldn't speculate when over-tired.

I presume you are not able to read the error message due to it scrolling off the screen? In addition to the "Syntax error" message, there should be a line number... that will tell all, I suspect.

If that doesn't work, modifying the /etc/rc file to redirect stderr on the pfctl lines might tell something... check the modification date on it before editing, make sure it really got updated as you thought it was...

Nick.
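An added example, not part of the thread, that puts Nick's two suggestions into a script: it scans a ruleset for dotted tokens that look like hostnames (which pfctl would have to resolve via DNS when the rules load at boot), and it wraps the ruleset load so stderr, including the line number in any "syntax error" message, is appended to a log instead of scrolling off the console. The pf.conf contents are a constructed sample embedded inline so the check runs offline; the log path and function names are my own choices, not anything from /etc/rc.

```shell
#!/bin/sh
# Added example (not from the original thread). Constructed sample ruleset:
# one rule filters on a hostname, the rest use addresses or interfaces.
PF_SAMPLE='# constructed sample pf.conf
ext_if = "fxp0"
webserver = "www.example.org"
block in all
pass in on $ext_if proto tcp from any to $webserver port 80
pass in on $ext_if proto tcp from 192.0.2.10 to 198.51.100.5 port 22
pass out on $ext_if from 10.0.0.0/8 to any
'

# Print, one per line, the tokens in a ruleset that look like DNS names:
# dotted labels that are not bare IPv4 addresses. Macros ($foo), CIDR
# ranges (with a slash) and interface names never contain a dot, so they
# drop out of the first grep. Comments are stripped first.
find_hostnames() {
    printf '%s\n' "$1" |
    sed 's/#.*//' |
    tr -s ' \t"=' '\n\n\n\n' |
    grep -E '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$' |
    grep -vE '^[0-9.]+$' |
    sort -u
}

# Load a ruleset with stderr appended to a log file, so a boot-time
# "syntax error" and its line number survive long enough to be read.
# This mirrors Nick's suggestion for the pfctl lines in /etc/rc; the
# default log path is an assumption of this example.
load_ruleset_logged() {
    conf=$1
    log=${2:-/var/log/pf-boot.log}
    pfctl -f "$conf" 2>>"$log"
}

# Stand-alone run: list the names the sample ruleset depends on.
find_hostnames "$PF_SAMPLE"
```

Any name printed by find_hostnames is a candidate for replacement with a literal address (or a table populated after the network is up), since it is the only part of the ruleset whose validity depends on the resolver being available when pfctl runs.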

