I was just following the docs on netbsd.org.  :)
http://www.netbsd.org/Documentation/network/pf.html

The BEFORENET thing seems to have done the trick.  (I'm using one-big
/, so all of those other problems don't affect me.)

Should I keep pf_boot=3DYES in rc.conf as well?

On 2/14/06, Peter Postma <peter@pointless.nl> wrote:
> Jeremy C. Reed wrote:
> > On Mon, 13 Feb 2006, matthew sporleder wrote:
> >
> >>> What does your /etc/lkm.conf contain?
> >> /usr/lkm/pf.o   -               -               -               -
> >>          AFTERMOUNT
> >
> >
> > That appears to be part of the problem.
> >
> > AFTERMOUNT is done by lkm3 rc.d script and is after pf.
> >
>
> Indeed, this is a problem.
>
> Matthew, can you try replacing AFTERMOUNT with BEFORENET ?
> That should solve your problem. This will not work when /usr is mounted
> via the network, but I can't think of a better solution now.
>
> > The kernel modules are on /usr which is not loaded until the networking=
 is
> > all started up. But pf is ordered before the networking.
> >
> > current-users: Why are the kernel modules located in /usr? It seems lik=
e
> > /lkm would be better. (Disk space issue?)
> >
>
> Good question. AFAIK FreeBSD has the modules also in the root file
> system (i believe is was /modules). Maybe we should do this too.
>
> Peter Postma
>