Date: Wed, 09 Jul 2008 20:29:21 +0200
From: Leslie Jensen <leslie@eskk.nu>
To: freebsd-pf@freebsd.org
Subject: New pf install on Freebsd7 seem to be a slow starter.
Message-ID: <48750381.1030004@eskk.nu>

Hello

When I boot the machine where pf is installed, everything I can see looks ok. It's hard to read the text scrolling on the screen and the information concerning pf is not to be found in /var/log/messages.

Anyway, I have one PC on the inside and it takes some time before it's able to reach the outside world. I can speed up the process by making a change to pf.conf and then using the command pfctl -f /etc/pf.conf.

Another thing I see is that, for example, I add log (all) to one of my filters and do pfctl -f /etc/pf.conf, then later I remove it again and do pfctl -f /etc/pf.conf. The output from tcpdump -n -e -ttt -i pflog0 still shows packages as if it had not refreshed and still has the "log (all)" active.

I know my problem is a little bit unclear but I hope someone will help me solve this behaviour in the right way.

Thanks
/Leslie

----------- My pf.conf --------------------
# macros
int_if="xl0"
ext_if="bfe0"
tcp_services="{ 22 }"
tcp_priv_services="{ 389, 443 }"
icmp_types="echoreq"

# tables
table <goodguys> { something.somewhere.com, somethingelse.somewhere.com, xxx.yyy.zzz.qqq }

# options
set block-policy return
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log (all) on $ext_if
pass out keep state

# Let the goodguys access the machine from the outside
pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
    port $tcp_services flags S/SA keep state

# ICMP traffic needs to be passed:
pass inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in quick on $int_if
--------------------------------------------