Date:      Thu, 31 Mar 2005 10:37:04 -0700
From:      Pat Maddox <pergesu@gmail.com>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Problem with PF
Message-ID:  <810a540e050331093741229857@mail.gmail.com>
In-Reply-To: <810a540e05033109303d0d2ba4@mail.gmail.com>
References:  <810a540e05033019208b6f7b2@mail.gmail.com> <86ekdwhzta.fsf@amidala.datadok.no> <810a540e05033109303d0d2ba4@mail.gmail.com>

Sorry, I grabbed pf.conf from the wrong machine.  I basically just
copied the previous one and made the couple of changes I needed.  The real
difference is that there's no UDP in, and not as many TCP ins are
allowed:

# ------- pf.conf skeleton for server
#
# --------------- MACRO Section  -----------------

EXT_IF="rl0"

PING = "echoreq"

# --- allowed incoming services initiated by clients

TCP_IN = "{ ssh }"
#UDP_IN = "{  }"

# --- allowed services initiated by server

TCP_OUT = "{ ssh, ftp, http, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section

# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE

# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE

# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# ----------------- end of pf.conf



On Thu, 31 Mar 2005 10:30:53 -0700, Pat Maddox <pergesu@gmail.com> wrote:
> FreeBSD 5.3-RELEASE-p5.  I'm not sure how to check the pf version.
> 
> I just started getting this error a couple days ago, and I've got
> absolutely no clue why.  I don't recall making any significant changes
> to the box.  Anyway, here's pf.conf:
> 
> # ------- pf.conf skeleton for server
> #
> # --------------- MACRO Section  -----------------
> 
> EXT_IF="fxp0"
> 
> PING = "echoreq"
> 
> # --- allowed incoming services initiated by clients
> 
> TCP_IN = "{ ssh, smtp, ftp, imap, http, 5001, 5002, 5003, 5004, 5005 }"
> UDP_IN = "{ domain }"
> 
> # --- allowed services initiated by server
> 
> TCP_OUT = "{ ssh, smtp, ftp, http, ntp, 5999 }"
> UDP_OUT = "{ domain, ntp }"
> 
> # ------------------ TABLE Section --------------
> 
> # ------------------ OPTIONS Section
> set loginterface $EXT_IF
> 
> # --------- TRAFFIC NORMALIZATION ----------------
> scrub in all
> # ---------- TRANSLATION Section (NAT/RDR)
> 
> # ---------- FILTER section
> 
> # --- DEFAULT POLICY
> block log all
> 
> # --- LOOPBACK
> pass quick on lo0 all
> 
> # ======================= INCOMING ================
> # ----------- EXTERNAL INTERFACE
> 
> # --- TCP
> pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
> 
> # --- UDP
> pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state
> 
> # --- ICMP
> pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state
> 
> # ======================= OUTGOING ================
> # ----------- EXTERNAL INTERFACE
> 
> # --- TCP
> pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state
> 
> # --- UDP
> pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state
> 
> # --- ICMP
> pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state
> 
> # ----------------- end of pf.conf
> 
> 
> On Thu, 31 Mar 2005 12:31:13 +0200, Peter N. M. Hansteen
> <peter@bgnett.no> wrote:
> > Pat Maddox <pergesu@gmail.com> writes:
> >
> > > I'm trying to set up PF on a server, and when I run pfctl -nf
> > > /etc/pf.conf, I get the following error:
> > > pfctl: ifa_load: pfi_get_ifaces: Bad file descriptor
> >
> > More info is required.
> >
> > Which FreeBSD and PF versions (not all permutations of pf and FreeBSD
> > will work, see the handbook), pf relevant rc.conf lines, your pf.conf,
> > ifconfig output
> >
> > > Google doesn't come up with anything, I've got no clue what that is.  Any help?
> >
> > Check your ruleset for obvious errors, such as trying to address a
> > non-existent interface. Then again, this is guesswork based on very
> > little information.
> >
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> > "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?810a540e050331093741229857>