From: Pat Maddox
To: FreeBSD Questions
Date: Thu, 31 Mar 2005 10:37:04 -0700
Subject: Re: Problem with PF

Sorry, I grabbed pf.conf from the wrong machine. I basically just copied the previous one, made the couple of changes I needed.
The real difference is that there's no UDP in, and not as many TCP ins are allowed:

# ------- pf.conf skeleton for server
#
# --------------- MACRO Section -----------------

EXT_IF="rl0"

PING = "echoreq"

# --- allowed incoming services initiated by clients

TCP_IN = "{ ssh }"
#UDP_IN = "{ }"

# --- allowed services initiated by server

TCP_OUT = "{ ssh, ftp, http, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section

# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE

# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE

# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# ----------------- end of pf.conf

On Thu, 31 Mar 2005 10:30:53 -0700, Pat Maddox wrote:
> FreeBSD 5.3-RELEASE-p5. I'm not sure how to check the pf version.
>
> I just started getting this error a couple of days ago, and I've got
> absolutely no clue why. I don't recall making any significant changes
> to the box.
> Anyway, here's pf.conf:
>
> # ------- pf.conf skeleton for server
> #
> # --------------- MACRO Section -----------------
>
> EXT_IF="fxp0"
>
> PING = "echoreq"
>
> # --- allowed incoming services initiated by clients
>
> TCP_IN = "{ ssh, smtp, ftp, imap, http, 5001, 5002, 5003, 5004, 5005 }"
> UDP_IN = "{ domain }"
>
> # --- allowed services initiated by server
>
> TCP_OUT = "{ ssh, smtp, ftp, http, ntp, 5999 }"
> UDP_OUT = "{ domain, ntp }"
>
> # ------------------ TABLE Section --------------
>
> # ------------------ OPTIONS Section
> set loginterface $EXT_IF
>
> # --------- TRAFFIC NORMALIZATION ----------------
> scrub in all
> # ---------- TRANSLATION Section (NAT/RDR)
>
> # ---------- FILTER section
>
> # --- DEFAULT POLICY
> block log all
>
> # --- LOOPBACK
> pass quick on lo0 all
>
> # ======================= INCOMING ================
> # ----------- EXTERNAL INTERFACE
>
> # --- TCP
> pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port
> $TCP_IN flags S/SA keep state
>
> # --- UDP
> pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port
> $UDP_IN keep state
>
> # --- ICMP
> pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type
> $PING keep state
>
> # ======================= OUTGOING ================
> # ----------- EXTERNAL INTERFACE
>
> # --- TCP
> pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port
> $TCP_OUT flags S/SA keep state
>
> # --- UDP
> pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port
> $UDP_OUT keep state
>
> # --- ICMP
> pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any
> icmp-type $PING keep state
>
> # ----------------- end of pf.conf
>
>
> On Thu, 31 Mar 2005 12:31:13 +0200, Peter N. M. Hansteen wrote:
> > Pat Maddox writes:
> >
> > > I'm trying to set up PF on a server, and when I run pfctl -nf
> > > /etc/pf.conf, I get the following error:
> > > pfctl: ifa_load: pfi_get_ifaces: Bad file descriptor
> >
> > More info is required.
> >
> > Which FreeBSD and PF versions (not all permutations of pf and FreeBSD
> > will work, see the handbook), pf relevant rc.conf lines, your pf.conf,
> > ifconfig output
> >
> > > Google doesn't come up with anything, I've got no clue what that is. Any help?
> >
> > Check your ruleset for obvious errors, such as trying to address a
> > non-existent interface. Then again, this is guesswork based on very
> > little information.
> >
> > --
> > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> > "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
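A check for the cause Peter points at (a ruleset whose EXT_IF macro names an interface the box does not have, which is exactly how the two pf.conf copies above differ: fxp0 versus rl0). This is an added example, not code from the thread; it assumes only POSIX sh and takes the interface list as a plain argument (on FreeBSD, the output of "ifconfig -l") so it can be run without pf loaded.

```shell
#!/bin/sh
# Added example (not from the thread): before running "pfctl -nf",
# confirm that the interface a pf.conf macro names really exists.
# The interface list is passed in as text (on FreeBSD: "$(ifconfig -l)")
# so the check itself needs nothing but POSIX sh.

# Print the value of a pf.conf macro, e.g. EXT_IF="rl0" -> rl0.
# Handles optional spaces around '=', surrounding quotes and a
# trailing '# comment'. Prints nothing if the macro is not defined.
pf_macro_value() {
    conf=$1; name=$2
    line=$(grep -E "^[[:space:]]*${name}[[:space:]]*=" "$conf" | head -n 1)
    val=${line#*=}                 # keep what follows the first '='
    val=${val%%#*}                 # drop a trailing comment
    printf '%s\n' "$val" | tr -d '" \t'
}

# Return 0 if the interface named by EXT_IF is in the given interface
# list, 1 otherwise (with a diagnostic on stderr).
check_pf_if() {
    conf=$1; have_list=$2
    iface=$(pf_macro_value "$conf" EXT_IF)
    if [ -z "$iface" ]; then
        echo "$conf: no EXT_IF macro found" >&2
        return 1
    fi
    for have in $have_list; do
        if [ "$have" = "$iface" ]; then
            return 0
        fi
    done
    echo "$conf: EXT_IF=\"$iface\" but this host only has: $have_list" >&2
    return 1
}

# Constructed sample mirroring the thread: a pf.conf copied from a box
# whose NIC is fxp0, loaded on a box whose interfaces are rl0 and lo0.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# --- MACRO Section' 'EXT_IF="fxp0"' 'PING = "echoreq"' > "$tmp"
    check_pf_if "$tmp" "rl0 lo0"   # reports the mismatch and returns 1
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

On the real host, "check_pf_if /etc/pf.conf "$(ifconfig -l)"" runs the same test against the live ruleset; a non-zero exit is the mismatch to fix before retrying pfctl.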