From: Pat Maddox
To: freebsd-pf@freebsd.org
Date: Thu, 31 Mar 2005 16:41:37 -0700
Subject: Re: Problem with PF

It looks like the error happens as soon as I reference an interface.
Even if I just make my config file:

pass quick on lo0 all

I get the error. So something's messed up...I've just got no idea what.

Here are the results of ifconfig, to hopefully provide some more info:

rl0: flags=8843 mtu 1500
        options=8
        inet 69.61.54.162 netmask 0xfffffff8 broadcast 69.61.54.167
        inet6 fe80::20c:6eff:fe44:4391%rl0 prefixlen 64 scopeid 0x1
        ether 00:0c:6e:44:43:91
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2

On Thu, 31 Mar 2005 15:54:22 -0700, Pat Maddox wrote:
> I just got a new server with FreeBSD 5.3 installed, tried to set up
> PF, and am getting an error when I try to parse the file. I updated
> to patch release 6, hoping that might solve things, but I still get
> the error. Here's the error itself:
>
> pfctl: ifa_load: pfi_get_ifaces: Bad file descriptor
>
> And now for pf.conf:
>
> # ------- pf.conf skeleton for server
> #
> # --------------- MACRO Section -----------------
>
> EXT_IF="rl0"
>
> PING = "echoreq"
>
> # --- allowed incoming services initiated by clients
>
> TCP_IN = "{ ssh }"
> #UDP_IN = "{ }"
>
> # --- allowed services initiated by server
>
> TCP_OUT = "{ ssh, ftp, http, ntp, 5999 }"
> UDP_OUT = "{ domain, ntp }"
>
> # ------------------ TABLE Section --------------
>
> # ------------------ OPTIONS Section
> set loginterface $EXT_IF
>
> # --------- TRAFFIC NORMALIZATION ----------------
> scrub in all
> # ---------- TRANSLATION Section (NAT/RDR)
>
> # ---------- FILTER section
>
> # --- DEFAULT POLICY
> block log all
>
> # --- LOOPBACK
> pass quick on lo0 all
>
> # ======================= INCOMING ================
> # ----------- EXTERNAL INTERFACE
>
> # --- TCP
> pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port
> $TCP_IN flags S/SA keep state
>
> # --- UDP
> #pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port
> $UDP_IN keep state
>
> # --- ICMP
> pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type
> $PING keep state
>
> # ======================= OUTGOING ================
> # ----------- EXTERNAL INTERFACE
>
> # --- TCP
> pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port
> $TCP_OUT flags S/SA keep state
>
> # --- UDP
> pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port
> $UDP_OUT keep state
>
> # --- ICMP
> pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any
> icmp-type $PING keep state
>
> # ----------------- end of pf.conf
>