From: "Vadym Chepkov"
To: "Gavin Spomer"
Date: Tue, 29 Jan 2008 15:06:43 -0500
Cc: freebsd-pf@freebsd.org
Subject: Re: How does /dev/pf get created?

Gavin,

I have never had to do anything like this and nevertheless I have /dev/pf. I have pf compiled into the kernel, so I wouldn't blame it on "must be module" either.

Could you send me, please, the following files? I would really like to understand the problem.

- KERNEL config
- /etc/make.conf
- /etc/rc.conf
- /etc/fstab
- /boot/loader.conf

Thanks

Sincerely,
Vadym Chepkov

----- Original Message -----
From: "Gavin Spomer"
To:
Sent: Tuesday, January 29, 2008 12:23 PM
Subject: Re: How does /dev/pf get created?

>>> David DeSimone 01/28/08 3:50 PM >>>
Gavin Spomer wrote:
>
> Although it was new to me, a couple of quick glances at man pages and
> experiments produced a /dev/pf for me.

Can you tell us what it was that you changed? Someone else may need to know, someday.

You're absolutely right. I guess I forgot my obligation in my excitement to go home yesterday. ;) Here's what I did:

1. cp /etc/defaults/devfs.rules /etc/
2. chmod u+w /etc/devfs.rules
3. vi /etc/devfs.rules: Added "add path pf unhide" to the [devfsrules_unhide_basic=2] ruleset
4. vi /etc/devfs.conf: Added "own pf root:wheel" and "perm pf 0660". *
5. shutdown -r now

* I don't know if my permissions/ownerships for /dev/pf are correct, but I looked at other devices and made a guess. Anyone know what they're supposed to be?
Just noticed I don't have pflog or pfsync devices either, so I guess I'll create those too.

> One thing I really dig so far about pf versus the firewall I use on my
> SuSE machines (iptables), is that I don't have to reboot for changes
> to take effect. Way happy about that! :)

It has been a while since I worked with iptables, but I have NEVER had to reboot in order to make changes to it. That is just bizarre!

I never took the time to actually write my own iptables rules, but SuSE has a built-in mechanism that simplified it: SuSEfirewall2. Basically you just have a fairly simple config file to edit and SuSEconfig writes the rules for you. In the O'Reilly book Linux Server Security (2nd Edition), it says "... all you do is edit the file /etc/sysconfig/SUSEfirewall2 (in earlier versions of SUSE, /etc/rc.conf.d/firewall2.rc.config), run SUSEconfig, and reboot". So I've been doing it that way ever since. But after a quick Googling, it seems that maybe I don't have to reboot and can just run "/sbin/rcSuSEfirewall2 restart". Just an example of one of the times I wasn't very thorough in investigating something. ;)

- Gavin
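
As an added example (not part of the original messages), this sh script checks the two edits from steps 3 and 4 above: whether the named ruleset in devfs.rules unhides the node, and which owner and mode devfs.conf assigns, reporting whether users outside the owner and group get any access. The function names and the sample file contents are constructed for illustration.

```shell
# Added example: check the devfs.rules and devfs.conf edits described above.

# Succeeds if ruleset $2 in devfs.rules file $1 has "add path $3 unhide".
ruleset_unhides() {
    awk -v want="$2" -v dev="$3" '
        { sub(/#.*/, "") }                      # drop comments
        /^\[/ {                                 # "[name=number]" section header
            name = $0
            sub(/^\[/, "", name); sub(/=.*/, "", name); sub(/\].*/, "", name)
            insec = (name == want); next
        }
        insec && $1 == "add" && $2 == "path" && $3 == dev && $4 == "unhide" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Prints "<dev> owner=<user:group|-> mode=<octal|-> other=<none|allowed|unknown>"
# from the own/perm directives for device $2 in devfs.conf file $1.
audit_devfs_node() {
    awk -v dev="$2" '
        { sub(/#.*/, "") }
        $1 == "own"  && $2 == dev { owner = $3 }
        $1 == "perm" && $2 == dev { mode = $3 }
        END {
            other = "unknown"                   # no perm line: mode not set here
            if (mode != "") other = (substr(mode, length(mode)) + 0 == 0) ? "none" : "allowed"
            printf "%s owner=%s mode=%s other=%s\n", dev,
                (owner == "" ? "-" : owner), (mode == "" ? "-" : mode), other
        }' "$1"
}

# Constructed sample files mirroring steps 3 and 4 (not taken from a real host).
write_samples() {
    cat > "$1/devfs.rules" <<'EOF'
[devfsrules_hide_all=1]
add hide
[devfsrules_unhide_basic=2]
add path null unhide
add path pf unhide
EOF
    cat > "$1/devfs.conf" <<'EOF'
own   pf  root:wheel
perm  pf  0660
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
ruleset_unhides "$tmp/devfs.rules" devfsrules_unhide_basic pf && echo "pf is unhidden"
audit_devfs_node "$tmp/devfs.conf" pf
rm -rf "$tmp"
```

On a real host, point the functions at /etc/devfs.rules and /etc/devfs.conf and compare the result with `ls -l /dev/pf` after the rules have been applied.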