Date:      Mon, 15 Dec 2014 10:55:58 +0000 (UTC)
From:      Laszlo Danielisz <laszlo.danielisz@yahoo.com>
To:        Ask Bjørn Hansen <ask@develooper.com>,  "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: pfctl: DIOCADDRULE: Operation not supported by device
Message-ID:  <2145096021.191695.1418640958794.JavaMail.yahoo@jws106147.mail.bf1.yahoo.com>
In-Reply-To: <EE9008FF-6507-4796-B251-F599A04DAA10@develooper.com>
References:  <28FA3DD9-0B7D-4C41-831D-D12DCB4BAB69@develooper.com> <EE9008FF-6507-4796-B251-F599A04DAA10@develooper.com>

Hi,
What do you mean by "clean rc.conf"? I'm facing this issue as well: pfctl: DIOCGETRULES: Permission denied using 10.1-RELEASE.
Thank you!

On Thursday, November 24, 2011 9:16 AM, Ask Bjørn Hansen <ask@develooper.com> wrote:

On Nov 23, 2011, at 17:02, Ask Bjørn Hansen wrote:

> Hi everyone,
>
> After upgrading to 9.0 my NanoBSD images stopped supporting pf. I get errors like:
>
> pfctl: DIOCGETRULES: Permission denied
> pfctl: DIOCADDRULE: Operation not supported by device


Hmpfr - booting with a clean rc.conf (and a slightly newer build) it works fine. I wonder if my /usr/src was out of date in some spectacular way when I made the first build.


Ask
From owner-freebsd-pf@FreeBSD.ORG  Tue Dec 16 13:10:38 2014
Date: Tue, 16 Dec 2014 14:10:28 +0100 (CET)
From: Richard Kojedzinszky <krichy@cflinux.hu>
To: freebsd-pf@freebsd.org
Subject: synproxy on out rule
Message-ID: <alpine.BSF.2.00.1412161407270.92974@pi.nmdps.net>

Dear pf gurus,

I am going to setup a redundant pf+carp setup as described, and found that 
with my simple pf.conf the tcp sessions are not proxied well with pf. I am 
using bsd router project, which is freebsd based. My simple pf.conf:

---
scrub all

set skip on {lo0, re0}

#pass in quick on { re0 }

pass out quick proto {icmp, icmp6, ospf}

pass quick on { re2 } keep state (no-sync)

pass quick on { re1 } proto carp keep state (no-sync)

anchor out quick on { re1 } {
     pass quick proto tcp from any to any port {22, 5001} synproxy state
     block drop log
}
---

If I reorder the rules so that the synproxy state line matches on an "in" 
rule, proxying works, but for me it seems with "out" rules it does not.

Or I do something wrong.

It is 10.1-RELEASE.

Any advice?

Kojedzinszky Richard
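The synproxy rule inside the anchor above names no direction of its own, so it is only evaluated for packets that already matched the anchor's "out" filter on re1. As an added example, not code from the post or from pf itself, here is a small Python checker that resolves the effective direction of rules in inline anchor blocks and lists synproxy rules that end up on the out direction; it assumes single-level inline anchors and the pf.conf layout shown in the post.

```python
import re
from dataclasses import dataclass

# Constructed copy of the relevant part of the pf.conf from the post.
PF_CONF = """\
scrub all
set skip on {lo0, re0}
#pass in quick on { re0 }
pass out quick proto {icmp, icmp6, ospf}
pass quick on { re2 } keep state (no-sync)
pass quick on { re1 } proto carp keep state (no-sync)
anchor out quick on { re1 } {
     pass quick proto tcp from any to any port {22, 5001} synproxy state
     block drop log
}
"""

@dataclass
class Finding:
    line: int        # 1-based line number in the config text
    text: str        # the rule as written
    direction: str   # effective direction after anchor inheritance

def _direction(words):
    # In pf.conf the optional direction keyword directly follows the action
    # ("pass out ...", "anchor out ..."); no keyword means both directions.
    if len(words) > 1 and words[1] in ("in", "out"):
        return words[1]
    return "any"

def synproxy_out_rules(conf):
    """Return synproxy rules whose effective direction is 'out'.

    Rules inside an inline anchor block are only evaluated for packets that
    matched the anchor rule, so a rule without its own direction inherits the
    anchor's direction. Only one level of inline anchors is handled (assumption).
    """
    findings, anchor_dir = [], None
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        words = line.split()
        if words[0] == "anchor" and line.endswith("{"):
            anchor_dir = _direction(words)    # entering an inline anchor block
            continue
        if line == "}":
            anchor_dir = None                 # leaving the anchor block
            continue
        if "synproxy" not in words:
            continue
        direction = _direction(words)
        if direction == "any" and anchor_dir in ("in", "out"):
            direction = anchor_dir            # inherit the anchor's direction
        if direction == "out":
            findings.append(Finding(n, line, direction))
    return findings
```

Running it over the posted config reports the `pass ... synproxy state` line as an out-direction rule; moving the same rule under an "in" anchor (or giving it an explicit `in`) clears the report.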


