Date: Fri, 30 Nov 2012 14:20:35 +0100
From: Fleuriot Damien <ml@my.gd>
To: Laszlo Danielisz <laszlo_danielisz@yahoo.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl -s rules
Message-ID: <02387299-5EC3-47B7-B1CA-27F36A947D85@my.gd>
In-Reply-To: <983A61AAA3A744F78601A2488F54CF85@yahoo.com>
References: <49BF4308335C496593D1D7C82391C805@yahoo.com> <FE4E0127-F5A8-49C4-9BE3-814DAC35329A@my.gd> <50B8A47E.8060604@yahoo.com.br> <9A9FCC5B-CAB2-4EF6-A0FD-2356D9997658@my.gd> <50B8A92C.5090500@yahoo.com.br> <983A61AAA3A744F78601A2488F54CF85@yahoo.com>
It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).

There's also the chance your rules contain a fully qualified domain name, say example.com.

PF tries to load its rules, DNS resolution is not up yet, FQDN fails to resolve to anything meaningful, rules fail to load.

Review your rules for any non-physical interfaces (tun, gif) and domain names.


On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz <laszlo_danielisz@yahoo.com> wrote:

> Thank you very much for your help!
>
> pf is loaded to the kernel:
> ktulu# kldstat | grep pf
> 38    1 0xc4b41000 3000     pflog.ko
> 39    1 0xc4b44000 35000    pf.ko
>
> and pfctl -vnf /etc/pf.conf did work, though I don't want to paste here the whole result :)
>
> Here is the output of grep:
>
> ktulu# grep pf /etc/rc.conf
> #pf
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_flags=""
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_flags=""
>
> I wonder why it doesn't start at boot time?
> --
> Laszlo Danielisz
> Sent with Sparrow
>
> On 2012 November 30 Friday at 1:40 PM, Tiago Felipe wrote:
>
>> On 11/30/2012 10:23 AM, Fleuriot Damien wrote:
>>> On Nov 30, 2012, at 1:20 PM, Tiago Felipe <tfgoncalves@yahoo.com.br> wrote:
>>>
>>>> On 11/30/2012 09:02 AM, Fleuriot Damien wrote:
>>>>> On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz <laszlo_danielisz@yahoo.com> wrote:
>>>>>
>>>>>> Hi Everybody,
>>>>>>
>>>>>> Recently I've discovered the following issue: I can't display my firewall's rules, and the firewall is enabled.
>>>>>> Take a look at what is happening:
>>>>>>
>>>>>> ktulu# pfctl -s rules
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>> ktulu# pfctl -e
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>> pfctl: pf already enabled
>>>>>>
>>>>>> ktulu# uname -a
>>>>>> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>>>>>>
>>>>>> Do you have any idea why I can not see them?
>>>>>>
>>>>>> Thx!
>>>>>> Laszlo
>>>>>
>>>>> Actually, I believe you can see your rules, all the 0 of them.
>>>>>
>>>>> Try pfctl -nf /etc/pf.conf
>>>>>
>>>>> See if you have an error when loading the rules, that would explain it all.
>>>>>
>>>>> _______________________________________________
>>>>> freebsd-pf@freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>>
>>>> # pfctl -s all
>>>>
>>>> Is the device loaded?
>>>>
>>>> # kldload pf.ko
>>>>
>>>> or recompile the kernel with
>>>>
>>>> device pf
>>>> device pflog
>>>> device pfsync
>>>>
>>>> after that reload the rules with # pfctl -nf /etc/pf.conf and see if it changes something.
>>>>
>>>> sorry, my english sux.
>>>>
>>>> --
>>>> Regards,
>>>> Tiago Felipe Gonçalves.
>>>> IT Infrastructure Manager.
>>>> +55 19 99196494
>>>
>>> His pfctl -si shows pf is enabled, so either the module loaded fine or he has device pf in his kernel config.
>>>
>>> I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)
>>>
>>> Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules; the -n flag makes it only parse the rules and show errors.
>>
>> Sorry for my failure with the -n flag, I've seen mistakes on small things, not cost check =]
>> But -nf will show errors, rc.conf will be useful, and pfctl -s all gives us a lot of info.
>>
>> --
>> Regards,
>> Tiago.
>
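The review Damien recommends, written out as a script. This is an added example and not code from the thread, from the poster or from the FreeBSD project: the sample pf.conf is constructed here so the script runs stand-alone, the list of pseudo-interface names it looks for is a heuristic you should extend for your own host, and pfctl is only invoked when the binary exists. Point PF_CONF at the real /etc/pf.conf to audit a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pf.conf for the two boot-time
# failure causes discussed above, rules that reference an interface that may
# not exist yet (tun, gif, ...) and rules that use a domain name that cannot
# be resolved before DNS is up.

PF_CONF=$(mktemp) || exit 1
trap 'rm -f "$PF_CONF"' EXIT
# Constructed sample ruleset, not the poster's real pf.conf.
cat > "$PF_CONF" <<'EOF'
# constructed sample ruleset
ext_if = "em0"
vpn_if = "tun0"
set skip on lo0
block in all
pass out on $ext_if inet from any to any keep state
pass in on $vpn_if from 10.8.0.0/24 to any
pass out on $ext_if proto tcp from any to example.com port 443
pass out on $ext_if proto tcp from any to 192.0.2.10 port 22
pass in on gif0 all
EOF

# Lines that name a non-physical interface, either directly in a rule or in a
# macro assignment (the macro hides the interface from a casual read). The name
# list is a heuristic; add whatever pseudo-interfaces your host creates late.
pf_virtual_if_lines() {
    grep -En '(^|[^[:alnum:]])(tun|gif|gre|tap)[0-9]*([^[:alnum:]]|$)' "$1"
}

# Plain count of those lines so a caller can check the result without parsing.
pf_virtual_if_count() {
    pf_virtual_if_lines "$1" | grep -c .
}

# Dotted tokens that are not IPv4 addresses or prefixes, i.e. hostnames that
# pf must resolve when the ruleset is loaded. Comment lines are dropped first.
pf_hostnames() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eo '[[:alnum:]_-]+(\.[[:alnum:]_-]+)+' \
        | grep -Ev '^[0-9.]+$' \
        | sort -u
}

# Parse-only check with the -n flag from the thread; it never loads the rules.
# Run it while DNS is unreachable and a hostname in the ruleset fails exactly
# the way it would at boot.
pf_syntax_check() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; run 'pfctl -nf $1' on the firewall itself" >&2
    fi
}

echo "rules touching pseudo-interfaces:"
pf_virtual_if_lines "$PF_CONF"
echo "hostnames resolved at ruleset load time:"
pf_hostnames "$PF_CONF"
pf_syntax_check "$PF_CONF"
```

A hostname that does resolve is still worth replacing with an address or a table: pf resolves names once, when the ruleset is loaded, so the rule silently keeps whatever addresses the name had at that moment until the next reload.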
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?02387299-5EC3-47B7-B1CA-27F36A947D85>