From: Fleuriot Damien
To: Laszlo Danielisz
Cc: freebsd-pf@freebsd.org
Date: Fri, 30 Nov 2012 14:33:34 +0100
Subject: Re: pfctl -s rules
List: freebsd-pf ("Technical discussion and general questions about packet filter (pf)")

-P

Enjoy.

On Nov 30, 2012, at 2:30 PM, Laszlo Danielisz wrote:

> Good idea, let me check.
> One more thing, while pfctl -vnf /etc/pf.conf how can I list the port numbers instead of the protocol?
>
> ex:
> pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
>
> I want to see port = 21 instead of port = ftp
>
> --
> Laszlo Danielisz
> Sent with Sparrow
>
> On 2012 November 30 Friday at 2:20 PM, Fleuriot Damien wrote:
>
>> It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).
>>
>> There's also the chance your rules contain a fully qualified domain name, say example.com
>> PF tries to load its rules, DNS resolution is not up yet, FQDN fails to resolve to anything meaningful, rules fail to load.
>>
>> Review your rules for any non-physical interfaces (tun, gif) and domain names.
>>
>>
>> On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz wrote:
>>
>>> Thank you very much for your help!
>>>
>>> pf is loaded to the kernel:
>>> ktulu# kldstat|grep pf
>>> 38 1 0xc4b41000 3000 pflog.ko
>>> 39 1 0xc4b44000 35000 pf.ko
>>>
>>> and pfctl -vnf /etc/pf.conf did work, though I don't want to paste here the whole result :)
>>>
>>> Here is the output of grep
>>>
>>> ktulu# grep pf /etc/rc.conf
>>> #pf
>>> pf_enable="YES"
>>> pf_rules="/etc/pf.conf"
>>> pf_flags=""
>>> pflog_enable="YES"
>>> pflog_logfile="/var/log/pflog"
>>> pflog_flags=""
>>>
>>> I wonder why it doesn't start at boot time?
>>> --
>>> Laszlo Danielisz
>>> Sent with Sparrow
>>>
>>> On 2012 November 30 Friday at 1:40 PM, Tiago Felipe wrote:
>>>
>>>> On 11/30/2012 10:23 AM, Fleuriot Damien wrote:
>>>>> On Nov 30, 2012, at 1:20 PM, Tiago Felipe wrote:
>>>>>
>>>>>> On 11/30/2012 09:02 AM, Fleuriot Damien wrote:
>>>>>>> On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz wrote:
>>>>>>>
>>>>>>>> Hi Everybody,
>>>>>>>>
>>>>>>>> Recently I've discovered the following issue: I can't display my firewall's rules, and the firewall is enabled.
>>>>>>>> Take a look at what is happening:
>>>>>>>>
>>>>>>>> ktulu# pfctl -s rules
>>>>>>>> No ALTQ support in kernel
>>>>>>>> ALTQ related functions disabled
>>>>>>>> ktulu# pfctl -e
>>>>>>>> No ALTQ support in kernel
>>>>>>>> ALTQ related functions disabled
>>>>>>>> pfctl: pf already enabled
>>>>>>>>
>>>>>>>> ktulu# uname -a
>>>>>>>> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>>>>>>>>
>>>>>>>> Do you have any idea why I can not see them?
>>>>>>>>
>>>>>>>> Thx!
>>>>>>>> Laszlo
>>>>>>>
>>>>>>> Actually, I believe you can see your rules, all the 0 of them.
>>>>>>>
>>>>>>> Try pfctl -nf /etc/pf.conf
>>>>>>>
>>>>>>> See if you have an error when loading the rules, that would explain it all.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> freebsd-pf@freebsd.org mailing list
>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>>>> # pfctl -s all
>>>>>>
>>>>>> is the device loaded?
>>>>>>
>>>>>> # kldload pf.ko
>>>>>>
>>>>>> or recompile the kernel
>>>>>>
>>>>>> device pf
>>>>>> device pflog
>>>>>> device pfsync
>>>>>>
>>>>>> after that reload the rules with # pfctl -nf /etc/pf.conf and see if it changes something.
>>>>>>
>>>>>> sorry, my English sux.
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Tiago Felipe Gonçalves.
>>>>>> IT Infrastructure Manager.
>>>>>> +55 19 99196494
>>>>>
>>>>> His pfctl -si shows pf is enabled so either the module loaded fine, or he has device pf in his kernel config.
>>>>>
>>>>> I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)
>>>>>
>>>>> Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules, the -n flag makes it only parse the rules and show errors.
>>>> sorry for my failure with the -n flag, I've seen mistakes on small
>>>> things, not cost check =]
>>>> but -nf will show errors, rc.conf will be useful and pfctl -s all gives
>>>> us a lot of info about it.
>>>>
>>>> --
>>>> Regards,
>>>> Tiago.
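A static check for the two boot-time failure causes raised in the thread (rules bound to tun/gif interfaces that do not exist yet, and bare domain names that need DNS before it is up), added here as an example that is not part of the thread; the sample pf.conf is constructed, the interface-name list and the PF_CONF_FILE variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Flags pf.conf lines that can make the
# boot-time rule load fail for the two reasons discussed above:
#   - rules or macros naming interfaces that usually appear only after a
#     VPN/tunnel daemon starts (tun, gif, tap: an assumed list)
#   - bare host names, which need DNS that is not up when pf loads at boot
# 'pfctl -nf' catches syntax errors but only reports a missing interface or
# host as of the moment it is run, so this check complements it.

# Constructed sample rule set for demonstration.
SAMPLE_PF_CONF='
ext_if = "em0"
vpn_if = "tun0"
table <lan> { 192.168.1.0/24 }
pass in on $ext_if inet proto tcp from <lan> to 192.168.1.2 port = ftp flags S/SA keep state
pass in on $vpn_if from 10.8.0.0/24 to any
block out on gif0
pass out quick proto tcp to example.com port 443
'

# Reads a pf.conf on stdin; prints "iface: <line>" or "fqdn: <line>" for
# each risky line. Comments and blank lines are ignored.
pf_boot_risks() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # interface names that typically do not exist yet at boot
        /^(tun|gif|tap)[0-9]+/ || /[^A-Za-z0-9_](tun|gif|tap)[0-9]+/ {
            print "iface: " $0; next
        }
        {
            for (i = 1; i <= NF; i++) {
                tok = $i
                gsub(/[,{}()<>"]/, "", tok)
                # dotted name that is not a plain IPv4 address (CIDR prefixes
                # contain "/" and so never match the anchored pattern)
                if (tok ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/ && tok !~ /^[0-9.]+$/) {
                    print "fqdn: " $0
                    next
                }
            }
        }
    '
}

# Stand-alone run: validate syntax with pfctl when it is present, then list risks.
if [ -n "$PF_CONF_FILE" ]; then
    command -v pfctl >/dev/null 2>&1 && pfctl -nf "$PF_CONF_FILE"
    pf_boot_risks < "$PF_CONF_FILE"
else
    printf '%s\n' "$SAMPLE_PF_CONF" | pf_boot_risks
fi
```

On the sample it reports the tun0 macro, the gif0 rule and the example.com rule, and stays silent on the numeric addresses, the table and the ftp port rule.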