From owner-freebsd-pf@FreeBSD.ORG Sun Nov 25 12:20:35 2012
From: Shaymardanov Rushan
To: freebsd-pf@freebsd.org
Date: Sun, 25 Nov 2012 18:20:34 +0600
Subject: Problem with route-to option

Hello. I have a problem using pf in FreeBSD 9.0.
I'm using a FreeBSD box as gateway and I have 2 ISPs. I'd like to route some
clients via the second provider and I'm using pf's route-to function for it:

( ... )
nat on ng0 inet from 172.18.100.254 to any -> xx.xx.xx.157
(...)
pass in route-to (ng0 10.0.0.1) inet from 172.18.100.254 to any tag SUBS
(...)

Packets are routed correctly (via ng0), and nat works well, but the IP checksum
is bad and I don't receive any response:

gw# tcpdump -i ng0 -s 0 -v -n icmp
tcpdump: listening on ng0, link-type NULL (BSD loopback), capture size 65535 bytes
18:11:54.456027 IP (tos 0x0, ttl 128, id 218, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9390 (->9093)!)
    xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 171, length 40
18:11:59.480968 IP (tos 0x0, ttl 128, id 219, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9290 (->9092)!)
    xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 172, length 40
18:12:04.506907 IP (tos 0x0, ttl 128, id 220, offset 0, flags [none], proto ICMP (1), length 60, bad cksum 9190 (->9091)!)
    xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 173, length 40

Without route-to (if for example I change the routing table for a particular
destination address), checksums are good and traffic passes correctly.
Rushan Shaymardanov

From owner-freebsd-pf@FreeBSD.ORG Mon Nov 26 11:06:49 2012
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 26 Nov 2012 11:06:48 GMT
Message-Id: <201211261106.qAQB6mpt019488@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/173659  pf    [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf    [patch] authpf(8) feature enhancement
o kern/172648  pf    [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf    [pf] PF problem with modulate state in [regression]
o kern/169630  pf    [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf    [pf] direction scrub rules don't work
o kern/168190  pf    [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf    [pf] kern.securelevel 3 +pf reload
o kern/165315  pf    [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf    [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf    [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf    [pf] PF state key linking mismatch
o kern/160370  pf    [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

48 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Nov 28 10:20:26 2012
From: Alexandr Krivulya
To: freebsd-pf@freebsd.org
Date: Wed, 28 Nov 2012 12:20:15 +0200
Message-ID: <50B5E55F.9090702@compenta.com.ua>
Subject: Re: Problem with route-to option

25.11.2012 14:20, Shaymardanov Rushan wrote:
> Hello. I have a problem using pf in FreeBSD 9.0.
> I'm using a FreeBSD box as gateway and I have 2 ISPs. I'd like to route some
> clients via the second provider and I'm using pf's route-to function for it:
>
> ( ... )
> nat on ng0 inet from 172.18.100.254 to any -> xx.xx.xx.157
> (...)
> pass in route-to (ng0 10.0.0.1) inet from 172.18.100.254 to any tag SUBS
> (...)
>
> Packets are routed correctly (via ng0), and nat works well, but the IP checksum
> is bad and I don't receive any response:
>
> gw# tcpdump -i ng0 -s 0 -v -n icmp
> tcpdump: listening on ng0, link-type NULL (BSD loopback), capture size
> 65535 bytes
> 18:11:54.456027 IP (tos 0x0, ttl 128, id 218, offset 0, flags [none], proto
> ICMP (1), length 60, bad cksum 9390 (->9093)!)
>     xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 171, length 40
> 18:11:59.480968 IP (tos 0x0, ttl 128, id 219, offset 0, flags [none], proto
> ICMP (1), length 60, bad cksum 9290 (->9092)!)
>     xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 172, length 40
> 18:12:04.506907 IP (tos 0x0, ttl 128, id 220, offset 0, flags [none], proto
> ICMP (1), length 60, bad cksum 9190 (->9091)!)
>     xx.xx.xx.157 > 8.8.8.8: ICMP echo request, id 3993, seq 173, length 40
>
> Without route-to (if for example I change the routing table for a particular
> destination address), checksums are good and traffic passes correctly.
>
>
> Rushan Shaymardanov

Hello!

I have exactly the same issue with pf-nat and outgoing traffic from ng-interfaces.
With ipfw nat there is no problem. Problem exists on 9.0, 9.1-RC3 and stable.
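An added example (not code from either poster in this thread) for reading the tcpdump output above: it implements the RFC 791 IPv4 header checksum so the "bad cksum X (->Y)" report can be reproduced on a constructed header, and it parses the three captured lines to show that each observed value is the expected value with its two bytes swapped, the signature of a byte-order mix-up rather than random corruption. The source address 192.0.2.157 is a constructed stand-in for the anonymised xx.xx.xx.157.

```python
"""Added example: IPv4 header checksum check for the route-to / ng0 report.
Not from the thread's posters; sample addresses are constructed."""
import re
import socket
import struct

# The three "bad cksum" lines copied from the report above (source address
# anonymised by the poster, so only the checksum fields are used from them).
TCPDUMP_LINES = [
    "18:11:54.456027 IP (tos 0x0, ttl 128, id 218, offset 0, flags [none], "
    "proto ICMP (1), length 60, bad cksum 9390 (->9093)!)",
    "18:11:59.480968 IP (tos 0x0, ttl 128, id 219, offset 0, flags [none], "
    "proto ICMP (1), length 60, bad cksum 9290 (->9092)!)",
    "18:12:04.506907 IP (tos 0x0, ttl 128, id 220, offset 0, flags [none], "
    "proto ICMP (1), length 60, bad cksum 9190 (->9091)!)",
]

BAD_CKSUM_RE = re.compile(r"bad cksum ([0-9a-fA-F]{1,4}) \(->([0-9a-fA-F]{1,4})\)")
IP_ID_RE = re.compile(r"\bid (\d+)")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's complement sum of 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum as the sender computes it: field zeroed, summed, complemented."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def verify_ipv4_header(header: bytes) -> bool:
    """Receiver-side check: the sum over the whole header must be 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src: str, dst: str, ident: int, ttl: int = 128,
                      proto: int = 1, total_len: int = 60,
                      checksum: int = 0) -> bytes:
    """20-byte option-less IPv4 header with the field values tcpdump printed."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl,
                       proto, checksum, socket.inet_aton(src), socket.inet_aton(dst))


def byte_swapped(a: int, b: int) -> bool:
    """True when two 16-bit values differ only in byte order."""
    return (((a & 0xFF) << 8) | (a >> 8)) == b


def classify_tcpdump(lines):
    """Parse each 'bad cksum X (->Y)' line and flag byte-swapped mismatches."""
    results = []
    for line in lines:
        m = BAD_CKSUM_RE.search(line)
        if not m:
            continue
        observed, expected = int(m.group(1), 16), int(m.group(2), 16)
        ident = IP_ID_RE.search(line)
        results.append({
            "id": int(ident.group(1)) if ident else None,
            "observed": observed,
            "expected": expected,
            "swapped": byte_swapped(observed, expected),
        })
    return results


if __name__ == "__main__":
    hdr = build_ipv4_header("192.0.2.157", "8.8.8.8", 218)  # constructed sample
    good = ipv4_header_checksum(hdr)
    swapped = ((good & 0xFF) << 8) | (good >> 8)
    print("correct checksum for the sample header: %04x" % good)
    print("verify(correct) =", verify_ipv4_header(
        build_ipv4_header("192.0.2.157", "8.8.8.8", 218, checksum=good)))
    print("verify(swapped) =", verify_ipv4_header(
        build_ipv4_header("192.0.2.157", "8.8.8.8", 218, checksum=swapped)))
    for r in classify_tcpdump(TCPDUMP_LINES):
        print("id %d: observed %04x expected %04x byte-swapped=%s"
              % (r["id"], r["observed"], r["expected"], r["swapped"]))
```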
From owner-freebsd-pf@FreeBSD.ORG Thu Nov 29 11:04:21 2012
From: Fleuriot Damien
To: Odhiambo Washington
Cc: freebsd-pf@freebsd.org
Date: Thu, 29 Nov 2012 12:04:16 +0100
Message-Id: <541D2C5C-F045-4CE2-B452-25B4CB65D4F3@my.gd>
Subject: Re: Upgrading FreeBSD to use the NEW pf syntax.

On Nov 20, 2012, at 7:46 AM, Odhiambo Washington wrote:

> On Tue, Nov 20, 2012 at 5:23 AM, Paul Webster wrote:
>
>> Good day all,
>>
>> I am aware this is a much discussed subject since the upgrade of PF, I
>> believe the final decision was that too many users are used to the old
>> style pf and an upgrade to the new syntax would cause too much confusion.
>>
>> There was a recent debate on ##freebsd about this issue and I was inclined
>> to mail in and get your opinions; basically it boiled down to the majority
>> of users wanting either:
>>
>> 1) To move to the newer pf and just add to release notes what had
>> happened,
>> and
>> 2) my own personal opinion: creating 'pf2-*' as a kernel option tree,
>> basically using the newer pf syntax and allowing users to choose.
>>
>> I would be interested to know the feedback from you guys as to be honest
>> there seems to be quite a few users who actually DO want the new style
>> format and functionality that comes with.
>>
>> I attached the log of the conversation just for reference.
>>
>>
> It's been difficult enough to maintain PF on FreeBSD because of the time
> needed to be invested in the FreeBSD port.
> This situation remains to date, from what I understand. I guess someone can
> look at how many bugs/feature requests still remain open for PF on FreeBSD.
>
> I therefore feel that whoever wants to run PF should use a dedicated
> OpenBSD box as a firewall/whatever they use PF for.
> There is really no point trying to make FreeBSD be OpenBSD when it comes to
> such requirements. Look at the advantages of "separation of power" - give
> to OpenBSD the firewall power and FreeBSD the server power.
>
> In keeping with the K.I.S.S principle, please let anyone needing new PF
> syntax just use OpenBSD.
>

I for one can't agree with this line of thinking.

The *only* reason we use fbsd at work is as firewalls, which sometimes also
act as load balancers through the use of either relayd, nginx, and/or haproxy.

The "real" servers themselves run debian and are much easier and convenient
to upgrade.

Following your logic, we'd ditch freebsd entirely, in my case; way to erode
the userbase.

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 11:00:53 2012
From: Laszlo Danielisz
To: freebsd-pf@freebsd.org
Date: Fri, 30 Nov 2012 12:00:50 +0100
Message-ID: <49BF4308335C496593D1D7C82391C805@yahoo.com>
Subject: pfctl -s rules

Hi Everybody,

Recently I've discovered the following issue: I can't display my firewall's
rules, and the firewall is enabled.
Take a look at what is happening:

ktulu# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
ktulu# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled

ktulu# uname -a
FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

Do you have any idea why I can not see them?

Thx!
Laszlo

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 11:02:16 2012
From: Fleuriot Damien
To: Laszlo Danielisz
Cc: freebsd-pf@freebsd.org
Date: Fri, 30 Nov 2012 12:02:11 +0100
In-Reply-To: <49BF4308335C496593D1D7C82391C805@yahoo.com>
Subject: Re: pfctl -s rules

On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz wrote:

> Hi Everybody,
>
> Recently I've discovered the following issue: I can't display my firewall's
> rules, and the firewall is enabled.
> Take a look at what is happening:
>
> ktulu# pfctl -s rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> ktulu# pfctl -e
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: pf already enabled
>
> ktulu# uname -a
> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>
>
>
> Do you have any idea why I can not see them?
>
> Thx!
> Laszlo

Actually, I believe you can see your rules, all the 0 of them.

Try pfctl -nf /etc/pf.conf

See if you have an error when loading the rules, that would explain it all.
From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 12:07:02 2012
From: Laszlo Danielisz
To: Fleuriot Damien
Cc: freebsd-pf@freebsd.org
Date: Fri, 30 Nov 2012 13:06:53 +0100
Message-ID: <21296179F7C744CE89529A0027FBE9DA@yahoo.com>
Subject: Re: pfctl -s rules

Nothing is displayed

ktulu# pfctl -nf /etc/pf.conf
ktulu#

--
Laszlo Danielisz
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)

On 2012 November 30 Friday at 12:02 PM, Fleuriot Damien wrote:
>
> On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz wrote:
>
> > Hi Everybody,
> >
> > Recently I've discovered the following issue: I can't display my firewall's
> > rules, and the firewall is enabled.
> > Take a look at what is happening:
> >
> > ktulu# pfctl -s rules
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > ktulu# pfctl -e
> > No ALTQ support in kernel
> > ALTQ related functions disabled
> > pfctl: pf already enabled
> >
> > ktulu# uname -a
> > FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
> >
> >
> >
> > Do you have any idea why I can not see them?
> >
> > Thx!
> > Laszlo
>
>
>
> Actually, I believe you can see your rules, all the 0 of them.
>
> Try pfctl -nf /etc/pf.conf
>
> See if you have an error when loading the rules, that would explain it all.

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 12:09:49 2012
From: Fleuriot Damien
To: Laszlo Danielisz
Cc: freebsd-pf@freebsd.org
Date: Fri, 30 Nov 2012 13:09:43 +0100
In-Reply-To: <21296179F7C744CE89529A0027FBE9DA@yahoo.com>
Subject: Re: pfctl -s rules

Okay kindly paste:
# pfctl -vnf /etc/pf.conf

Let's see if your rules show up.

If that works, try
# pfctl -f /etc/pf.conf

Be aware this should load your rules and enable them, be careful not to cut
yourself off.

If this works, a likely explanation is that pf tried to load rules at boot
and failed for some reason (interface not created at the time, for example).

Also post:
# grep pf /etc/rc.conf

On Nov 30, 2012, at 1:06 PM, Laszlo Danielisz wrote:

> Nothing is displayed
>
> ktulu# pfctl -nf /etc/pf.conf
> ktulu#
>
> --
> Laszlo Danielisz
> Sent with Sparrow
>
> On 2012 November 30 Friday at 12:02 PM, Fleuriot Damien wrote:
>
>>
>> On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz wrote:
>>
>>> Hi Everybody,
>>>
>>> Recently I've discovered the following issue: I can't display my firewall's
>>> rules, and the firewall is enabled.
>>> Take a look at what is happening:
>>>
>>> ktulu# pfctl -s rules
>>> No ALTQ support in kernel
>>> ALTQ related functions disabled
>>> ktulu# pfctl -e
>>> No ALTQ support in kernel
>>> ALTQ related functions disabled
>>> pfctl: pf already enabled
>>>
>>> ktulu# uname -a
>>> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>>>
>>>
>>>
>>> Do you have any idea why I can not see them?
>>>
>>> Thx!
>>> Laszlo
>>
>>
>>
>> Actually, I believe you can see your rules, all the 0 of them.
>>
>> Try pfctl -nf /etc/pf.conf
>>
>> See if you have an error when loading the rules, that would explain it all.
>

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 12:17:00 2012
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Laszlo Danielisz
Cc: freebsd-pf@freebsd.org
Date: Fri, 30 Nov 2012 13:16:51 +0100
Message-ID: <50B8A3B3.6000507@quip.cz>
In-Reply-To: <21296179F7C744CE89529A0027FBE9DA@yahoo.com>
Subject: Re: pfctl -s rules

Laszlo Danielisz wrote:
> Nothing is displayed
>
> ktulu# pfctl -nf /etc/pf.conf
> ktulu#

It is better to use the verbose command (it will show you the parsed rules
as well as some errors):

pfctl -nvvf /etc/pf.conf

If you see your rules with the above command, but rules are not loaded at
boot, then you have some error in /etc/rc.conf (you need at least
pf_enable="YES").

Manually try `service pf reload` or `service pf restart`

Miroslav Lachman

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 12:20:27 2012
(envelope-from tfgoncalves@yahoo.com.br)
h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=Bjnis97wed111zwQ122R9/W42Y61rgQkKfo0qrNMXBFS8I/G0X+U1tOYmb+lF/ruRietKm7AaZr7MS2hdbndFCkMvEfUnHzhWWB4k1Q9H/20cFRBF5UCu61I0qW5NuEqGymdpmHOvRGZOvtyG/BT/7d0WD0VdV0aDQViEpRrd+8= X-Yahoo-Newman-Id: 41345.32871.bm@smtp222.mail.gq1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: SDHRjVEVM1lvY2kjTXafBvkAq8g.Gk1tT7WxKb5i8InEfgh _QtD_9zKYE5GP9M6lvywKStT26fFUeVSvMXmwrJ.xRLfLGYL0jcHW4zYF9vH TcNpfivu6.QJS5a8jCJWXsZRVc48D3jfr5wPTJGROzlY2GTdxFxTqBdTbtp9 KDuB6hD7XV_9RLGS1BXpKlZq1VqUMLbWZ5hTngxXie18BMzPSQ1cXrrymd_G n9dnP7TRUtYbGj5sCzdXQkvRjo.rrhMxrmuxi8Xx9XPz.B_N7e67o.VFgEYh uTQSNS5bWGWw3.98joT2k7W7DvZt_oxmz8qydEELYjLusL.tVpOytKg35Cj3 r8G9dK58c4Dyc8dbNh3AlrTKHOMHZyR4KWaYcMtuML8A_wioKFORPu2J.NFu A46NGWA.3BgNks75vWlO_.6Ug0v9yu14N0CEETng5i14pi8UQlIFomXiuquL yF9x6_.E_DRdhL8G6vaNir7YOz0XMg51ceJtP6xZsKxg5CA-- X-Yahoo-SMTP: yejC.yGswBDzcY.VmwcuyKwGCegnB.Xy Received: from [186.250.58.220] (tfgoncalves@186.250.58.220 with plain) by smtp222.mail.gq1.yahoo.com with SMTP; 30 Nov 2012 04:20:19 -0800 PST Message-ID: <50B8A47E.8060604@yahoo.com.br> Date: Fri, 30 Nov 2012 10:20:14 -0200 From: Tiago Felipe User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.10) Gecko/20121027 Icedove/10.0.10 MIME-Version: 1.0 To: freebsd-pf@freebsd.org Subject: Re: pfctl -s rules References: <49BF4308335C496593D1D7C82391C805@yahoo.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Nov 2012 12:20:27 -0000 On 11/30/2012 09:02 AM, Fleuriot Damien wrote: > On Nov 30, 2012, at 12:00 PM, Laszlo 
Danielisz wrote: > >> Hi Everybody, >> >> Recently I've discover the following issues: I can't display my firewalls rules, and the firewall is enabled. >> Take a look what is happening: >> >> ktulu# pfctl -s rules >> No ALTQ support in kernel >> ALTQ related functions disabled >> ktulu# pfctl -e >> No ALTQ support in kernel >> ALTQ related functions disabled >> pfctl: pf already enabled >> >> ktulu# uname -a >> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386 >> >> >> >> Do you have any idea why I can not see them? >> >> Thx! >> Laszlo > > > Actually, I believe you can see your rules, all the 0 of them. > > Try pfctl -nf /etc/pf.conf > > See if you have an error when loading the rules, that would explain it all. > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" # pfctl -s all the device is loaded? # kldload pf.ko or recompile the kernel device pf device pflog device pfsync after that reload the rules wtih # pfctl -nf /etc/pf.conf and see if change something. sorry, my english sux. -- Att, Tiago Felipe Gonçalves. Gerente de Infraestrutura de TI. 
+55 19 99196494

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 12:23:21 2012
From: Fleuriot Damien
To: Tiago Felipe
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl -s rules
Date: Fri, 30 Nov 2012 13:23:16 +0100
Message-Id: <9A9FCC5B-CAB2-4EF6-A0FD-2356D9997658@my.gd>
In-Reply-To: <50B8A47E.8060604@yahoo.com.br>

On Nov 30, 2012, at 1:20 PM, Tiago Felipe wrote:
> # pfctl -s all
>
> Is the device loaded?
>
> # kldload pf.ko
>
> or recompile the kernel with:
>
> device pf
> device pflog
> device pfsync
>
> After that, reload the rules with # pfctl -nf /etc/pf.conf and see if anything changes.

His pfctl -si shows pf is enabled, so either the module loaded fine, or he has device pf in his kernel config.

I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)

Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules; the -n flag makes it only parse the rules and show errors.

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 12:43:17 2012
From: Tiago Felipe
To: Fleuriot Damien
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl -s rules
Date: Fri, 30 Nov 2012 10:40:12 -0200
Message-ID: <50B8A92C.5090500@yahoo.com.br>
In-Reply-To: <9A9FCC5B-CAB2-4EF6-A0FD-2356D9997658@my.gd>

On 11/30/2012 10:23 AM, Fleuriot Damien wrote:
> His pfctl -si shows pf is enabled, so either the module loaded fine, or he has device pf in his kernel config.
>
> I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)
>
> Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules; the -n flag makes it only parse the rules and show errors.

Sorry for my failure with the -n flag; I've seen mistakes on small things, not cost check =]
But -nf will show errors, rc.conf will be useful, and pfctl -s all gives us a lot of info about it.

--
Att,
Tiago.
From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 13:17:32 2012
From: Laszlo Danielisz
To: Tiago Felipe
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl -s rules
Date: Fri, 30 Nov 2012 14:17:28 +0100
Message-ID: <983A61AAA3A744F78601A2488F54CF85@yahoo.com>
In-Reply-To: <50B8A92C.5090500@yahoo.com.br>

Thank you very much for your help!

pf is loaded to the kernel:

ktulu# kldstat|grep pf
38 1 0xc4b41000 3000 pflog.ko
39 1 0xc4b44000 35000 pf.ko

and pfctl -vnf /etc/pf.conf did work, though I don't want to paste the whole result here :)

Here is the output of grep:

ktulu# grep pf /etc/rc.conf
#pf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

I wonder why it doesn't start at boot time?

--
Laszlo Danielisz
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)

On 2012 November 30 Friday at 1:40 PM, Tiago Felipe wrote:
> Sorry for my failure with the -n flag; I've seen mistakes on small things, not cost check =]
> But -nf will show errors, rc.conf will be useful, and pfctl -s all gives us a lot of info about it.

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 13:20:40 2012
From: Fleuriot Damien
To: Laszlo Danielisz
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl -s rules
Date: Fri, 30 Nov 2012 14:20:35 +0100
Message-Id: <02387299-5EC3-47B7-B1CA-27F36A947D85@my.gd>
In-Reply-To: <983A61AAA3A744F78601A2488F54CF85@yahoo.com>

It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).

There's also the chance your rules contain a fully qualified domain name, say example.com.
PF tries to load its rules, DNS resolution is not up yet, the FQDN fails to resolve to anything meaningful, and the rules fail to load.

Review your rules for any non-physical interfaces (tun, gif) and domain names.

On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz wrote:
> ktulu# grep pf /etc/rc.conf
> #pf
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_flags=""
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_flags=""
>
> I wonder why it doesn't start at boot time?
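Damien's explanation above (rules that name an interface such as a VPN tun which does not exist yet when /etc/rc.d/pf runs, or a hostname that cannot be resolved before DNS is up) and the earlier advice from Damien and Miroslav to confirm pf_enable in /etc/rc.conf can be turned into a static check that is run before rebooting. The script below is an added example written for this page; it is not from the thread, from FreeBSD or from pfctl. The function names, the list of interface-name prefixes it treats as "created after pf loads", and the sample rc.conf and pf.conf it builds are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): a pre-boot lint for
# a pf ruleset, checking the three things the thread points at:
#   1. pf_enable="YES" is really set (uncommented) in rc.conf,
#   2. rules bound to interfaces that usually appear only after the pf rc
#      script has run (VPN tun/tap, netgraph ng, cloned gif/gre, pppoe),
#   3. rules that contain DNS names, which cannot resolve before DNS is up.
# The prefix list is an assumption of this example, not a pf definition.
DYNAMIC_IFACE_RE='^(tun|tap|gif|gre|ng|pppoe)[0-9]+$'

# rcconf_pf_enabled RC_CONF: succeed when an uncommented pf_enable=YES exists.
rcconf_pf_enabled() {
    grep -Eq '^[[:space:]]*pf_enable="?[Yy][Ee][Ss]"?' "$1"
}

# pfconf_dynamic_ifaces PF_CONF: print interface names that follow the
# keyword "on" and match DYNAMIC_IFACE_RE, one per line, deduplicated.
pfconf_dynamic_ifaces() {
    awk -v re="$DYNAMIC_IFACE_RE" '
    { sub(/#.*/, "") }
    {
        for (i = 1; i < NF; i++)
            if ($i == "on" && $(i + 1) ~ re) print $(i + 1)
    }' "$1" | sort -u
}

# pfconf_hostnames PF_CONF: print tokens after "from" or "to" that look
# like DNS names: dotted, not an IPv4 address or CIDR block, and not a
# macro ($name), table (<name>) or interface group/list.
pfconf_hostnames() {
    awk '
    { sub(/#.*/, "") }
    {
        for (i = 2; i <= NF; i++) {
            if ($(i - 1) != "from" && $(i - 1) != "to") continue
            t = $i
            if (t ~ /^[0-9.\/]+$/) continue
            if (t ~ /^[$<(]/) continue
            if (t ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/) print t
        }
    }' "$1" | sort -u
}

# pf_boot_lint RC_CONF PF_CONF: print one finding per line; exit 0 if none.
pf_boot_lint() {
    rc=0
    if ! rcconf_pf_enabled "$1"; then
        echo "rc.conf: pf_enable is not YES; pf will not start at boot"
        rc=1
    fi
    for ifn in $(pfconf_dynamic_ifaces "$2"); do
        echo "pf.conf: rule on $ifn; interface may not exist when rules load"
        rc=1
    done
    for h in $(pfconf_hostnames "$2"); do
        echo "pf.conf: hostname $h; DNS may not resolve when rules load"
        rc=1
    done
    return $rc
}

# Constructed sample files so the example runs stand-alone (not real hosts).
SAMPLE_RC=$(mktemp); SAMPLE_PF=$(mktemp)
printf '%s\n' '#pf' 'pf_enable="YES"' 'pf_rules="/etc/pf.conf"' > "$SAMPLE_RC"
printf '%s\n' \
    'ext_if = "em0"' \
    'pass in on $ext_if inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port ftp' \
    'pass in on tun0 from any to any' \
    'pass out on $ext_if inet proto tcp from any to example.com port www' \
    > "$SAMPLE_PF"

if pf_boot_lint "$SAMPLE_RC" "$SAMPLE_PF"; then
    echo "no boot-time hazards found"
else
    echo "review the findings above before relying on the boot-time load"
fi
```

Run it against the real /etc/rc.conf and /etc/pf.conf after `pfctl -nvvf /etc/pf.conf` reports the ruleset as syntactically clean; a clean parse at a logged-in shell says nothing about whether the same file loads during boot, which is exactly the gap the thread is chasing.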
From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 13:30:40 2012
From: Laszlo Danielisz
To: Fleuriot Damien
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl -s rules
Date: Fri, 30 Nov 2012 14:30:36 +0100
In-Reply-To: <02387299-5EC3-47B7-B1CA-27F36A947D85@my.gd>

Good idea, let me check.

One more thing: with pfctl -vnf /etc/pf.conf, how can I list the port numbers instead of the protocol?

ex:

pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state

I want to see port = 21 instead of port = ftp

--
Laszlo Danielisz
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)

On 2012 November 30 Friday at 2:20 PM, Fleuriot Damien wrote:
> It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).
>
> There's also the chance your rules contain a fully qualified domain name, say example.com (http://example.com)
> PF tries to load its rules, DNS resolution is not up yet, the FQDN fails to resolve to anything meaningful, and the rules fail to load.
>
> Review your rules for any non-physical interfaces (tun, gif) and domain names.
>
> On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz wrote:
> > Thank you very much for your help!
> > > > > > > Take a look what is happening: > > > > > > > =20 > > > > > > > ktulu=23 pfctl -s rules > > > > > > > No ALTQ support in kernel > > > > > > > ALTQ related functions disabled > > > > > > > ktulu=23 pfctl -e > > > > > > > No ALTQ support in kernel > > > > > > > ALTQ related functions disabled > > > > > > > pfctl: pf already enabled > > > > > > > =20 > > > > > > > ktulu=23 uname -a > > > > > > > =46reeBSD ktulu.danielisz.eu (http://ktulu.danielisz.eu) 8.= 3-RELEASE-p3 =46reeBSD 8.3-RELEASE-p3 =230: Mon Jun 11 23:52:38 UTC 2012 = root=40i386-builder.daemonology.net (mailto:root=40i386-builder.daemonolo= gy.net):/usr/obj/usr/src/sys/GENERIC i386 > > > > > > > =20 > > > > > > > =20 > > > > > > > =20 > > > > > > > Do you have any idea why I can not see them=3F > > > > > > > =20 > > > > > > > Thx=21 > > > > > > > Laszlo > > > > > > > =20 > > > > > > =20 > > > > > > =20 > > > > > > Actually, I believe you can see your rules, all the 0 of them= . > > > > > > =20 > > > > > > Try pfctl -nf /etc/pf.conf > > > > > > =20 > > > > > > See if you have an error when loading the rules, that would e= xplain it all. > > > > > > =20 > > > > > > =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F > > > > > > freebsd-pf=40freebsd.org (mailto:freebsd-pf=40freebsd.org) ma= iling list > > > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > > > > > > To unsubscribe, send any mail to =22freebsd-pf-unsubscribe=40= freebsd.org (mailto:freebsd-pf-unsubscribe=40freebsd.org)=22 > > > > > > =20 > > > > > =20 > > > > > =23 pfctl -s all > > > > > =20 > > > > > the device is loaded=3F > > > > > =20 > > > > > =23 kldload pf.ko > > > > > =20 > > > > > or recompile the kernel > > > > > =20 > > > > > device pf > > > > > device pflog > > > > > device pfsync > > > > > =20 > > > > > after that reload the rules wtih =23 pfctl -nf /etc/pf.conf and= see if change something. 
> > > > > =20 > > > > > sorry, my english sux. > > > > > =20 > > > > > -- =20 > > > > > Att, > > > > > Tiago =46elipe Gon=C3=A7alves. > > > > > Gerente de Infraestrutura de TI. > > > > > +55 19 99196494 > > > > > =20 > > > > =20 > > > > =20 > > > > His pfctl -si shows pf is enabled so either the module loaded fin= e, or he has device pf in his kernel config. > > > > =20 > > > > I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /e= tc/pf.conf ;) > > > > =20 > > > > Also note that pfctl -nf /etc/pf.conf doesn't actually load the r= ules, the -n flag makes it only parse the rules and show errors. > > > sorry for my failure with -n flag, i've seen mistakes on small =20 > > > things,not cost check =3D=5D > > > but -nf will show errors, rc.conf will be useful and pfctl -s all, = give =20 > > > us a lot of info about. > > > =20 > > > -- =20 > > > Att, > > > Tiago. > > > =20 > > > =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F= =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F > > > freebsd-pf=40freebsd.org (mailto:freebsd-pf=40freebsd.org) mailing = list > > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > > > To unsubscribe, send any mail to =22freebsd-pf-unsubscribe=40freebs= d.org (mailto:freebsd-pf-unsubscribe=40freebsd.org)=22 > > > =20 > > =20 > > =20 > =20 From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 13:33:39 2012 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 05A2510E for ; Fri, 30 Nov 2012 13:33:39 +0000 (UTC) (envelope-from ml@my.gd) Received: from mail-wg0-f52.google.com (mail-wg0-f52.google.com [74.125.82.52]) by mx1.freebsd.org (Postfix) with ESMTP id 7DD1A8FC1B for ; Fri, 30 Nov 2012 13:33:38 +0000 (UTC) Received: by mail-wg0-f52.google.com with SMTP id 12so219629wgh.31 for ; Fri, 30 Nov 2012 05:33:37 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=google.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=3/a3t7v8KadbLnFcrDfkXw40SQnkMaEdl3mUmhAeeAg=; b=fNj8vqwrtGpbJ08OYwnBKnKi0585Y13eFouX9vVhvFf9+IPokcwS0aElk9OlVAH7ex YV6Tc5ZlRcWLkhcz4KJ7rSKyqPWZ+aXuW1oGUs2RaCglxCjg3W81xSSKBQHak/03tqQ3 fIGdyOLy/w6OOVc/8n6FVBsNMveojzKN6kPbaOXTRlTEO3vpHYs1GAHESCVTbmnF0S2n daM33uekcOunfuy7bsi3AJw0Quu//15X+Dd6SNyv/eXGbBuX6bN5X7UZLYFvoLd/P04l QaEG10m3QWyrKoxf0ci74JHOWzOm53yvDjKgvQwgDdmEFTwy+SMczdowDPSwVSPJ5lcz PgSA== Received: by 10.180.88.138 with SMTP id bg10mr2101318wib.13.1354282417237; Fri, 30 Nov 2012 05:33:37 -0800 (PST) Received: from dfleuriot-at-hi-media.com ([83.167.62.196]) by mx.google.com with ESMTPS id hv4sm15285832wib.0.2012.11.30.05.33.35 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 30 Nov 2012 05:33:36 -0800 (PST) Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\)) Subject: Re: pfctl -s rules From: Fleuriot Damien In-Reply-To: Date: Fri, 30 Nov 2012 14:33:34 +0100 Message-Id: References: <49BF4308335C496593D1D7C82391C805@yahoo.com> <50B8A47E.8060604@yahoo.com.br> <9A9FCC5B-CAB2-4EF6-A0FD-2356D9997658@my.gd> <50B8A92C.5090500@yahoo.com.br> <983A61AAA3A744F78601A2488F54CF85@yahoo.com> <02387299-5EC3-47B7-B1CA-27F36A947D85@my.gd> To: Laszlo Danielisz X-Mailer: Apple Mail (2.1499) X-Gm-Message-State: ALoCoQlyu/Z9k82bM8Gz4Idap6LkbwL0sc90QqszSAaCoDH0eK+L+pp7EOIWcQsDLHFR7c+ltxv1 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Nov 2012 13:33:39 -0000 -P Enjoy. On Nov 30, 2012, at 2:30 PM, Laszlo Danielisz = wrote: > Good idea, let me check. 
> One more thing, while pfctl -vnf /etc/pf.conf how can I list the port numbers instead of the protocol?
>
> ex:
> pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
>
> I want to see port = 21 instead of port = ftp
>
> -- 
> Laszlo Danielisz
> Sent with Sparrow
>
> On 2012 November 30 Friday at 2:20 PM, Fleuriot Damien wrote:
> [...]

From owner-freebsd-pf@FreeBSD.ORG Fri Nov 30 13:50:38 2012
Date: Fri, 30 Nov 2012 14:48:12 +0100
From: Laszlo Danielisz
To: Fleuriot Damien
Cc: freebsd-pf@freebsd.org
Message-ID: <687B3117BBB54AF88DB70806673879A5@yahoo.com>
Subject: Re: pfctl -s rules

Thank you!

On 2012 November 30 Friday at 2:33 PM, Fleuriot Damien wrote:
> -P
>
> Enjoy.
>
> On Nov 30, 2012, at 2:30 PM, Laszlo Danielisz wrote:
> > Good idea, let me check.
> > One more thing, while pfctl -vnf /etc/pf.conf how can I list the port numbers instead of the protocol?
> > [...]

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 1 07:47:02 2012
Subject: Re[2]: pfctl -s rules
In-Reply-To: <02387299-5EC3-47B7-B1CA-27F36A947D85@my.gd>
To: freebsd-pf@freebsd.org
From: "wishmaster"
Date: Sat, 01 Dec 2012 09:31:49 +0200
Message-Id: <63585.1354347109.8822055014311788544@ffe12.ukr.net>

> It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).

This issue can be avoided by enclosing the iface's name in parentheses. Like this:

pass in quick on tun0 inet proto tcp from any to (tun0) port ...

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 1 14:27:46 2012
Date: Sat, 1 Dec 2012 15:27:36 +0100
From: Laszlo Danielisz
To: freebsd-pf@freebsd.org
Message-ID: <33ED1440B7AE4229B166A4CE4C131DF6@yahoo.com>
Subject: pf rules vs DHCP

Hi Everybody,

Today I just found out that my pf rules are not loaded on boot if I configure my machine's interface with DHCP; in case I go with the IP address set up on boot in rc.conf, everything works properly.
Has any of you met this issue before?
-- 
Laszlo Danielisz
Sent with Sparrow

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 1 21:29:51 2012
Message-ID: <50BA76CE.6060604@FreeBSD.org>
Date: Sat, 01 Dec 2012 22:29:50 +0100
From: Dimitry Andric
Organization: The FreeBSD Project
To: Laszlo Danielisz
Cc: freebsd-pf@freebsd.org
Subject: Re: pf rules vs DHCP
In-Reply-To: <33ED1440B7AE4229B166A4CE4C131DF6@yahoo.com>

On 2012-12-01 15:27, Laszlo Danielisz wrote:
> Today I just found out that my pf rules are not loaded on boot if I configure my machine's interface with DHCP, in case I go with the IP address set up on boot in rc.conf everything works properly.

You forgot to attach your pf.conf. :-)

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 1 23:04:20 2012
Date: Sat, 1 Dec 2012 18:04:19 -0500
From: Kevin Wilcox
To: Laszlo Danielisz
Cc: freebsd-pf@freebsd.org
Subject: Re: pf rules vs DHCP
In-Reply-To: <33ED1440B7AE4229B166A4CE4C131DF6@yahoo.com>

On Dec 1, 2012 3:55 PM, "Laszlo Danielisz" wrote:
>
> Hi Everybody,
>
> Today I just found out that my pf rules are not loaded on boot if I configure my machine's interface with DHCP

If you use your interface in your rules, for example,

pass in on em0

then you can tell pf to adapt to a changing IP on that interface with

pass in on (em0)

This works for interfaces with DHCP-provided addresses but introduces some ambiguity.

kmw
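Added example, not code from anyone in this thread: a small sh/awk lint that scans a pf.conf for the two load-time dependencies raised above, a bare interface name used as an address (the tun0 versus (tun0) point from wishmaster, and the em0 versus (em0) point from Kevin, which is also Laszlo's DHCP case) and a hostname that needs DNS before pf starts (Damien's FQDN point). The function name, the sample ruleset in the test, and the caller-supplied list of statically configured interfaces are all constructed for the example.

```shell
#!/bin/sh
# Load-time lint for pf.conf (constructed example, not pfctl's own check).
# Assumes one rule per line and a caller-supplied list of interfaces whose
# addresses are set statically in rc.conf; anything else (a DHCP client,
# tun, gif) may carry no address yet when /etc/rc.d/pf loads the ruleset.
#
# pf_boot_lint CONF "IF1 IF2 ..."  -> one line per finding, exit 1 if any

pf_boot_lint() {
    awk -v static_ifaces="$2" '
    BEGIN {
        n = split(static_ifaces, a, " ")
        for (i = 1; i <= n; i++) fixed[a[i]] = 1
        warnings = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        for (i = 2; i <= NF; i++) {
            if ($(i - 1) != "from" && $(i - 1) != "to") continue
            tok = $i
            sub(/^!/, "", tok); sub(/,$/, "", tok)
            # (ifname): pf re-reads the address whenever it changes, so a
            # missing or DHCP-assigned address at load time is harmless.
            if (tok ~ /^\(/) continue
            name = tok; sub(/:.*$/, "", name)   # strip :network, :broadcast, :0
            if (name ~ /^[a-z]+[0-9]+$/ && !(name in fixed)) {
                # bare interface name: pfctl expands it to the addresses the
                # interface has right now; none yet means the load fails
                printf("%s:%d: %s expanded at load time, write (%s) instead\n", FILENAME, NR, tok, tok)
                warnings++
            } else if (tok ~ /^[A-Za-z][A-Za-z0-9-]*(\.[A-Za-z0-9-]+)+$/) {
                # hostname: needs DNS, which is not up when pf starts at boot
                printf("%s:%d: hostname %s must resolve when the rules load\n", FILENAME, NR, tok)
                warnings++
            }
        }
    }
    END { exit (warnings > 0) }' "$1"
}

# Stand-alone use on a FreeBSD box (hypothetical invocation):
#   sh pf_boot_lint.sh /etc/pf.conf "em0 lo0"
if [ -n "${1:-}" ]; then
    pf_boot_lint "$1" "${2:-}"
fi
```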