From owner-freebsd-pf@FreeBSD.ORG  Mon Dec 15 10:56:08 2014
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 62CF9378
 for <freebsd-pf@freebsd.org>; Mon, 15 Dec 2014 10:56:08 +0000 (UTC)
Received: from nm37-vm2.bullet.mail.bf1.yahoo.com
 (nm37-vm2.bullet.mail.bf1.yahoo.com [72.30.238.202])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id E6FC3AC9
 for <freebsd-pf@freebsd.org>; Mon, 15 Dec 2014 10:56:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1418640959; bh=Il5738Klg9O50pobLcMUuroAPep5Az0MUn06bWyaLoo=;
 h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject;
 b=sVu8+uiJDOVbpBMKoZ0JXH49HgLgA1WQqHz1KPnXaGQZgkw5Ko87bhQGxStfuHIfm0KljhLHagX979aO3Ecc88X3V2+bpbMqd+tad6l4t2sP9JdUXlyNNud5dc+K3lk/2fvQVdE6bw39tLiEp5Og+BjtQhT4p5iPY/FQKcQcXlwIVTat17I1MOMR8mcCxJEuYqD/HTKRkyhQbZ7fvBce7yjPm3fLCJtaqPyUYxlF0xyH50DP97XpzgU3dOcgUN9BXhIHkvGOiTteZksd1ilXpRNjWeYRG2/T2dOa7Et8MBkfZpxXwpcOmaA2Vn87koG+8pZPyPzHA2sSKxmYNAZmcA==
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s2048; d=yahoo.com;
 b=G3gkNdiNqKRhTuy8uY2Nry94KC0qpTIeYJ38gk98F6N0edhyq3c5QZ3pPttU88W1q069+q6cVdW6gLHTpPmSy0FBmxbaUnZpjUwzGDr4VqRj/6aNPuEPsvP7F0LAgyoZrnmJRvDju2SX03NFwtbUchLA8F/vxTRAuKwQ/v6xs42sSdiKhy/iL7xaid8tsIJHsIvkIVErB7nxoMfNzwvscbYqJwDIwjzkw8BLJRd4GXEgMFDpDpLCtpVLnrbGW11ahFd8Qi+0pUgqNSek0oiBVPl8ts0q7kk2a2O6bzGpvifSw39PXIe0D+wRZ6GTJVVr7m6GdP/eaFH5fcVT9iUbFQ==;
Received: from [66.196.81.174] by nm37.bullet.mail.bf1.yahoo.com with NNFMP;
 15 Dec 2014 10:55:59 -0000
Received: from [98.139.215.248] by tm20.bullet.mail.bf1.yahoo.com with NNFMP;
 15 Dec 2014 10:55:59 -0000
Received: from [127.0.0.1] by omp1061.mail.bf1.yahoo.com with NNFMP;
 15 Dec 2014 10:55:59 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 516961.15250.bm@omp1061.mail.bf1.yahoo.com
X-YMail-OSG: abunZaEVM1kwjJIGvxLi1d0YIZogVRrpRYjxp78zfU6wIx7e.zKAHHFwHfc7F9g
 WjTjgc9QZkCjas5j5oWOaD9lQNML.xeAMd7CwhPESV70D_z4DHQtmUID8mHYp2IBbbX49oiS3acA
 jja.MwLNfZMTODjtpAAu3eKLSIRvdSYBbZ8whXPSbvqw.aAiKre9PxAzQ5O_T0unR7Qf1mYuSa8e
 ps4WpPg5SOA002YFMaPB6G0Laze.ImYH7cHHSX0WaicTBo_heH57AsyFQa9Bfp_RgTcAt1pNQnPA
 TmLsEIV1tjbBe7xmumui0jTBbce8zIMsK7iNkA63ESnPY_jrP4yj3JRuj55TLERndfdI9AeQhZ2Q
 HBYICfi5nuYg_icCroFQYUGLsMy_qpVJZagdgoRcoq_EbV.H_C0wu_fYPsQR2FptMZ5rxbNOWlE4
 WNIwy3IOe958Qa9QzB66qkdWMXj8aRvktWwgBUnrrr5ncxJTxW1HWykhfthl6gO46kpvNIKwGWHZ
 QikNvFWAIzda1um0-
Received: by 76.13.26.159; Mon, 15 Dec 2014 10:55:59 +0000 
Date: Mon, 15 Dec 2014 10:55:58 +0000 (UTC)
From: Laszlo Danielisz <laszlo.danielisz@yahoo.com>
Reply-To: Laszlo Danielisz <laszlo.danielisz@yahoo.com>
To: =?UTF-8?Q?Ask_Bj=C3=B8rn_Hansen?= <ask@develooper.com>, 
 "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Message-ID: <2145096021.191695.1418640958794.JavaMail.yahoo@jws106147.mail.bf1.yahoo.com>
In-Reply-To: <EE9008FF-6507-4796-B251-F599A04DAA10@develooper.com>
References: <28FA3DD9-0B7D-4C41-831D-D12DCB4BAB69@develooper.com>
 <EE9008FF-6507-4796-B251-F599A04DAA10@develooper.com>
Subject: Re: pfctl: DIOCADDRULE: Operation not supported by device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Dec 2014 10:56:08 -0000

Hi,
What do you mean be "clean rc.conf"?I'm facing this issue as well:=C2=A0pfc=
tl: DIOCGETRULES: Permission denied=C2=A0using 10.1-RELEASE
Thank you!
=20

     On Thursday, November 24, 2011 9:16 AM, Ask Bj=C3=B8rn Hansen <ask@dev=
elooper.com> wrote:
  =20

=20
On Nov 23, 2011, at 17:02, Ask Bj=C3=B8rn Hansen wrote:

> Hi everyone,
>=20
> After upgrading to 9.0 my NanoBSD images stopped supporting pf.=C2=A0 I g=
et errors like:
>=20
> pfctl: DIOCGETRULES: Permission denied
> pfctl: DIOCADDRULE: Operation not supported by device


Hmpfr - booting with a clean rc.conf (and a slightly newer build) it works =
fine.=C2=A0 I wonder if my /usr/src was out of date in some spectacular way=
 when I made the first build.


Ask_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

   
From owner-freebsd-pf@FreeBSD.ORG  Tue Dec 16 13:10:38 2014
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 768C89A2
 for <freebsd-pf@freebsd.org>; Tue, 16 Dec 2014 13:10:38 +0000 (UTC)
Received: from pi.nmdps.net (pi.nmdps.net [IPv6:2a01:be00:10:201:0:80:0:1])
 by mx1.freebsd.org (Postfix) with ESMTP id 3CF981ECA
 for <freebsd-pf@freebsd.org>; Tue, 16 Dec 2014 13:10:37 +0000 (UTC)
Received: from pi.nmdps.net (pi.nmdps.net [109.61.102.5])
 (Authenticated sender: krichy@cflinux.hu)
 by pi.nmdps.net (Postfix) with ESMTPSA id 7C51E17DA
 for <freebsd-pf@freebsd.org>; Tue, 16 Dec 2014 14:10:28 +0100 (CET)
Date: Tue, 16 Dec 2014 14:10:28 +0100 (CET)
From: Richard Kojedzinszky <krichy@cflinux.hu>
X-X-Sender: krichy@pi.nmdps.net
To: freebsd-pf@freebsd.org
Subject: synproxy on out rule
Message-ID: <alpine.BSF.2.00.1412161407270.92974@pi.nmdps.net>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Dec 2014 13:10:38 -0000

Dear pf gurus,

I am going to setup a redundant pf+carp setup as described, and found that 
with my simple pf.conf the tcp sessions are not proxied well with pf. I am 
using bsd router project, which is freebsd based. My simple pf.conf:

---
scrub all

set skip on {lo0, re0}

#pass in quick on { re0 }

pass out quick proto {icmp, icmp6, ospf}

pass quick on { re2 } keep state (no-sync)

pass quick on { re1 } proto carp keep state (no-sync)

anchor out quick on { re1 } {
     pass quick proto tcp from any to any port {22, 5001} synproxy state
     block drop log
}
---

If i reorder the rules so that the synproxy state line matches on an "in" 
rule, proxying works, but for me it seems with "out" rules it does not.

Or I do something wrong.

It is 10.1-RELEASE.

Any advice?

Kojedzinszky Richard