Date:      Fri, 30 Nov 2012 14:33:34 +0100
From:      Fleuriot Damien <ml@my.gd>
To:        Laszlo Danielisz <laszlo_danielisz@yahoo.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pfctl -s rules
Message-ID:  <D6CB4D50-A7E1-443B-A856-2FA755C835D1@my.gd>
In-Reply-To: <DEC30EB90D47450BABAC296B4C2C11E9@yahoo.com>
References:  <49BF4308335C496593D1D7C82391C805@yahoo.com> <FE4E0127-F5A8-49C4-9BE3-814DAC35329A@my.gd> <50B8A47E.8060604@yahoo.com.br> <9A9FCC5B-CAB2-4EF6-A0FD-2356D9997658@my.gd> <50B8A92C.5090500@yahoo.com.br> <983A61AAA3A744F78601A2488F54CF85@yahoo.com> <02387299-5EC3-47B7-B1CA-27F36A947D85@my.gd> <DEC30EB90D47450BABAC296B4C2C11E9@yahoo.com>

-P

Enjoy.


On Nov 30, 2012, at 2:30 PM, Laszlo Danielisz <laszlo_danielisz@yahoo.com> wrote:

> Good idea, let me check.
> One more thing, while pfctl -vnf /etc/pf.conf how can I list the port numbers instead of the protocol?
>
> ex:
> pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
>
> I want to see port = 21 instead of port = ftp
>
> --
> Laszlo Danielisz
> Sent with Sparrow
>
> On 2012 November 30 Friday at 2:20 PM, Fleuriot Damien wrote:
>
>> It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).
>>
>> There's also the chance your rules contain a fully qualified domain name, say example.com
>> PF tries to load its rules, DNS resolution is not up yet, FQDN fails to resolve to anything meaningful, rules fail to load.
>>
>> Review your rules for any non-physical interfaces (tun, gif) and domain names.
>>
>>
>> On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz <laszlo_danielisz@yahoo.com> wrote:
>>
>>> Thank you very much for your help!
>>>
>>> pf is loaded to the kernel:
>>> ktulu# kldstat|grep pf
>>> 38    1 0xc4b41000 3000     pflog.ko
>>> 39    1 0xc4b44000 35000    pf.ko
>>>
>>> and pfctl -vnf /etc/pf.conf did work, though I don't want to paste here the whole result :)
>>>
>>> Here is the output of grep
>>>
>>> ktulu# grep pf /etc/rc.conf
>>> #pf
>>> pf_enable="YES"
>>> pf_rules="/etc/pf.conf"
>>> pf_flags=""
>>> pflog_enable="YES"
>>> pflog_logfile="/var/log/pflog"
>>> pflog_flags=""
>>>
>>> I wonder why it doesn't start at boot time?
>>> --
>>> Laszlo Danielisz
>>> Sent with Sparrow
>>>
>>> On 2012 November 30 Friday at 1:40 PM, Tiago Felipe wrote:
>>>
>>>> On 11/30/2012 10:23 AM, Fleuriot Damien wrote:
>>>>> On Nov 30, 2012, at 1:20 PM, Tiago Felipe <tfgoncalves@yahoo.com.br> wrote:
>>>>>
>>>>>> On 11/30/2012 09:02 AM, Fleuriot Damien wrote:
>>>>>>> On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz <laszlo_danielisz@yahoo.com> wrote:
>>>>>>>
>>>>>>>> Hi Everybody,
>>>>>>>>
>>>>>>>> Recently I've discovered the following issue: I can't display my firewall's rules, and the firewall is enabled.
>>>>>>>> Take a look at what is happening:
>>>>>>>>
>>>>>>>> ktulu# pfctl -s rules
>>>>>>>> No ALTQ support in kernel
>>>>>>>> ALTQ related functions disabled
>>>>>>>> ktulu# pfctl -e
>>>>>>>> No ALTQ support in kernel
>>>>>>>> ALTQ related functions disabled
>>>>>>>> pfctl: pf already enabled
>>>>>>>>
>>>>>>>> ktulu# uname -a
>>>>>>>> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>>>>>>>>
>>>>>>>> Do you have any idea why I can not see them?
>>>>>>>>
>>>>>>>> Thx!
>>>>>>>> Laszlo
>>>>>>>
>>>>>>> Actually, I believe you can see your rules, all the 0 of them.
>>>>>>>
>>>>>>> Try pfctl -nf /etc/pf.conf
>>>>>>>
>>>>>>> See if you have an error when loading the rules, that would explain it all.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> freebsd-pf@freebsd.org mailing list
>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>>>> # pfctl -s all
>>>>>>
>>>>>> the device is loaded?
>>>>>>
>>>>>> # kldload pf.ko
>>>>>>
>>>>>> or recompile the kernel
>>>>>>
>>>>>> device pf
>>>>>> device pflog
>>>>>> device pfsync
>>>>>>
>>>>>> after that reload the rules with # pfctl -nf /etc/pf.conf and see if something changes.
>>>>>>
>>>>>> sorry, my english sux.
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Tiago Felipe Gonçalves.
>>>>>> IT Infrastructure Manager.
>>>>>> +55 19 99196494
>>>>>
>>>>> His pfctl -si shows pf is enabled so either the module loaded fine, or he has device pf in his kernel config.
>>>>>
>>>>> I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)
>>>>>
>>>>> Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules, the -n flag makes it only parse the rules and show errors.
>>>> sorry for my failure with -n flag, i've seen mistakes on small things, not cost check =]
>>>> but -nf will show errors, rc.conf will be useful and pfctl -s all give us a lot of info about.
>>>>
>>>> --
>>>> Regards,
>>>> Tiago.
>>>>
>>>
>>
>
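A pre-flight check for the two boot-time failure causes Damien names (rules on interfaces that do not exist yet, and host names that need DNS before it is up), written here as an added example that is not from this thread or from the pf project. It assumes the caller supplies the list of interfaces present at boot and never calls pfctl, so it runs on any host; the ruleset below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): lint a pf.conf for the two boot-time failure
# causes named above, rules on interfaces that do not exist yet (tun/gif) and host
# names that need DNS. Assumes the caller supplies the interfaces present at boot
# (on a live box: ifconfig -l); pfctl is never invoked, so this runs anywhere.

# Constructed sample ruleset containing both problems.
SAMPLE_PF_CONF='
ext_if = "em0"
set skip on lo0
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
pass in on tun0 inet proto udp from any to any port 1194   # openvpn, tun0 not up yet
block in on $ext_if from badhost.example.com to any
pass out on gif0 from 10.0.0.0/8 to 10.1.2.3
'

# missing_ifaces <pf.conf> "<existing interfaces>": interfaces named after "on"
# that are not in the list, one per line. Macros, groups and (if) forms are skipped.
missing_ifaces() {
    have=" $2 "
    awk '{ sub(/#.*/, "")
           for (i = 1; i < NF; i++)
               if ($i == "on" && $(i+1) !~ /^[${(]/) print $(i+1) }' "$1" \
    | sort -u | while read -r ifc; do
        case "$have" in
            *" $ifc "*) ;;        # present, pf can bind the rule
            *) echo "$ifc" ;;     # absent at boot, the ruleset would fail to load
        esac
    done
}

# dns_hosts <pf.conf>: names after "from"/"to" containing a letter that are not
# any/self, a macro, a table or an address, i.e. things pf must resolve at load.
dns_hosts() {
    awk '{ sub(/#.*/, "")
           for (i = 1; i < NF; i++)
               if ($i == "from" || $i == "to") print $(i+1) }' "$1" \
    | grep -E '^[A-Za-z0-9.-]*[A-Za-z][A-Za-z0-9.-]*$' | grep -Evx 'any|self' | sort -u
}

# check_pf_conf <pf.conf> "<existing interfaces>": print findings, fail if any.
check_pf_conf() {
    bad=$(missing_ifaces "$1" "$2"); hosts=$(dns_hosts "$1")
    [ -n "$bad" ]   && echo "interfaces not present at boot: $(echo $bad)"
    [ -n "$hosts" ] && echo "names needing DNS at load time: $(echo $hosts)"
    [ -z "$bad$hosts" ]   # unquoted echo above joins lines with spaces
}

tmp=$(mktemp); printf '%s\n' "$SAMPLE_PF_CONF" > "$tmp"
check_pf_conf "$tmp" "em0 lo0" || echo "fix these before pf_enable=\"YES\" at boot"; rm -f "$tmp"
```

Run it against the real /etc/pf.conf with `"$(ifconfig -l)"` as the second argument; it complements `pfctl -nf`, which only reports syntax, not what will be missing at boot.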



