Date:      Fri, 30 Nov 2012 14:48:12 +0100
From:      Laszlo Danielisz <laszlo_danielisz@yahoo.com>
To:        Fleuriot Damien <ml@my.gd>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pfctl -s rules
Message-ID:  <687B3117BBB54AF88DB70806673879A5@yahoo.com>
In-Reply-To: <D6CB4D50-A7E1-443B-A856-2FA755C835D1@my.gd>
References:  <49BF4308335C496593D1D7C82391C805@yahoo.com> <FE4E0127-F5A8-49C4-9BE3-814DAC35329A@my.gd> <50B8A47E.8060604@yahoo.com.br> <9A9FCC5B-CAB2-4EF6-A0FD-2356D9997658@my.gd> <50B8A92C.5090500@yahoo.com.br> <983A61AAA3A744F78601A2488F54CF85@yahoo.com> <02387299-5EC3-47B7-B1CA-27F36A947D85@my.gd> <DEC30EB90D47450BABAC296B4C2C11E9@yahoo.com> <D6CB4D50-A7E1-443B-A856-2FA755C835D1@my.gd>

Thank you!



On 2012 November 30 Friday at 2:33 PM, Fleuriot Damien wrote:

> -P
> 
> Enjoy.
> 
> 
> On Nov 30, 2012, at 2:30 PM, Laszlo Danielisz <laszlo_danielisz@yahoo.com> wrote:
> > Good idea, let me check.
> > One more thing, while pfctl -vnf /etc/pf.conf how can I list the port numbers instead of the protocol?
> > 
> > ex:
> > pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
> > 
> > I want to see port = 21 instead of port = ftp
> > 
> > -- 
> > Laszlo Danielisz
> > Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
> > 
> > 
> > On 2012 November 30 Friday at 2:20 PM, Fleuriot Damien wrote:
> > 
> > > It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).
> > > 
> > > There's also the chance your rules contain a fully qualified domain name, say example.com
> > > PF tries to load its rules, DNS resolution is not up yet, FQDN fails to resolve to anything meaningful, rules fail to load.
> > > 
> > > Review your rules for any non-physical interfaces (tun, gif) and domain names.
> > > 
> > > 
> > > On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz <laszlo_danielisz@yahoo.com> wrote:
> > > > Thank you very much for your help!
> > > > 
> > > > pf is loaded to the kernel:
> > > > ktulu# kldstat|grep pf
> > > > 38    1 0xc4b41000 3000     pflog.ko
> > > > 39    1 0xc4b44000 35000    pf.ko
> > > > 
> > > > 
> > > > and pfctl -vnf /etc/pf.conf did work, though I don't want to paste here the whole result :)
> > > > 
> > > > Here is the output of grep
> > > > 
> > > > ktulu# grep pf /etc/rc.conf
> > > > #pf
> > > > pf_enable="YES"
> > > > pf_rules="/etc/pf.conf"
> > > > pf_flags=""
> > > > pflog_enable="YES"
> > > > pflog_logfile="/var/log/pflog"
> > > > pflog_flags=""
> > > > 
> > > > 
> > > > I wonder why it doesn't start on boot time?
> > > > -- 
> > > > Laszlo Danielisz
> > > > Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
> > > > 
> > > > 
> > > > On 2012 November 30 Friday at 1:40 PM, Tiago Felipe wrote:
> > > > 
> > > > > On 11/30/2012 10:23 AM, Fleuriot Damien wrote:
> > > > > > On Nov 30, 2012, at 1:20 PM, Tiago Felipe <tfgoncalves@yahoo.com.br> wrote:
> > > > > > 
> > > > > > > On 11/30/2012 09:02 AM, Fleuriot Damien wrote:
> > > > > > > > On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz <laszlo_danielisz@yahoo.com> wrote:
> > > > > > > > 
> > > > > > > > > Hi Everybody,
> > > > > > > > > 
> > > > > > > > > Recently I've discovered the following issue: I can't display my firewall's rules, and the firewall is enabled.
> > > > > > > > > Take a look at what is happening:
> > > > > > > > > 
> > > > > > > > > ktulu# pfctl -s rules
> > > > > > > > > No ALTQ support in kernel
> > > > > > > > > ALTQ related functions disabled
> > > > > > > > > ktulu# pfctl -e
> > > > > > > > > No ALTQ support in kernel
> > > > > > > > > ALTQ related functions disabled
> > > > > > > > > pfctl: pf already enabled
> > > > > > > > > 
> > > > > > > > > ktulu# uname -a
> > > > > > > > > FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > Do you have any idea why I can not see them?
> > > > > > > > > 
> > > > > > > > > Thx!
> > > > > > > > > Laszlo
> > > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Actually, I believe you can see your rules, all the 0 of them.
> > > > > > > > 
> > > > > > > > Try pfctl -nf /etc/pf.conf
> > > > > > > > 
> > > > > > > > See if you have an error when loading the rules, that would explain it all.
> > > > > > > > 
> > > > > > > > _______________________________________________
> > > > > > > > freebsd-pf@freebsd.org mailing list
> > > > > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > > > > > > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> > > > > > > > 
> > > > > > > 
> > > > > > > # pfctl -s all
> > > > > > > 
> > > > > > > the device is loaded?
> > > > > > > 
> > > > > > > # kldload pf.ko
> > > > > > > 
> > > > > > > or recompile the kernel
> > > > > > > 
> > > > > > > device pf
> > > > > > > device pflog
> > > > > > > device pfsync
> > > > > > > 
> > > > > > > after that reload the rules with # pfctl -nf /etc/pf.conf and see if something changes.
> > > > > > > 
> > > > > > > sorry, my English sux.
> > > > > > > 
> > > > > > > -- 
> > > > > > > Regards,
> > > > > > > Tiago Felipe Gonçalves.
> > > > > > > IT Infrastructure Manager.
> > > > > > > +55 19 99196494
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > > His pfctl -si shows pf is enabled so either the module loaded fine, or he has device pf in his kernel config.
> > > > > > 
> > > > > > I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)
> > > > > > 
> > > > > > Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules, the -n flag makes it only parse the rules and show errors.
> > > > > Sorry for my failure with the -n flag; I've seen mistakes on small things, not cost check =]
> > > > > But -nf will show errors, rc.conf will be useful, and pfctl -s all gives us a lot of info about it.
> > > > > 
> > > > > -- 
> > > > > Regards,
> > > > > Tiago.
> > > > > 
> > > > > 
> > > > 
> > > > 
> > > 
> > 
> 
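
Damien's advice above, to review the rule set for non-physical interfaces and domain names that break loading at boot, as an added shell check that is not part of the thread: the interface prefixes it flags (tun, tap, gif, gre) and the sample rule set are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): scan a pf.conf for the two boot-time
# failure causes discussed above. Rules bound to interfaces a daemon creates
# later (tun, tap, gif, gre are assumed here) and from/to hostnames that need
# DNS. Prints one "LINE: reason" per finding; prints nothing for a clean file.
pf_rules_check() {
    awk '
    { sub(/#.*/, "") }                          # drop comments
    /^[[:space:]]*$/ { next }                   # skip blank lines
    {
        for (i = 1; i < NF; i++) {
            if ($i == "on" && $(i+1) ~ /^(tun|tap|gif|gre)[0-9]+$/)
                print NR ": interface " $(i+1) " may not exist when pf loads at boot"
            # a dotted token after from/to that is not an IPv4 address or CIDR
            if (($i == "from" || $i == "to") && $(i+1) ~ /\./ &&
                $(i+1) !~ /^[0-9.]+(\/[0-9]+)?$/)
                print NR ": hostname " $(i+1) " needs DNS, which may be down at boot"
        }
    }' "$1"
}

# Returns 0 when the file is clean, 1 when something needs review.
pf_rules_ok() {
    [ -z "$(pf_rules_check "$1")" ]
}

# Constructed sample rule set in the style of the rule quoted in the thread.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
ext_if = "em0"
# plain rule on a physical interface: fine
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
# rule on an OpenVPN interface that only exists once openvpn is running
pass in on tun0 inet proto udp from any to 10.8.0.1 port = 1194
# rule that needs name resolution at load time
block out on em0 proto tcp from any to example.com port = 80
EOF

pf_rules_check "$sample_conf"
```

Run it against the real /etc/pf.conf before trusting pf_enable at boot; a clean result still does not replace pfctl -nf, which catches syntax errors.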



