From: Dave Horsfall
To: FreeBSD PF List
Date: Mon, 3 Nov 2014 20:13:04 +1100 (EST)
Subject: Re: Getting tables to work in PF

On Mon, 3 Nov 2014, Ermal Luçi wrote:

> Probably you forgot to clear the states!

I was under the impression that "state" applied to "keep state" i.e.
outgoing connections.

Nonetheless:

aneurin# pfctl -s state
No ALTQ support in kernel
ALTQ related functions disabled
aneurin# pfctl -F s
No ALTQ support in kernel
ALTQ related functions disabled
0 states cleared
aneurin#

Still not blocking, and still not logging any such blocks. Got a working
example that I can use?

Do remember that I even blocked all incoming SMTP as a test, hence my
question as to whether PF was actually working here.

Also don't forget my other observation that wasn't created
until I did so by hand.

-- 
Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)

From: Ermal Luçi
To: Dave Horsfall
Cc: FreeBSD PF List
Date: Mon, 3 Nov 2014 11:04:04 +0100
Subject: Re: Getting tables to work in PF

On Mon, Nov 3, 2014 at 10:13 AM, Dave Horsfall wrote:

> On Mon, 3 Nov 2014, Ermal Luçi wrote:
>
> > Probably you forgot to clear the states!
>
> I was under the impression that "state" applied to "keep state" i.e.
> outgoing connections.
>
> Nonetheless:
>
> aneurin# pfctl -s state
> No ALTQ support in kernel
> ALTQ related functions disabled
> aneurin# pfctl -F s
> No ALTQ support in kernel
> ALTQ related functions disabled
> 0 states cleared
> aneurin#
>

Well there are two things needed from your side:
- Full ruleset if you can disclose
- Make sure with output of pfctl -s all that pf is actually enabled to do
  filtering on packets.
NOTE: You enable pf by running pfctl -e

>
> Still not blocking, and still not logging any such blocks. Got a working
> example that I can use?
>
> Do remember that I even blocked all incoming SMTP as a test, hence my
> question as to whether PF was actually working here.
>
> Also don't forget my other observation that wasn't created
> until I did so by hand.
>
> --
> Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
> http://www.horsfall.org/spam.html (and check the home page whilst you're
> there)
>

-- 
Ermal
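
The checks requested in the reply above, together with the table and logging symptoms from the original report, as an added example that is not from either poster: it runs over the text of `pfctl -s info`, `pfctl -s Tables` and `pfctl -s rules`. The table name `blocked`, the interface `em0` and the sample output are constructed assumptions, since the thread does not show the real ruleset.

```shell
#!/bin/sh
# Triage for "a block rule on a pf table is not blocking or logging".
# Each check reads the text of a pfctl command, so it also runs offline.
# Assumptions: table name "blocked", interface em0; sample output is constructed.

pf_enabled()   { grep -q '^Status: Enabled'; }   # stdin: pfctl -s info
table_loaded() { grep -qx -- "$1"; }             # stdin: pfctl -s Tables
block_rule()   { grep -- "^block .*<$1>"; }      # stdin: pfctl -s rules

# diagnose INFO TABLES RULES TABLE
# Prints the first failed check and returns its number (0 = all passed).
diagnose() {
    printf '%s\n' "$1" | pf_enabled || {
        echo "pf is disabled; enable it with pfctl -e"; return 1; }
    printf '%s\n' "$2" | table_loaded "$4" || {
        echo "table <$4> is not loaded"; return 2; }
    rule=$(printf '%s\n' "$3" | block_rule "$4") || {
        echo "no block rule references <$4>"; return 3; }
    case $rule in
        *" log "*) echo "ok" ;;
        *) echo "block rule for <$4> lacks the log keyword"; return 4 ;;
    esac
}

# Constructed sample output in the format pfctl prints.
SAMPLE_INFO='Status: Enabled for 0 days 00:05:10           Debug: Urgent'
SAMPLE_TABLES='blocked'
SAMPLE_RULES='block drop in log quick on em0 from <blocked> to any
pass out all flags S/SA keep state'

# On a pf host (as root) use live output, otherwise the samples above.
if command -v pfctl >/dev/null 2>&1; then
    diagnose "$(pfctl -s info 2>/dev/null)" "$(pfctl -s Tables 2>/dev/null)" \
             "$(pfctl -s rules 2>/dev/null)" blocked || :
else
    diagnose "$SAMPLE_INFO" "$SAMPLE_TABLES" "$SAMPLE_RULES" blocked
fi
```

A return of 2 corresponds to the table not existing until it is created by hand; a return of 4 means packets may be dropped without anything reaching the pf log.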