Re: Big problems with PF on freeBSD 6.2
Tim T Bos wrote:
> Hi Erik,
>
> I used a GENERIC kernel as well as a custom kernel. Both have the same behavior. I even tried a default install without any extra boot options. On FreeBSD 5.5 I didn't have this problem. I'm going to try to log all actions. I must be doing something seriously wrong.

I think it is probably just a typo that you've gone blind to. I suggest you stick with the GENERIC kernel until you have things figured out; that way we all know what you're talking about.

There should be no loading of pf related modules in your loader.conf. In rc.conf you should have:

    # Packet Filter
    pf_enable=YES
    pf_rules=/etc/pf.conf
    pflog_enable=YES
    pflog_logfile=/var/log/pflog

You should not have any of the firewall_ options set; those apply to ipfw.

Then make a simple rule set:

    # Default action (this rule will never match)
    block log all

    # Your pass rules go here

    # Catch anything that falls through here:
    block log quick all

The last rule is obviously not needed, but I like to have it just in case there is something I missed.

Do

    # tcpdump -n -e -ttt -i pflog0

to watch live what happens (make sure that pflog is up and running).

Cheers, Erik

-- 
Ph: +34.666334818
web: http://www.locolomo.org
Big problems with PF on freeBSD 6.2
Hi Guys,

I have a problem with PF. Normally when I load pf.ko it uses deny all as default. But if I compile it into the kernel or load it as a module, both won't work. If I have only one rule, block all or block all on ext_if, I can still go on the internet, and if I portscan my computer I get most ports closed and some ports filtered by my ISP (137, 139 and some other MS ports). I tried a clean install of FreeBSD 6.2 with the latest stable source as well. I have had this problem since I changed ISP. Can you please help me out, because I'd love to use my BSD box again...

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Big problems with PF on freeBSD 6.2
Tim T Bos wrote:
> Hi Guys,
>
> I have a problem with PF. Normally when I load pf.ko it uses deny all as default. But if I compile it into the kernel or load it as a module, both won't work. If I have only one rule, block all or block all on ext_if, I can still go on the internet, and if I portscan my computer I get most ports closed and some ports filtered by my ISP (137, 139 and some other MS ports). I tried a clean install of FreeBSD 6.2 with the latest stable source ass well.

you mean as well :)

Do you use a GENERIC kernel? If you have a custom kernel or try to set special options for pf, post those options. Also, post any boot options that toggle pf behaviour.

The default behaviour of pf is pass all; I don't remember if there is a boot option or similar to change this. But anyway, I think it is better to go with the default and set your desired default action explicitly as the first rule in your rule set.

Try a GENERIC kernel and see if packets are blocked correctly by a block log all rule. In any case, you should add log to your rules for debugging, so you can see if the ruleset is matched and where packets are blocked or passed.

Cheers, Erik

-- 
Ph: +34.666334818
web: http://www.locolomo.org
Re: Big problems with PF on freeBSD 6.2
Hi Erik,

I used a GENERIC kernel as well as a custom kernel. Both have the same behavior. I even tried a default install without any extra boot options. On FreeBSD 5.5 I didn't have this problem. I'm going to try to log all actions. I must be doing something seriously wrong.

Thanks anyway

Erik Norgaard wrote:
> Tim T Bos wrote:
> > Hi Guys,
> >
> > I have a problem with PF. Normally when I load pf.ko it uses deny all as default. But if I compile it into the kernel or load it as a module, both won't work. If I have only one rule, block all or block all on ext_if, I can still go on the internet, and if I portscan my computer I get most ports closed and some ports filtered by my ISP (137, 139 and some other MS ports). I tried a clean install of FreeBSD 6.2 with the latest stable source ass well.
>
> you mean as well :)
>
> Do you use a GENERIC kernel? If you have a custom kernel or try to set special options for pf, post those options. Also, post any boot options that toggle pf behaviour.
>
> The default behaviour of pf is pass all; I don't remember if there is a boot option or similar to change this. But anyway, I think it is better to go with the default and set your desired default action explicitly as the first rule in your rule set.
>
> Try a GENERIC kernel and see if packets are blocked correctly by a block log all rule. In any case, you should add log to your rules for debugging, so you can see if the ruleset is matched and where packets are blocked or passed.
>
> Cheers, Erik
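The following script is an added example, not code from the thread or from FreeBSD itself. It packages the advice from Erik's two replies (an explicit default block as the first rule, pf_enable/pf_rules/pflog_enable in rc.conf, no firewall_ options, watching pflog0) into a few checks that separate "the rule set is wrong" from "pf is loaded but not enabled or never got the rule set". Assumptions not in the thread: the interface macro ext_if (set to a constructed value, em0), the SSH pass rule, the PF_SANITY_LIVE environment flag that gates the live pfctl calls, and the "Status: Enabled" line that pfctl -s info prints.

```shell
#!/bin/sh
# pf_sanity.sh: added example for the "block all, yet traffic still passes" symptom.
# Assumes the FreeBSD 6.x rc.conf / pf.conf layout and pfctl's "Status:" line.

# Rule set in the shape Erik describes: one explicit default block first,
# then the pass rules. pf applies the LAST matching rule unless a rule says
# "quick", so the pass rules carry quick and nothing is placed after them.
pf_ruleset() {
    cat <<'EOF'
ext_if = "em0"          # constructed value: set this to your external interface
set skip on lo0

# Default action: anything not passed explicitly below is dropped and logged
block log all

# Outbound from this host, stateful so replies are let back in
pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any keep state
pass out quick on $ext_if proto icmp from ($ext_if) to any keep state

# Inbound: only what you intend to serve (assumed example: SSH)
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 keep state
EOF
}

# rc_conf_ok FILE: return 0 when FILE enables pf and does not enable ipfw.
# Reads shell-style KEY=VALUE lines; quotes around the value are tolerated.
rc_conf_ok() {
    _f="$1"
    _pf=$(sed -n 's/^pf_enable=["]*\([A-Za-z]*\)["]*.*/\1/p' "$_f" | tail -n 1)
    _fw=$(sed -n 's/^firewall_enable=["]*\([A-Za-z]*\)["]*.*/\1/p' "$_f" | tail -n 1)
    case "$_pf" in
        [Yy][Ee][Ss]) ;;
        *) echo "rc.conf: pf_enable is not YES, so pf is never enabled at boot" >&2; return 1 ;;
    esac
    case "$_fw" in
        [Yy][Ee][Ss]) echo "rc.conf: firewall_enable=YES configures ipfw, not pf" >&2; return 1 ;;
    esac
    return 0
}

# pf_enabled_from_info: read `pfctl -s info` output on stdin, return 0 when
# pf is enabled. A loaded pf.ko whose status is Disabled passes all traffic,
# whatever pf.conf says, which matches the symptom in the thread.
pf_enabled_from_info() {
    grep -q '^Status: Enabled'
}

# Live checks, only when pfctl exists (FreeBSD) and the caller asks for them.
if command -v pfctl >/dev/null 2>&1 && [ "${PF_SANITY_LIVE:-0}" = 1 ]; then
    rc_conf_ok /etc/rc.conf || exit 1
    _tmp=$(mktemp)
    pf_ruleset > "$_tmp"
    pfctl -nf "$_tmp" || exit 1              # syntax check only; nothing is loaded
    rm -f "$_tmp"
    pfctl -s info | pf_enabled_from_info \
        || echo "pf is loaded but not enabled: run pfctl -e" >&2
    pfctl -s rules                           # confirm the loaded rules are the ones you think
    echo "watch decisions live with: tcpdump -n -e -ttt -i pflog0"
fi
```

Run it as PF_SANITY_LIVE=1 sh pf_sanity.sh on the box; without the flag it only defines the functions, so the checks can be exercised against constructed rc.conf and pfctl output elsewhere. Two points worth keeping in mind when adapting the rule set: pf evaluates every rule and applies the last one that matched, so a trailing catch-all block without quick on the pass rules above it would override those passes, and pfctl -s info reporting Status: Disabled explains a "block all" that blocks nothing far more often than a kernel difference does.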