Re: Big problems with PF on freeBSD 6.2

2007-02-11 Thread Erik Norgaard

Tim T Bos wrote:

> Hi Erik,
>
> I used a GENERIC kernel as well as a custom kernel.
> Both have the same behavior.
>
> I even tried a default install without any extra boot options.
>
> On FreeBSD 5.5 I didn't have this problem.
>
> I'm going to try to log all actions.
>
> I must do something seriously wrong.


I think it is probably just a typo that you've got blind to.

I suggest you stick with the GENERIC kernel until you have things 
figured out, that way we all know what you're talking about. There 
should be no loading of pf related modules in your loader.conf, in 
rc.conf you should have:


# Packet Filter
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

You should not have any of the firewall_ options set; these apply to ipfw.

Then make a simple rule set:

# Default action (this rule will never match)
block log all
# Your pass rules go here

# Catch up anything that falls through here:
block log quick all

The last rule is obviously not needed, but I like to have it just in 
case there is something I missed.


Do

# tcpdump -n -e -ttt -i pflog0

To watch live what happens (make sure that pflog is up and running).

Cheers, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org



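As an added illustration (not code from this thread, from FreeBSD or from pf itself), the following Python toy models the evaluation order that Erik's ruleset relies on: pf walks the rules top to bottom, the last matching rule wins, a matching `quick` rule ends evaluation immediately, and a packet that matches no rule at all passes (pf's default, which is why the explicit `block log all` sits first). It goes one step beyond the thread by showing what a trailing `block log quick all` does to non-quick pass rules above it. The parser handles only the few keywords used here (no macros, addresses or lists); the interface name `em0` and both rulesets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    iface: str                # interface the packet is seen on
    proto: str                # "tcp", "udp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    direction: str = "any"
    iface: str = "any"
    proto: str = "any"
    dst_port: Optional[int] = None
    quick: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port))


def parse_rule(line: str) -> Rule:
    """Parse a small pf.conf subset: pass|block [log] [quick] [in|out]
    [on IFACE] [proto PROTO] [from any] [to any] [port N] | all.
    Macros such as $ext_if, addresses and lists are deliberately unsupported."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("pass", "block"):
        raise ValueError(f"unsupported rule: {line!r}")
    kw = {"action": tokens[0]}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t in ("log", "quick"):
            kw[t] = True
        elif t in ("in", "out"):
            kw["direction"] = t
        elif t in ("on", "proto", "port"):
            i += 1                       # these keywords take one argument
            key = {"on": "iface", "proto": "proto", "port": "dst_port"}[t]
            kw[key] = int(tokens[i]) if t == "port" else tokens[i]
        elif t not in ("all", "any", "from", "to"):
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return Rule(**kw)


def load_ruleset(text: str) -> List[Rule]:
    """Build a ruleset from pf.conf-style text, skipping blank and # comment lines."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int], bool]:
    """pf semantics: walk the ruleset top to bottom; the last matching rule
    wins, and a matching `quick` rule ends evaluation on the spot.  With no
    matching rule the packet passes (pf's default behaviour).
    Returns (action, index of the deciding rule, whether that rule logs)."""
    action, winner, logged = "pass", None, False
    for i, r in enumerate(rules):
        if not r.matches(p):
            continue
        action, winner, logged = r.action, i, r.log
        if r.quick:
            break
    return action, winner, logged


# Constructed rulesets; "em0" is an assumed interface name, not from the thread.
# First: the structure from the thread, with a non-quick pass rule in the middle.
TRAILING_QUICK_BLOCK = """
# Default action, overridden by any later matching rule
block log all
# Pass rules
pass in on em0 proto tcp from any to any port 22
# Catch-all: quick, so it wins over every non-quick pass rule above it
block log quick all
"""

# Second: the same ruleset with the pass rule made quick, so it wins for SSH.
QUICK_PASS = TRAILING_QUICK_BLOCK.replace("pass in on em0", "pass in quick on em0")

SSH_IN = Packet("in", "em0", "tcp", 22)     # constructed sample packets
HTTP_IN = Packet("in", "em0", "tcp", 80)

if __name__ == "__main__":
    for name, text in (("trailing quick block", TRAILING_QUICK_BLOCK),
                       ("quick pass", QUICK_PASS)):
        rules = load_ruleset(text)
        for pkt in (SSH_IN, HTTP_IN):
            print(name, pkt.dst_port, evaluate(rules, pkt))
```

Running it shows the point the model is meant to make: with the first ruleset the SSH packet is decided by rule 2 (the trailing quick block) even though rule 1 passed it, while with `quick` on the pass rule the SSH packet is decided by rule 1 and evaluation stops there. Either way the logged decision is what `tcpdump -n -e -ttt -i pflog0` lets you confirm on a real box.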

Re: Big problems with PF on freeBSD 6.2

2007-02-10 Thread Tim T Bos
Hi Erik,

I used a GENERIC kernel as well as a custom kernel.
Both have the same behavior.

I even tried a default install without any extra boot options.

On FreeBSD 5.5 I didn't have this problem.

I'm going to try to log all actions.

I must do something seriously wrong.

Thanks anyway

Erik Norgaard wrote:
> Tim T Bos wrote:
>> Hi Guys,
>>
>> I have a problem with PF.  Normally when I load pf.ko it uses deny all
>> as default.
>> But if i compile it in the kernel or load it as a module both it
>> won't work.
>> If a have only one rule "block all" or "block all on ext_if" I can still
>> go on the internet and if I portscan my computer i get most ports closed
>> and some by my isp filtered ports (137 139 and some other MS ports).
>>
>> I tried a clean install of freebsd 6.2 with the latest  stable source
>> ass well.
>
> you mean "as well" :)
>
> Do you use a GENERIC kernel? If you have a custom kernel or try to set
> special options for pf post those options. Also, post any boot options
> that toggle pf behaviour.
>
> The default behaviour of pf is "pass all", I don't remember if there
> is a boot option or similar to change this.
>
> But anyway, I think it is better to go with the default and set your
> desired default action explicitly as the first rule in your rule set.
> Try a GENERIC kernel and see if packets are blocked correctly by a
> "block log all" rule.
>
> In any case, you should add "log" to your rules for debugging, so you
> can see if ruleset is matched and where packets are blocked or passed.
>
> Cheers, Erik
>


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Big problems with PF on freeBSD 6.2

2007-02-10 Thread Erik Norgaard

Tim T Bos wrote:

> Hi Guys,
>
> I have a problem with PF.  Normally when I load pf.ko it uses deny all
> as default.
> But if I compile it in the kernel or load it as a module both it won't work.
> If I have only one rule "block all" or "block all on ext_if" I can still
> go on the internet and if I portscan my computer I get most ports closed
> and some by my isp filtered ports (137 139 and some other MS ports).
>
> I tried a clean install of freebsd 6.2 with the latest  stable source
> ass well.


you mean "as well" :)

Do you use a GENERIC kernel? If you have a custom kernel or try to set 
special options for pf post those options. Also, post any boot options 
that toggle pf behaviour.


The default behaviour of pf is "pass all", I don't remember if there is 
a boot option or similar to change this.


But anyway, I think it is better to go with the default and set your 
desired default action explicitly as the first rule in your rule set. 
Try a GENERIC kernel and see if packets are blocked correctly by a 
"block log all" rule.


In any case, you should add "log" to your rules for debugging, so you 
can see if ruleset is matched and where packets are blocked or passed.


Cheers, Erik

--
Ph: +34.666334818  web: http://www.locolomo.org




Big problems with PF on freeBSD 6.2

2007-02-10 Thread Tim T Bos
Hi Guys,

I have a problem with PF.  Normally when I load pf.ko it uses deny all
as default.
But if i compile it in the kernel or load it as a module both it won't work.
If a have only one rule "block all" or "block all on ext_if" I can still
go on the internet and if I portscan my computer i get most ports closed
and some by my isp filtered ports (137 139 and some other MS ports).

I tried a clean install of freebsd 6.2 with the latest  stable source
ass well.

I have this problem since I changed ISP.

Can you please help me out because I love to use my BSD box again...




Re: problems with pf

2005-04-22 Thread Luke Dean

> Parse your rules without actually loading them:
> pfctl -n -f /etc/pf.conf
> Flush the old rules and load the new ones without rebooting:
> pfctl -F -f /etc/pf.conf
Gah!  I knew that didn't look right...
pfctl -F all -f /etc/pf.conf
Or check out "man pfctl" for other options.
Both are must-haves for tinkering with pf.


Re: problems with pf

2005-04-22 Thread Luke Dean

> I have read the manpage on pf but I am still stumped.  I get some error
> messages when starting up that say something like 'rule expands to no
> possible valid combination' or something to that effect.  If someone can tell
> me how I can find out what the error messages are when I boot I will post
> them.
Parse your rules without actually loading them:
pfctl -n -f /etc/pf.conf
Flush the old rules and load the new ones without rebooting:
pfctl -F -f /etc/pf.conf
Both are must-haves for tinkering with pf.


problems with pf

2005-04-22 Thread Brian John
Hello,
I have read the manpage on pf but I am still stumped.  I get some error 
messages when starting up that say something like 'rule expands to no 
possible valid combination' or something to that effect.  If someone can 
tell me how I can find out what the error messages are when I boot I 
will post them.

Here is my pf.conf:
ext_if="vr0"

altq on $ext_if cbq bandwidth 2Mb queue { web , p2p , ssh }
queue web bandwidth 40% priority 6 cbq(borrow)
queue ssh bandwidth 40% priority 6 cbq(borrow)
queue p2p bandwidth 20% cbq(borrow default)

pass in on $ext_if all
pass in on $ext_if from any to any port 22 queue(ssh)
pass in on $ext_if from any to any port 80 queue(web)
pass out on $ext_if all
pass out on $ext_if from any to any port 22 queue(ssh)
pass out on $ext_if from any to any port 80 queue(web)
Can someone please tell me what is wrong with my syntax?
Thanks!
/Brian


Re: problems with PF

2004-07-29 Thread Max Laier
On Thursday 29 July 2004 22:57, RJ45 wrote:
> hello,
> I configured PF for natting machines on my LAN
> using FreeBSD as ADSL gateway.
>
> I just write a simple rule
> nat on tun0 from 172.16.16.0/24 to any -> (tun0)
^^

> but NAT does not work, packets are blocked.
>
> ip forwarding is enabled
>
> using ipfilter works and packets are natted successfully with a simple rule
> the same as before:
>
> map tun0 172.16.16.0/24 -> tun0/32
>
>
> I am using PF on OpenBSD since the first time it was released
> so I am sure it is not a problem of my configuration (After all more
> than very simple)
> using PF on FreeBSD I noticed simply packets are not NATted.

Well they are, but to a wrong address or no address at all, depending on the 
state of tun0 upon loading the ruleset.

> I have to say I am using it on sparc64 FreeBSD 5.2.1 on ultra 60.
>
> anyone has some hints ?

Have you applied the dynamic address patches?
# cd /usr/ports/security/pf && make extract && cd work/pf_freebsd_2.03/patches
# less README
for details. Unless you did so, the "(ifname)" syntax will not work on 5.2.1R. 
As a workaround you can place a #pfctl -f  in your linkup script. 
Other than that, you might want to try a recent -current snapshot in order to 
build 3.5 pf (the port is still as of 3.4) out of the box. There you have all 
the fancy interface handling that comes with 3.5 (including dynamic addresses 
of course) and additionally there is ALTQ ;) Patches for hme(4) from Pyun 
YongHyeon are on http://people.freebsd.org/~mlaier/ALTQ_driver/ other driver 
patches upon request.
sparc64 should not be a problem for pf in general.

> maybe on i386 works who knows ?

Not with the dynamic address syntax, no.

-- 
/"\  Best regards,  | [EMAIL PROTECTED]
\ /  Max Laier  | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign  | Against HTML Mail and News




problems with PF

2004-07-29 Thread RJ45

hello,
I configured PF for natting machines on my LAN
using FreeBSD as ADSL gateway.

I just write a simple rule
nat on tun0 from 172.16.16.0/24 to any -> (tun0)

but NAT does not work, packets are blocked.

ip forwarding is enabled

using ipfilter works and packets are natted successfully with a simple rule
the same as before:

map tun0 172.16.16.0/24 -> tun0/32


I am using PF on OpenBSD since the first time it was released
so I am sure it is not a problem of my configuration (After all more
than very simple)
using PF on FreeBSD I noticed simply packets are not NATted.
I have to say I am using it on sparc64 FreeBSD 5.2.1 on ultra 60.

anyone has some hints ?

maybe on i386 works who knows ?

thanks

Rick

