Re: Big problems with PF on freeBSD 6.2
Tim T Bos wrote:
> Hi Erik,
>
> I used a GENERIC kernel as well as a custom kernel. Both have the same behavior. I even tried a default install without any extra boot options. On FreeBSD 5.5 I didn't have this problem. I'm going to try to log all actions. I must do something seriously wrong.

I think it is probably just a typo that you've gone blind to. I suggest you stick with the GENERIC kernel until you have things figured out, that way we all know what you're talking about.

There should be no loading of pf related modules in your loader.conf, in rc.conf you should have:

# Packet Filter
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

You should not have any of the firewall_ options set, these apply to ipfw.

Then make a simple rule set:

# Default action (this rule will never match)
block log all

# Your pass rules go here

# Catch up anything that falls through here:
block log quick all

The last rule is obviously not needed, but I like to have it just in case there is something I missed.

Do

# tcpdump -n -e -ttt -i pflog0

to watch live what happens (make sure that pflog is up and running).

Cheers, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
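A small checker for the two things Erik's reply tells Tim to look at (ipfw knobs in rc.conf, pflog not enabled, no explicit logged default block at the top of pf.conf). This is an added example, not code from the thread; it runs on constructed sample files and assumes nothing beyond their contents.

```sh
#!/bin/sh
# Added example, not from the thread: checks an rc.conf/pf.conf pair for the
# pitfalls in Erik's reply (ipfw knobs set, pflog off, no explicit default block).

# check_pf_setup RC_CONF PF_CONF: returns 0 if the setup looks right,
# otherwise prints each finding and returns 1.
check_pf_setup() {
    rc="$1"; conf="$2"; status=0
    # rc.conf must enable pf and pflog ("log" rules are only visible on pflog0)
    for var in pf_enable pflog_enable; do
        if ! grep -Eq "^[[:space:]]*${var}=\"?YES\"?" "$rc"; then
            echo "rc.conf: ${var}=\"YES\" is missing"; status=1
        fi
    done
    # firewall_* knobs configure ipfw, not pf; their presence means a mixed-up setup
    if grep -Eq '^[[:space:]]*firewall_[A-Za-z_]*=' "$rc"; then
        echo "rc.conf: firewall_* settings found; those belong to ipfw, not pf"; status=1
    fi
    # pf passes everything by default, so the first filter rule should be a logged
    # block. Skip blank lines, comments, macros, options and queue/translation rules.
    first=$(grep -Ev '^[[:space:]]*$|^[[:space:]]*(#|[A-Za-z_]+=|set |altq |queue |nat |rdr |binat |scrub |table )' "$conf" \
            | sed 's/^[[:space:]]*//' | head -n 1)
    case "$first" in
        "block log"*) ;;
        block*) echo "pf.conf: default block lacks 'log'; tcpdump on pflog0 shows nothing"; status=1 ;;
        *) echo "pf.conf: first filter rule is not 'block log all'; default stays 'pass'"; status=1 ;;
    esac
    return $status
}

# write_samples DIR: constructed sample files, one sane pair and one broken pair
write_samples() {
    printf 'pf_enable="YES"\npf_rules="/etc/pf.conf"\npflog_enable="YES"\n' > "$1/rc.good"
    printf 'ext_if="vr0"\n# default action\nblock log all\npass out on $ext_if all\nblock log quick all\n' > "$1/pf.good"
    printf 'firewall_enable="YES"\npf_enable="YES"\n' > "$1/rc.bad"
    printf 'ext_if="vr0"\npass in on $ext_if all\nblock all\n' > "$1/pf.bad"
}

# Demo run on the constructed samples
d=$(mktemp -d); write_samples "$d"
check_pf_setup "$d/rc.good" "$d/pf.good" && echo "good pair: OK"
check_pf_setup "$d/rc.bad" "$d/pf.bad" || echo "bad pair: see findings above"
rm -r "$d"
```

Point it at the real /etc/rc.conf and /etc/pf.conf to run the same checks on a live box.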
Re: Big problems with PF on freeBSD 6.2
Hi Erik,

I used a GENERIC kernel as well as a custom kernel. Both have the same behavior. I even tried a default install without any extra boot options. On FreeBSD 5.5 I didn't have this problem. I'm going to try to log all actions. I must do something seriously wrong.

Thanks anyway

Erik Norgaard wrote:
> Tim T Bos wrote:
>> Hi Guys,
>>
>> I have a problem with PF. Normally when I load pf.ko it uses deny all as default. But if I compile it in the kernel or load it as a module both it won't work. If I have only one rule "block all" or "block all on ext_if" I can still go on the internet and if I portscan my computer I get most ports closed and some by my ISP filtered ports (137, 139 and some other MS ports).
>>
>> I tried a clean install of FreeBSD 6.2 with the latest stable source ass well.
>
> you mean "as well" :)
>
> Do you use a GENERIC kernel? If you have a custom kernel or try to set special options for pf post those options. Also, post any boot options that toggle pf behaviour.
>
> The default behaviour of pf is "pass all", I don't remember if there is a boot option or similar to change this.
>
> But anyway, I think it is better to go with the default and set your desired default action explicitly as the first rule in your rule set. Try a GENERIC kernel and see if packets are blocked correctly by a "block log all" rule.
>
> In any case, you should add "log" to your rules for debugging, so you can see if the ruleset is matched and where packets are blocked or passed.
>
> Cheers, Erik

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Big problems with PF on freeBSD 6.2
Tim T Bos wrote:
> Hi Guys,
>
> I have a problem with PF. Normally when I load pf.ko it uses deny all as default. But if I compile it in the kernel or load it as a module both it won't work. If I have only one rule "block all" or "block all on ext_if" I can still go on the internet and if I portscan my computer I get most ports closed and some by my ISP filtered ports (137, 139 and some other MS ports).
>
> I tried a clean install of FreeBSD 6.2 with the latest stable source ass well.

you mean "as well" :)

Do you use a GENERIC kernel? If you have a custom kernel or try to set special options for pf post those options. Also, post any boot options that toggle pf behaviour.

The default behaviour of pf is "pass all", I don't remember if there is a boot option or similar to change this.

But anyway, I think it is better to go with the default and set your desired default action explicitly as the first rule in your rule set. Try a GENERIC kernel and see if packets are blocked correctly by a "block log all" rule.

In any case, you should add "log" to your rules for debugging, so you can see if the ruleset is matched and where packets are blocked or passed.

Cheers, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
Big problems with PF on freeBSD 6.2
Hi Guys,

I have a problem with PF. Normally when I load pf.ko it uses deny all as default. But if I compile it in the kernel or load it as a module both it won't work. If I have only one rule "block all" or "block all on ext_if" I can still go on the internet and if I portscan my computer I get most ports closed and some by my ISP filtered ports (137, 139 and some other MS ports).

I tried a clean install of FreeBSD 6.2 with the latest stable source ass well.

I have had this problem since I changed ISP. Can you please help me out because I'd love to use my BSD box again...
Re: problems with pf
> Parse your rules without actually loading them:
>
> pfctl -n -f /etc/pf.conf
>
> Flush the old rules and load the new ones without rebooting:
>
> pfctl -F -f /etc/pf.conf

Gah! I knew that didn't look right...

pfctl -F all -f /etc/pf.conf

Or check out "man pfctl" for other options.

> Both are must-haves for tinkering with pf.
Re: problems with pf
> I have read the manpage on pf but I am still stumped. I get some error messages when starting up that say something like 'rule expands to no possible valid combination' or something to that effect. If someone can tell me how I can find out what the error messages are when I boot I will post them.

Parse your rules without actually loading them:

pfctl -n -f /etc/pf.conf

Flush the old rules and load the new ones without rebooting:

pfctl -F -f /etc/pf.conf

Both are must-haves for tinkering with pf.
problems with pf
Hello,

I have read the manpage on pf but I am still stumped. I get some error messages when starting up that say something like 'rule expands to no possible valid combination' or something to that effect. If someone can tell me how I can find out what the error messages are when I boot I will post them.

Here is my pf.conf:

ext_if="vr0"

altq on $ext_if cbq bandwidth 2Mb queue { web , p2p , ssh }
queue web bandwidth 40% priority 6 cbq(borrow)
queue ssh bandwidth 40% priority 6 cbq(borrow)
queue p2p bandwidth 20% cbq(borrow default)

pass in on $ext_if all
pass in on $ext_if from any to any port 22 queue(ssh)
pass in on $ext_if from any to any port 80 queue(web)
pass out on $ext_if all
pass out on $ext_if from any to any port 22 queue(ssh)
pass out on $ext_if from any to any port 80 queue(web)

Can someone please tell me what is wrong with my syntax?

Thanks!
/Brian
Re: problems with PF
On Thursday 29 July 2004 22:57, RJ45 wrote:
> hello,
> I configured PF for natting machines on my LAN using FreeBSD as ADSL gateway.
>
> I just write a simple rule
> nat on tun0 from 172.16.16.0/24 to any -> (tun0)
                                             ^^
> but NAT does not work, packets are blocked.
>
> ip forwarding is enabled
>
> using ipfilter works and packets are natted successfully with a simple rule the same as before:
>
> map tun0 172.16.16.0/24 -> tun0/32
>
> I am using PF on OpenBSD since the first time it was released so I am sure it is not a problem of my configuration (after all more than very simple). Using PF on FreeBSD I noticed simply packets are not NATted.

Well they are, but to a wrong address or no address at all, depending on the state of tun0 upon loading the ruleset.

> I have to say I am using it on sparc64 FreeBSD 5.2.1 on ultra 60.
>
> anyone has some hints ?

Have you applied the dynamic address patches?

# cd /usr/ports/security/pf && make extract && cd work/pf_freebsd_2.03/patches
# less README

for details. Unless you did so, the "(ifname)" syntax will not work on 5.2.1R. As a workaround you can place a

# pfctl -f

in your linkup script.

Other than that, you might want to try a recent -current snapshot in order to build 3.5 pf (the port is still as of 3.4) out of the box. There you have all the fancy interface handling that comes with 3.5 (including dynamic addresses of course) and additionally there is ALTQ ;) Patches for hme(4) from Pyun YongHyeon are on http://people.freebsd.org/~mlaier/ALTQ_driver/ other driver patches upon request.

sparc64 should not be a problem for pf in general.

> maybe on i386 works who knows ?

Not with the dynamic address syntax, no.

--
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
problems with PF
hello,

I configured PF for natting machines on my LAN using FreeBSD as ADSL gateway.

I just write a simple rule

nat on tun0 from 172.16.16.0/24 to any -> (tun0)

but NAT does not work, packets are blocked.

ip forwarding is enabled

using ipfilter works and packets are natted successfully with a simple rule the same as before:

map tun0 172.16.16.0/24 -> tun0/32

I am using PF on OpenBSD since the first time it was released so I am sure it is not a problem of my configuration (after all more than very simple). Using PF on FreeBSD I noticed simply packets are not NATted.

I have to say I am using it on sparc64 FreeBSD 5.2.1 on ultra 60.

anyone has some hints ?
maybe on i386 works who knows ?

thanks
Rick