pfctl -s rules
Laszlo Danielisz
laszlo_danielisz at yahoo.com
Fri Nov 30 13:50:39 UTC 2012
Thank you!
On 2012 November 30 Friday at 2:33 PM, Fleuriot Damien wrote:
> -P
>
> Enjoy.
>
>
> On Nov 30, 2012, at 2:30 PM, Laszlo Danielisz <laszlo_danielisz at yahoo.com> wrote:
> > Good idea, let me check.
> > One more thing, while running pfctl -vnf /etc/pf.conf how can I list the port numbers instead of the protocol?
> >
> > ex:
> > pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
> >
> > I want to see port = 21 instead of port = ftp
> >
> > --
> > Laszlo Danielisz
> > Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
> >
> >
> > On 2012 November 30 Friday at 2:20 PM, Fleuriot Damien wrote:
> >
> > > It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).
> > >
> > > There's also the chance your rules contain a fully qualified domain name, say example.com
> > > PF tries to load its rules, DNS resolution is not up yet, FQDN fails to resolve to anything meaningful, rules fail to load.
> > >
> > > Review your rules for any non-physical interfaces (tun, gif) and domain names.
> > >
> > >
> > > On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz <laszlo_danielisz at yahoo.com> wrote:
> > > > Thank you very much for your help!
> > > >
> > > > pf is loaded to the kernel:
> > > > ktulu# kldstat|grep pf
> > > > 38 1 0xc4b41000 3000 pflog.ko
> > > > 39 1 0xc4b44000 35000 pf.ko
> > > >
> > > >
> > > > and pfctl -vnf /etc/pf.conf did work, though I don't want to paste here the whole result :)
> > > >
> > > > Here is the output of grep
> > > >
> > > > ktulu# grep pf /etc/rc.conf
> > > > #pf
> > > > pf_enable="YES"
> > > > pf_rules="/etc/pf.conf"
> > > > pf_flags=""
> > > > pflog_enable="YES"
> > > > pflog_logfile="/var/log/pflog"
> > > > pflog_flags=""
> > > >
> > > >
> > > > I wonder why it doesn't start at boot time?
> > > > --
> > > > Laszlo Danielisz
> > > > Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
> > > >
> > > >
> > > > On 2012 November 30 Friday at 1:40 PM, Tiago Felipe wrote:
> > > >
> > > > > On 11/30/2012 10:23 AM, Fleuriot Damien wrote:
> > > > > > On Nov 30, 2012, at 1:20 PM, Tiago Felipe <tfgoncalves at yahoo.com.br> wrote:
> > > > > >
> > > > > > > On 11/30/2012 09:02 AM, Fleuriot Damien wrote:
> > > > > > > > On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz <laszlo_danielisz at yahoo.com> wrote:
> > > > > > > >
> > > > > > > > > Hi Everybody,
> > > > > > > > >
> > > > > > > > > Recently I've discovered the following issue: I can't display my firewall's rules, and the firewall is enabled.
> > > > > > > > > Take a look at what is happening:
> > > > > > > > >
> > > > > > > > > ktulu# pfctl -s rules
> > > > > > > > > No ALTQ support in kernel
> > > > > > > > > ALTQ related functions disabled
> > > > > > > > > ktulu# pfctl -e
> > > > > > > > > No ALTQ support in kernel
> > > > > > > > > ALTQ related functions disabled
> > > > > > > > > pfctl: pf already enabled
> > > > > > > > >
> > > > > > > > > ktulu# uname -a
> > > > > > > > > FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Do you have any idea why I can not see them?
> > > > > > > > >
> > > > > > > > > Thx!
> > > > > > > > > Laszlo
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Actually, I believe you can see your rules, all the 0 of them.
> > > > > > > >
> > > > > > > > Try pfctl -nf /etc/pf.conf
> > > > > > > >
> > > > > > > > See if you have an error when loading the rules, that would explain it all.
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > freebsd-pf at freebsd.org mailing list
> > > > > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > > > > > > > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> > > > > > > >
> > > > > > >
> > > > > > > # pfctl -s all
> > > > > > >
> > > > > > > the device is loaded?
> > > > > > >
> > > > > > > # kldload pf.ko
> > > > > > >
> > > > > > > or recompile the kernel
> > > > > > >
> > > > > > > device pf
> > > > > > > device pflog
> > > > > > > device pfsync
> > > > > > >
> > > > > > > after that reload the rules with # pfctl -nf /etc/pf.conf and see if it changes something.
> > > > > > >
> > > > > > > sorry, my english sux.
> > > > > > >
> > > > > > > --
> > > > > > > Att,
> > > > > > > Tiago Felipe Gonçalves.
> > > > > > > Gerente de Infraestrutura de TI.
> > > > > > > +55 19 99196494
> > > > > > >
> > > > > >
> > > > > >
> > > > > > His pfctl -si shows pf is enabled so either the module loaded fine, or he has device pf in his kernel config.
> > > > > >
> > > > > > I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)
> > > > > >
> > > > > > Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules, the -n flag makes it only parse the rules and show errors.
> > > > > sorry for my failure with the -n flag, I've seen mistakes on small things, not cost check =]
> > > > > but -nf will show errors, rc.conf will be useful and pfctl -s all gives us a lot of info about it.
> > > > >
> > > > > --
> > > > > Att,
> > > > > Tiago.
> > > > >
> > > > >
> > > >
> > > >
> > >
> >
>
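Damien's advice above (rules bound to interfaces that do not exist yet at boot, and host names that need DNS before the resolver is up) can be checked before the next reboot with a small script. This is an added example, not code from the thread: it scans a constructed pf.conf with plain awk and assumes a fixed list of boot-time interfaces (BOOT_IFACES) in place of the host's real `ifconfig -l` output; `pfctl -nf` remains the authoritative parse.

```shell
#!/bin/sh
# Constructed sample rule set in the style of the rule quoted in the thread
# (not the poster's real /etc/pf.conf).
PF_CONF=$(mktemp); trap 'rm -f "$PF_CONF"' EXIT
cat > "$PF_CONF" <<'EOF'
ext_if = "em0"
vpn_if = "tun0"     # created later by openvpn, so absent when pf loads at boot
pass in on $ext_if inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
pass in on $vpn_if inet proto tcp from any to any port = 22
pass out on $ext_if inet proto tcp from any to mail.example.com port = 25   # needs DNS at load
block in on gif0
EOF
# Interfaces that exist before pf starts (constructed; on a real host use `ifconfig -l`).
BOOT_IFACES="em0 lo0"

# List interfaces named after "on" (simple macros expanded) that are not in $2.
missing_ifaces() {
    awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        { sub(/#.*/, "") }                                   # drop comments
        NF >= 3 && $2 == "=" && $1 ~ /^[A-Za-z_][A-Za-z0-9_]*$/ {
            v = $3; gsub(/"/, "", v); macro[$1] = v; next }  # name = "value"
        { for (i = 1; i < NF; i++) if ($i == "on") {
              ifc = $(i + 1)
              if (ifc ~ /^\$/ && (substr(ifc, 2) in macro)) ifc = macro[substr(ifc, 2)]
              if (!(ifc in ok) && !seen[ifc]++) print ifc } }
    ' "$1"
}

# List tokens that look like host names (a dotted name whose last label starts with a
# letter, so IPs and CIDR blocks are skipped); each one needs DNS when the rules load.
fqdn_refs() {
    awk '
        { sub(/#.*/, "")
          for (i = 1; i <= NF; i++) {
              tok = $i; gsub(/["{},]/, "", tok)
              if (tok ~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$/ &&
                  tok ~ /\.[A-Za-z][A-Za-z0-9-]*$/ && !seen[tok]++) print tok } }
    ' "$1"
}

echo "interfaces referenced but absent at boot:"; missing_ifaces "$PF_CONF" "$BOOT_IFACES"
echo "host names that must resolve when the rules load:"; fqdn_refs "$PF_CONF"
```

Only a single interface directly after `on` is handled; brace lists such as `on { em0 em1 }` and interface modifiers are left to `pfctl -nf`.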