Getting tables to work in PF (fwd)
Dave Horsfall
dave at horsfall.org
Tue Nov 4 00:57:08 UTC 2014
Meant to go to list; I was interrupted by a phone call at the crucial
moment...
--
Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
---------- Forwarded message ----------
Date: Tue, 4 Nov 2014 11:54:40 +1100 (EST)
From: Dave Horsfall <dave at horsfall.org>
To: Doug Hardie <bc979 at lafn.org>
Subject: Re: Getting tables to work in PF
On Mon, 3 Nov 2014, Doug Hardie wrote:
> Do the rules show after that? I've never seen that last line before. I
> suspect it indicates an error of some sort.
DIOCSETSTATUSIF? I thought it was part of the ALTQ stuff. net/pfvar.h
only has this to say:
#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
and in pf(4):
DIOCSETSTATUSIF struct pfioc_if *pi
Specify the interface for which statistics are accumulated.
As for "ifconfig fxp0" (the only NIC on the box):
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
        ether 00:08:02:c4:b4:49
        inet 10.0.0.3 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
The rules? Not a sausage. It's behaving as though it's reading the file
(which it is), but not honouring the rules themselves (which it isn't).
Here:
aneurin# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:

INFO:
Status: Enabled for 1 days 04:14:05           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                          209120            2.1/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                             209120            2.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                            813            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
  tcp.first                   120s
  tcp.opening                  30s
  tcp.established           86400s
  tcp.closing                 900s
  tcp.finwait                  45s
  tcp.closed                   90s
  tcp.tsdiff                   30s
  udp.first                    60s
  udp.single                   30s
  udp.multiple                 60s
  icmp.first                   20s
  icmp.error                   10s
  other.first                  60s
  other.single                 30s
  other.multiple               60s
  frag                         30s
  interval                     10s
  adaptive.start             6000 states
  adaptive.end              12000 states
  src.track                     0s

LIMITS:
  states        hard limit    10000
  src-nodes     hard limit    10000
  frags         hard limit     5000
  tables        hard limit     1000
  table-entries hard limit   200000

TABLES:
spammers
woodpeckers

OS FINGERPRINTS:
696 fingerprints loaded
aneurin#
So, is pf(4) actually known to work on:
FreeBSD aneurin.horsfall.org 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
and if so, does anyone have a working sample pf.conf from such a box?
There's no kernel source on the thing, so I cannot rebuild with ALTQ, and
my DVD is busted so I cannot upgrade; if I can load up an 8GB USB stick
with FreeBSD then that could be one upgrade path, I suppose, but I don't
know if this thing (a Compaq Evo) will boot from USB.
--
Dave Horsfall (VK2KFU) "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
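A minimal ruleset built around the two tables the pfctl output lists, added here as an example and not a pf.conf from this thread or from Dave's box; the interface name and address are taken from the ifconfig output above, while the table file paths and the two allowed ports are assumptions. It deliberately uses no ALTQ statements, since the kernel reports none, and no "set loginterface" line, which is the pf.conf directive behind the DIOCSETSTATUSIF ioctl.

```pf
# Added example pf.conf (not from the thread).  Assumes fxp0 is the only
# NIC and the host sits at 10.0.0.3/24, as in the ifconfig output.
ext_if = "fxp0"

# Tables named as in "pfctl -s all".  "persist" keeps a table in the kernel
# even while no rule references it; "file" seeds it from an assumed path.
# Entries can later be managed with "pfctl -t spammers -T add|delete|show".
table <spammers>    persist file "/etc/pf.spammers"
table <woodpeckers> persist file "/etc/pf.woodpeckers"

# No ALTQ in this kernel, so no "altq" or "queue" statements.
# No "set loginterface" either: that line issues DIOCSETSTATUSIF.
set skip on lo0
set block-policy drop

# Reassemble fragments and normalise inbound traffic.
scrub in on $ext_if all

# Default deny inbound and log it; let the host talk out statefully.
block in log on $ext_if all
pass out on $ext_if all keep state

# Drop table members first, with "quick" so no later pass rule can override.
block in quick on $ext_if from <spammers>
block in quick on $ext_if from <woodpeckers>

# Only services the box actually offers (assumed: SSH and SMTP).
pass in on $ext_if proto tcp from any to ($ext_if) port { 22, 25 } keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only, nothing changes in the kernel), then load with `pfctl -f /etc/pf.conf` and confirm with `pfctl -sr` and `pfctl -t spammers -T show`; if `pfctl -sr` prints nothing, the rules never reached the kernel, which matches the empty "FILTER RULES:" section above.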