pfctl -s rules

Fleuriot Damien ml at my.gd
Fri Nov 30 13:20:40 UTC 2012


It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).

There's also the chance your rules contain a fully qualified domain name, say example.com
PF tries to load its rules, DNS resolution is not up yet, the FQDN fails to resolve to anything meaningful, and the rules fail to load.

Review your rules for any non-physical interfaces (tun, gif) and domain names.


On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz <laszlo_danielisz at yahoo.com> wrote:

> Thank you very much for your help!
> 
> pf is loaded to the kernel:
> ktulu# kldstat|grep pf        
> 38    1 0xc4b41000 3000     pflog.ko
> 39    1 0xc4b44000 35000    pf.ko
> 
> and pfctl -vnf /etc/pf.conf did work, though I don't want to paste here the whole result :)
> 
> Here is the output of grep
> 
> ktulu# grep pf /etc/rc.conf   
> #pf
> pf_enable="YES"
> pf_rules="/etc/pf.conf"
> pf_flags=""
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_flags=""
> 
> I wonder why it doesn't start on boot time?
> -- 
> Laszlo Danielisz
> Sent with Sparrow
> 
> On 2012 November 30 Friday at 1:40 PM, Tiago Felipe wrote:
> 
>> On 11/30/2012 10:23 AM, Fleuriot Damien wrote:
>>> On Nov 30, 2012, at 1:20 PM, Tiago Felipe<tfgoncalves at yahoo.com.br> wrote:
>>> 
>>>> On 11/30/2012 09:02 AM, Fleuriot Damien wrote:
>>>>> On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz<laszlo_danielisz at yahoo.com> wrote:
>>>>> 
>>>>>> Hi Everybody,
>>>>>> 
>>>>>> Recently I've discovered the following issue: I can't display my firewall's rules, and the firewall is enabled.
>>>>>> Take a look at what is happening:
>>>>>> 
>>>>>> ktulu# pfctl -s rules
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>> ktulu# pfctl -e
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>> pfctl: pf already enabled
>>>>>> 
>>>>>> ktulu# uname -a
>>>>>> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Do you have any idea why I can not see them?
>>>>>> 
>>>>>> Thx!
>>>>>> Laszlo
>>>>> 
>>>>> Actually, I believe you can see your rules, all the 0 of them.
>>>>> 
>>>>> Try pfctl -nf /etc/pf.conf
>>>>> 
>>>>> See if you have an error when loading the rules, that would explain it all.
>>>>> 
>>>>> _______________________________________________
>>>>> freebsd-pf at freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>>> # pfctl -s all
>>>> 
>>>> the device is loaded?
>>>> 
>>>> # kldload pf.ko
>>>> 
>>>> or recompile the kernel
>>>> 
>>>> device pf
>>>> device pflog
>>>> device pfsync
>>>> 
>>>> after that reload the rules with # pfctl -nf /etc/pf.conf and see if something changes.
>>>> 
>>>> sorry, my english sux.
>>>> 
>>>> --
>>>> Att,
>>>> Tiago Felipe Gonçalves.
>>>> Gerente de Infraestrutura de TI.
>>>> +55 19 99196494
>>> 
>>> His pfctl -si shows pf is enabled so either the module loaded fine, or he has device pf in his kernel config.
>>> 
>>> I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)
>>> 
>>> Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules, the -n flag makes it only parse the rules and show errors.
>> sorry for my failure with the -n flag, I've seen mistakes on small
>> things, not cost check =]
>> but -nf will show errors, rc.conf will be useful and pfctl -s all gives
>> us a lot of info.
>> 
>> --
>> Att,
>> Tiago.
>> 
> 
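
The review Damien suggests above (non-physical interfaces and domain names in the ruleset) can be scripted and run before a reboot. The following is an added example, not code from this thread or from FreeBSD; the function names, the sample pf.conf and the PRESENT interface list are constructed for the example, with PRESENT standing in for the output of `ifconfig -l` as it would look when /etc/rc loads pf. It expands `$macro` references from the file's own `name = "value"` lines, then reports interface names used after `on` that are not present and bare hostnames in `from`/`to` position that pfctl has to resolve through DNS at load time.

```shell
#!/bin/sh
# Added example (not from the thread): pre-reboot review of a pf.conf for the
# two things the reply above says to look for, so pf does not come up enabled
# but with an empty ruleset after the next boot.
# Function names, the sample ruleset and PRESENT are constructed for this example.

# Print the conf with comments dropped and $macro references expanded from
# 'name = "value"' lines in the same file, so the checks see real names.
expand_macros() {
    awk '
    /^[[:space:]]*#/ { next }
    { sub(/#.*/, "") }
    /^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
        name = $0; sub(/[[:space:]]*=.*/, "", name)
        val = $0;  sub(/^[^=]*=[[:space:]]*/, "", val)
        gsub(/"/, "", val); sub(/[[:space:]]+$/, "", val)
        macro[name] = val
        next
    }
    {
        out = ""
        for (i = 1; i <= NF; i++) {
            t = $i
            if (substr(t, 1, 1) == "$" && (substr(t, 2) in macro)) t = macro[substr(t, 2)]
            out = out (i > 1 ? " " : "") t
        }
        print out
    }' "$1"
}

# Interface names used after "on" that are not in the present-interface list.
# $2 is a space-separated list; on a real box pass "$(ifconfig -l)".
unknown_ifaces() {
    expand_macros "$1" | awk -v present=" $2 " '
    { for (i = 1; i < NF; i++)
          if ($i == "on" && index(present, " " $(i+1) " ") == 0) print $(i+1) }' |
    sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Bare hostnames in "from"/"to" position. pfctl resolves these when the
# ruleset is loaded, and at boot the resolver may not be usable yet.
dns_names() {
    expand_macros "$1" | awk '
    { for (i = 1; i < NF; i++)
          if (($i == "from" || $i == "to") &&
              $(i+1) ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/ && $(i+1) ~ /[A-Za-z]/)
              print $(i+1) }' |
    sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 when clean, 1 when something needs attention before rebooting.
preflight() {
    rc=0
    ifs=$(unknown_ifaces "$1" "$2")
    names=$(dns_names "$1")
    if [ -n "$ifs" ]; then
        echo "interfaces referenced but not present now: $ifs"; rc=1
    fi
    if [ -n "$names" ]; then
        echo "hostnames that must resolve at load time: $names"; rc=1
    fi
    return $rc
}

# Constructed sample ruleset with one bad pattern of each kind.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ext_if = "em0"
vpn_if = "tun0"           # created by openvpn, i.e. after pf has loaded
table <rfc1918> { 10/8, 172.16/12, 192.168/16 }
set skip on lo0
block all
pass in on $ext_if proto tcp from any to ($ext_if) port 22
pass in on $vpn_if from 10.8.0.0/24 to any
pass out on gif0 inet proto gre
pass out on $ext_if proto tcp to example.com port 443
pass out on $ext_if proto tcp to 192.0.2.10 port 25
pass out on $ext_if from <rfc1918> to www.example.net
EOF

# Constructed stand-in for "$(ifconfig -l)" at the time /etc/rc runs pf.
PRESENT="em0 lo0 pflog0"

preflight "$SAMPLE_CONF" "$PRESENT" || echo "review the findings above before relying on pf at boot"
```

On the sample above it reports `gif0 tun0` and `example.com www.example.net`. Replacing the hostnames with literal addresses (or a table fed from a file) removes the dependency on DNS during rc; after the next boot, `pfctl -s rules` should then list the ruleset, and an empty listing with pf reported as enabled still means the load failed and the console or syslog output from rc is where the pfctl error will be.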