Problem with PF

Pat Maddox pergesu at gmail.com
Thu Mar 31 14:54:23 PST 2005


I just got a new server with FreeBSD 5.3 installed, tried to set up
PF, and am getting an error when I try to parse the file.  I updated
to patch release 6, hoping that might solve things, but I still get
the error.  Here's the error itself:

pfctl: ifa_load: pfi_get_ifaces: Bad file descriptor

And now for pf.conf:

# ------- pf.conf skeleton for server
#
# --------------- MACRO Section  -----------------

EXT_IF="rl0"

PING = "echoreq"

# --- allowed incoming services initiated by clients

TCP_IN = "{ ssh }"
#UDP_IN = "{  }"

# --- allowed services initiated by server

TCP_OUT = "{ ssh, ftp, http, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"

# ------------------ TABLE Section --------------

# ------------------ OPTIONS Section
set loginterface $EXT_IF

# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)

# ---------- FILTER section

# --- DEFAULT POLICY
block log all

# --- LOOPBACK
pass quick on lo0 all

# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE

# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

# --- UDP
#pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE

# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

# ----------------- end of pf.conf

