pfctl -s rules

Fleuriot Damien ml at my.gd
Fri Nov 30 13:33:39 UTC 2012


-P

Enjoy.


On Nov 30, 2012, at 2:30 PM, Laszlo Danielisz <laszlo_danielisz at yahoo.com> wrote:

> Good idea, let me check.
> One more thing, while pfctl -vnf /etc/pf.conf how can I list the port numbers instead of the protocol?
> 
> ex:
> pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port = ftp flags S/SA keep state
> 
> I want to see port = 21 instead of port = ftp
> 
> -- 
> Laszlo Danielisz
> Sent with Sparrow
> 
> On 2012 November 30 Friday at 2:20 PM, Fleuriot Damien wrote:
> 
>> It likely tries to apply rules on an interface that doesn't exist yet (for example openvpn's tun).
>> 
>> There's also the chance your rules contain a fully qualified domain name, say example.com
>> PF tries to load its rules, DNS resolution is not up yet, FQDN fails to resolve to anything meaningful, rules fail to load.
>> 
>> Review your rules for any non-physical interfaces (tun, gif) and domain names.
>> 
>> 
>> On Nov 30, 2012, at 2:17 PM, Laszlo Danielisz <laszlo_danielisz at yahoo.com> wrote:
>> 
>>> Thank you very much for your help!
>>> 
>>> pf is loaded to the kernel:
>>> ktulu# kldstat|grep pf        
>>> 38    1 0xc4b41000 3000     pflog.ko
>>> 39    1 0xc4b44000 35000    pf.ko
>>> 
>>> and pfctl -vnf /etc/pf.conf did work, though I don't want to paste here the whole result :)
>>> 
>>> Here is the output of grep
>>> 
>>> ktulu# grep pf /etc/rc.conf   
>>> #pf
>>> pf_enable="YES"
>>> pf_rules="/etc/pf.conf"
>>> pf_flags=""
>>> pflog_enable="YES"
>>> pflog_logfile="/var/log/pflog"
>>> pflog_flags=""
>>> 
>>> I wonder why it doesn't start on boot time?
>>> -- 
>>> Laszlo Danielisz
>>> Sent with Sparrow
>>> 
>>> On 2012 November 30 Friday at 1:40 PM, Tiago Felipe wrote:
>>> 
>>>> On 11/30/2012 10:23 AM, Fleuriot Damien wrote:
>>>>> On Nov 30, 2012, at 1:20 PM, Tiago Felipe<tfgoncalves at yahoo.com.br> wrote:
>>>>> 
>>>>>> On 11/30/2012 09:02 AM, Fleuriot Damien wrote:
>>>>>>> On Nov 30, 2012, at 12:00 PM, Laszlo Danielisz<laszlo_danielisz at yahoo.com> wrote:
>>>>>>> 
>>>>>>>> Hi Everybody,
>>>>>>>> 
>>>>>>>> Recently I've discovered the following issue: I can't display my firewall's rules, and the firewall is enabled.
>>>>>>>> Take a look what is happening:
>>>>>>>> 
>>>>>>>> ktulu# pfctl -s rules
>>>>>>>> No ALTQ support in kernel
>>>>>>>> ALTQ related functions disabled
>>>>>>>> ktulu# pfctl -e
>>>>>>>> No ALTQ support in kernel
>>>>>>>> ALTQ related functions disabled
>>>>>>>> pfctl: pf already enabled
>>>>>>>> 
>>>>>>>> ktulu# uname -a
>>>>>>>> FreeBSD ktulu.danielisz.eu 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 23:52:38 UTC 2012 root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Do you have any idea why I can not see them?
>>>>>>>> 
>>>>>>>> Thx!
>>>>>>>> Laszlo
>>>>>>> 
>>>>>>> Actually, I believe you can see your rules, all the 0 of them.
>>>>>>> 
>>>>>>> Try pfctl -nf /etc/pf.conf
>>>>>>> 
>>>>>>> See if you have an error when loading the rules, that would explain it all.
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> freebsd-pf at freebsd.org mailing list
>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>>>>> # pfctl -s all
>>>>>> 
>>>>>> the device is loaded?
>>>>>> 
>>>>>> # kldload pf.ko
>>>>>> 
>>>>>> or recompile the kernel
>>>>>> 
>>>>>> device pf
>>>>>> device pflog
>>>>>> device pfsync
>>>>>> 
>>>>>> after that reload the rules with # pfctl -nf /etc/pf.conf and see if change something.
>>>>>> 
>>>>>> sorry, my English sux.
>>>>>> 
>>>>>> --
>>>>>> Att,
>>>>>> Tiago Felipe Gonçalves.
>>>>>> Gerente de Infraestrutura de TI.
>>>>>> +55 19 99196494
>>>>> 
>>>>> His pfctl -si shows pf is enabled so either the module loaded fine, or he has device pf in his kernel config.
>>>>> 
>>>>> I'm waiting for both his snip from /etc/rc.conf and pfctl -vnf /etc/pf.conf ;)
>>>>> 
>>>>> Also note that pfctl -nf /etc/pf.conf doesn't actually load the rules, the -n flag makes it only parse the rules and show errors.
>>>> sorry for my failure with the -n flag, I've seen mistakes on small
>>>> things, not cost check =]
>>>> but -nf will show errors, rc.conf will be useful and pfctl -s all gives
>>>> us a lot of info.
>>>> 
>>>> --
>>>> Att,
>>>> Tiago.
>>>> 
>>> 
>> 
> 
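As an added example (not code from the thread or from the FreeBSD project), a small POSIX sh pre-flight check for the two boot-time failure causes Damien names above: rules on interfaces that do not exist yet (tun, gif) and rules containing a host name that cannot resolve before DNS is up. The ruleset and interface list are constructed; on a real host the interface list would come from ifconfig -l, and the file would still be handed to pfctl -nf before enabling pf.

```shell
#!/bin/sh
# Constructed stand-in for /etc/pf.conf containing both pitfalls from the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample ruleset, not the poster's real /etc/pf.conf
ext_if = "em0"
set skip on lo0
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.2 port 21 flags S/SA keep state
pass in on tun0 inet proto udp to any port 53          # tun0 only exists once openvpn is up
pass out on $ext_if proto tcp to example.com port 443  # FQDN: DNS is not up when pf loads at boot
EOF

# pf_check CONF "IFACE LIST": print one finding per offending rule line.
# Interface macros ($x), groups and { lists } after "on" are skipped, not checked.
# On a live box, follow this with: pfctl -nf "$conf" (parse only) and, once
# loaded, pfctl -P -s rules to see numeric ports instead of service names.
pf_check() {
    conf="$1"; ifaces=" $2 "
    # Drop comment and blank lines but keep the original line numbers.
    grep -n -v '^[[:space:]]*#' "$conf" | grep -v ':[[:space:]]*$' |
    while IFS= read -r line; do
        n=${line%%:*}; rule=${line#*:}; rule=${rule%%#*}
        # Interface name following "on", if it is a plain name.
        iface=$(printf '%s\n' "$rule" |
            sed -n 's/.*[[:space:]]on[[:space:]]\{1,\}\([A-Za-z0-9_.]\{1,\}\).*/\1/p')
        if [ -n "$iface" ]; then
            case "$ifaces" in
                *" $iface "*) ;;
                *) printf 'line %s: interface %s does not exist at load time\n' "$n" "$iface" ;;
            esac
        fi
        # Host names: dotted token whose last label is alphabetic, so 192.168.1.0/24 never matches.
        for host in $(printf '%s\n' "$rule" |
                grep -Eo '[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}' || true); do
            printf 'line %s: host name %s needs DNS, which is not up when pf loads at boot\n' "$n" "$host"
        done
    done
}

# Number of findings, handy for an rc script that refuses to enable pf on a non-zero count.
pf_check_count() { pf_check "$1" "$2" | wc -l | tr -d ' '; }

pf_check "$SAMPLE_CONF" "lo0 em0"
```

Run against the constructed file it reports the tun0 rule and the example.com rule; adding tun0 to the interface list leaves only the DNS finding.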



More information about the freebsd-pf mailing list