Problem with PF
Pat Maddox
pergesu at gmail.com
Thu Mar 31 09:30:55 PST 2005
FreeBSD 5.3-RELEASE-p5. I'm not sure how to check the pf version.
I just started getting this error a couple days ago, and I've got
absolutely no clue why. I don't recall making any significant changes
to the box. Anyway, here's pf.conf:
# ------- pf.conf skeleton for server
#
# --------------- MACRO Section -----------------
EXT_IF="fxp0"
PING = "echoreq"
# --- allowed incoming services initiated by clients
TCP_IN = "{ ssh, smtp, ftp, imap, http, 5001, 5002, 5003, 5004, 5005 }"
UDP_IN = "{ domain }"
# --- allowed services initiated by server
TCP_OUT = "{ ssh, smtp, ftp, http, ntp, 5999 }"
UDP_OUT = "{ domain, ntp }"
# ------------------ TABLE Section --------------
# ------------------ OPTIONS Section
set loginterface $EXT_IF
# --------- TRAFFIC NORMALIZATION ----------------
scrub in all
# ---------- TRANSLATION Section (NAT/RDR)
# ---------- FILTER section
# --- DEFAULT POLICY
block log all
# --- LOOPBACK
pass quick on lo0 all
# ======================= INCOMING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state
# --- UDP
pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state
# --- ICMP
pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state
# ======================= OUTGOING ================
# ----------- EXTERNAL INTERFACE
# --- TCP
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state
# --- UDP
pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state
# --- ICMP
pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state
# ----------------- end of pf.conf
On Thu, 31 Mar 2005 12:31:13 +0200, Peter N. M. Hansteen
<peter at bgnett.no> wrote:
> Pat Maddox <pergesu at gmail.com> writes:
>
> > I'm trying to set up PF on a server, and when I run pfctl -nf
> > /etc/pf.conf, I get the following error:
> > pfctl: ifa_load: pfi_get_ifaces: Bad file descriptor
>
> More info is required.
>
> Which FreeBSD and PF versions (not all permutations of pf and FreeBSD
> will work, see the handbook), pf relevant rc.conf lines, your pf.conf,
> ifconfig output
>
> > Google doesn't come up with anything, I've got no clue what that is. Any help?
>
> Check your ruleset for obvious errors, such as trying to address a
> non-existent interface. Then again, this is guesswork based on very
> little information.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
>
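The check suggested in the quoted reply (looking for rules that address a non-existent interface) can be scripted. The following is an added example, not part of the original thread: it collects the interface names a pf.conf refers to and compares them with the interfaces the system reports. The function names, the from/to heuristic and the sample text (constructed from the pf.conf above) are assumptions of this example.

```python
import re

# Constructed sample: the interface-related lines of the pf.conf posted above.
SAMPLE_PF_CONF = """\
EXT_IF="fxp0"
set loginterface $EXT_IF
block log all
pass quick on lo0 all
pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port ssh keep state
"""

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"')
# Places where pf.conf takes an interface name: "on <if>" and "set loginterface <if>".
ON_RE = re.compile(r'\b(?:on|loginterface)\s+(\{[^}]*\}|\S+)')
# Heuristic (assumption): a from/to operand shaped like "fxp0" is an interface
# used as an address, not a hostname.
ADDR_RE = re.compile(r'\b(?:from|to)\s+\(?([a-z]+\d+)(?![\w.-])')


def referenced_interfaces(conf_text):
    """Return the set of interface names a pf.conf refers to."""
    macros, found = {}, set()
    # Join backslash-continued lines so each rule is parsed as one line.
    for raw in conf_text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Expand $MACRO references; unknown macros are left untouched.
        line = re.sub(r'\$(\w+)', lambda v: macros.get(v.group(1), v.group(0)), line)
        for spec in ON_RE.findall(line):
            found.update(n for n in re.split(r'[\s,{}!]+', spec) if n)
        found.update(ADDR_RE.findall(line))
    return found


def missing_interfaces(conf_text, system_ifaces):
    """Interfaces named in the ruleset that the system does not have."""
    return sorted(referenced_interfaces(conf_text) - set(system_ifaces))


if __name__ == "__main__":
    import subprocess, sys
    # "ifconfig -l" prints the names of all interfaces on one line (FreeBSD).
    ifaces = subprocess.run(["ifconfig", "-l"], capture_output=True,
                            text=True, check=True).stdout.split()
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/pf.conf") as fh:
        bad = missing_interfaces(fh.read(), ifaces)
    print("missing interfaces:", ", ".join(bad) if bad else "none")
```

Run on the firewall host, it reads /etc/pf.conf (or the file given as the first argument) and lists any interface the ruleset names that `ifconfig -l` does not show.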