PF not loading rules

I created a file called firewall_rules.conf

In rc.conf I enable pf and also logging and give the path to the rules config file and the file for logging.

When I run
Code:
service pf start

I get:
Code:
Warning: Unable to load /etc/firewall_rules.conf

I type in pfctl -v -s rules and also pfctl -s rules and it shows nothing. I assume that command is supposed to show all the rules loaded.

So, I am assuming that the rules are not being loaded. Is there a way I can find out what the issue is?

Before this I had syntax errors in the rules. I fixed them, meaning that when doing service pf start it would spit out syntax errors in the rules
on certain lines. I fixed all of them and I know this because it cleared up those errors. I no longer have them.

However, I get no errors but a warning that it cannot load the rules file. How can I figure out why?
I assume it might be a permission issue? I have the file chmod 600. It's owned by root and group wheel.
Do I need to add PF to group wheel?
 
The default name for the rules file is /etc/pf.conf. Did you change this for some reason?
What does pfctl -nf /etc/firewall_rules.conf report?
 
I am going to try that command right now.

I do have a pf.conf file in that location. However, I followed a tutorial and it said that in rc.conf
you can assign the firewall rules and name the file anything, for example anything_rules.conf.
So, I put the variable setting in rc.conf to load that file as the firewall rules.

So, I ran pfctl -nf /etc/firewall_rules.conf and nothing happened.
I typed exactly that and hit enter and saw nothing on the terminal.
 
show us the relevant lines in /etc/rc.conf and the contents of your /etc/firewall_rules.conf

As Jose has pointed out - the default file is called /etc/pf.conf, why did you change that and did you actually specify that file in rc.conf?

edit: maybe you could also share that "tutorial" with us? There are a lot of sketchy or plain out wrong "tutorials" out there, so we might be able to point you to a better source of information (the manpages and handbook should always be the first to consult...)
 
The tutorial is [removed].

I do have a pf.conf file but not using it. In rc.conf I specify to use the rules from the file listed above which is firewall_rules.conf.
I read elsewhere that the rules file can be named anything and if you don't specify it in rc.conf then the default is pf.conf.

There are no rule errors. I know this because when I wrote the rules I would get syntax errors. I had to clear them out line by line.
This eventually got me to where I am right now. I am pretty sure the file is ok. I feel like it's a permission issue.
I had the chmod at 600 but now changed it to 644, but it didn't improve anything.
 
From my understanding, if you specify a rules file in rc.conf then you can name that file anything you want.
If you don't specify a rules file in rc.conf then PF uses the default file, which is pf.conf.
I have it specified in rc.conf so it should work.

PF is only showing a warning that it cannot load the rule file. It doesn't specify why.
 
As long as you run the rc script or the pfctl command with root privileges, the ownership and permissions of the config file do not matter at all.

Check the config file for illegal non-printing characters and remove them all if there are any, then restart the pf service as root.

If you still have the issue, show the output of the following commands:
freebsd-version -kru
cat -e /etc/rc.conf
cat -e /etc/firewall_rules.conf
 

Ok, so I went back and found no non-printing characters. I instead went line by line and did trial and error.
The rules loaded when I commented out set limit { states 3}
It looks like this line needs to be in a specific order. I had it at the start of the script.
Does anyone know where that line should be?
 
I think that falls under "options" (man pf.conf), which I think should be after macros and tables, but before scrub.
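To make that section order concrete, here is an added example that is not code from this thread or from FreeBSD's pfctl: a small Python check that classifies each pf.conf statement by section and reports any statement that appears after a later section. Both embedded rulesets are constructed. The first keeps the pf.conf(5) order (macros, tables, options, normalization, queueing, translation, filtering) with the set limit line in the options block; the second puts set limit after scrub and is flagged. pfctl -nf remains the authoritative check, this script only makes the ordering rule visible, and the script name in the usage comment is hypothetical.

```python
import re

# Section order from pf.conf(5). Macros and tables are not ordered and get no rank.
SECTION_RANK = {
    "options": 0,
    "normalization": 1,
    "queueing": 2,
    "translation": 3,
    "filtering": 4,
}

# First keyword of a statement -> section it belongs to.
KEYWORDS = {
    "set": "options",
    "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "nat-anchor": "translation", "rdr-anchor": "translation", "binat-anchor": "translation",
    "pass": "filtering", "block": "filtering", "match": "filtering",
    "antispoof": "filtering", "anchor": "filtering", "load": "filtering",
}

MACRO_RE = re.compile(r"^[A-Za-z_]\w*\s*=")

# Constructed ruleset in the documented order; "set limit" sits in the options section.
GOOD_CONF = """\
ext_if = "em0"                                        # macro
table <badhosts> persist file "/etc/badhosts.txt"     # table
set limit { states 3 }                                # options
set skip on lo0
scrub in all                                          # normalization
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)   # translation
block in quick on $ext_if from <badhosts>             # filtering
block in all
pass out all keep state
pass in on $ext_if proto tcp to port 22 keep state
"""

# Constructed ruleset with the options line after normalization: out of order.
BAD_CONF = """\
ext_if = "em0"
scrub in all
set limit { states 3 }
block in all
pass out all keep state
"""


def classify(line):
    """Return the section of one pf.conf line, or None if the line is unordered
    (blank, comment, macro definition, table definition, include, unknown keyword).
    Backslash-continued lines start with a non-keyword token and fall through to None."""
    text = line.split("#", 1)[0].strip()
    if not text or MACRO_RE.match(text):
        return None
    first = text.split()[0]
    if first in ("table", "include"):
        return None
    return KEYWORDS.get(first)


def check_order(conf_text):
    """Return [(line_no, message), ...] for statements that appear after a later section."""
    problems = []
    highest = -1          # rank of the furthest section seen so far
    highest_name = None
    for no, line in enumerate(conf_text.splitlines(), 1):
        section = classify(line)
        if section is None:
            continue
        rank = SECTION_RANK[section]
        if rank < highest:
            problems.append((no, f"{section} statement {line.strip()!r} "
                                 f"appears after {highest_name} rules"))
        elif rank > highest:
            highest, highest_name = rank, section
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python3 pf_order_check.py /etc/firewall_rules.conf  (hypothetical script name)
    # Without an argument the out-of-order sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONF
    for no, msg in check_order(text):
        print(f"line {no}: {msg}")
```

Run it against a real file before pfctl -nf; a clean run prints nothing, the sample prints that line 3's options statement appears after normalization rules.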
 
It looks like this line needs to be in a specific order. I had it at the start of the script.

That's stated in the *very first* section of the pf.conf(5) manpage...
Instead of blindly following some 'tutorials', ALWAYS read the handbook and especially the manpages FIRST. We're not on linux here, FreeBSD has excellent documentation! Use it!
 
I have, and even putting that after tables it still gives out an error. I commented it out and will deal with it.
I started out having it at a later position and went online asking for help. Someone told me that it needs to be
at the start. So, I put it there... I commented it out. I will work on it later.

I never used pf... I only used ipfw, but used that heavily and kept getting ddos attacks. So, I had to manually add them in.
I was told to write a script to keep adding them in, but after talking with many they told me ipfw is bad and told me to switch to pf. Which is why I am using it: to use tables to load in files of IP addresses. I am trying to get it automated to either detect or update
blocked IPs with new lists from the internet of known bad actors. I use tutorials to be able to quickly adjust to something new, and if something doesn't work the first thing I do is look up the man pages. However, it's not always clear. I don't know what linux has to do with it? Linux is the same way. Documentation is there for people that have experience with the software.
For people that are using the software for the first time it's not easy. That is why tutorials exist. They guide people that are doing something for the first time, or that have forgotten and are confused.
 
pf is hard because it's very nuanced and FreeBSD's version is, frankly, weird. The FreeBSD Handbook, as someone has noted, points to resources that are entirely dedicated to OpenBSD and then irresponsibly washes its hands of the problems distinguishing between the two versions that you will have when using those resources. The man page just tells you what things are, not how to do a thing you want to do. Tutorials and examples specifically for FreeBSD are seemingly nonexistent (otherwise they would be linked in the handbook and not these seemingly useless OpenBSD links)?

Anyway, IMO, problems with pf config shouldn't be so severely handled.
 
Huh? There are several examples in the pf(4) section of the Handbook, including a complete simple gateway with NAT.
 
My opinions only, agree, disagree, it's all good. Apologies if this gets long.
pf on FreeBSD was the first "firewall" stuff I played with, a long time ago. "The Book Of PF" by Peter Hansteen was my guide. Things tracked very closely between the software and the book. Lots of tips and tricks that are still useful today, especially on how to write config files and parse them for errors without loading them.
OpenBSD PF syntax has evolved and changed a bit since it was imported into FreeBSD, but to the best of my knowledge a lot of the fundamental syntax has remained the same.
So if you are trying to follow an OpenBSD tutorial relating to some newly added feature, it probably won't work on FreeBSD.
If you are following a tutorial on basic firewalling? Probably almost cut and paste.

PF is no more nuanced than IPFW: one needs to understand the tool, learn how to speak it, then learn how to master it.
Every good firewall implementation starts with a sheet of paper, a pencil and an understanding of what you are trying to accomplish. Draw a box, draw your arrows in and out for traffic, write down what you want to allow (because you should be starting with default deny all), remember what keep state does.
That gives you a set of rules that you can test against.

As to the OP's original problem of syntax errors:
Code:
pfctl -vvnf filename

The "vv" gives you more verbose output; you will at least get a line number for the syntax error.

Kristof Provost would be the definitive source on what is different between the FreeBSD and OpenBSD versions (in my opinion at least).
 
I never used pf... I only used ipfw, but used that heavily and kept getting ddos attacks. So, I had to manually add them in.
I was told to write a script to keep adding them in, but after talking with many they told me ipfw is bad and told me to switch to pf. Which is why I am using it: to use tables to load in files of IP addresses.

If you ask (e.g.) google to respond on any topic, say "blah", you will see as many responses titled "why blah is good" as "why blah is bad".

For solutions involving tables of addresses that you can update on the fly without having to restart or signal the firewall, pf has no specific advantage over ipfw, despite the still-dreadful ipfw section in the Handbook failing to even mention the use of tables.

/etc/rc.firewall 'simple' ruleset provides one useful example, and Handbook section 32.6 on blacklistd shows a solution usable with either pf or ipfw.

I am trying to get it automated to either detect or update
blocked IPs with new lists from the internet of known bad actors. I use tutorials to be able to quickly adjust to something new, and if something doesn't work the first thing I do is look up the man pages. However, it's not always clear.

Indeed. ipfw(8) is clear and authoritative, as opposed to the Handbook, but it's large and therefore daunting for some.

Not suggesting anything against choosing pf at all, just that I find it sad that people are misled or turned off ipfw by ignorant articles.
 
I am using it to use tables to load in files of IP addresses.
PF does not forgive parser errors when loading into tables.

a) Therefore you must not use hostnames that do not resolve.
b) Make sure that each IP does parse as a valid IP.

So there is a little extra work necessary before feeding into PF tables if you want to avoid PF not loading, leaving you silently with a non-functional firewall, when using scripts for some automation.
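As an added example of that pre-check, not code from this thread, here is a Python script that validates a downloaded address list before it goes into a pf table: every entry must parse as an IPv4/IPv6 address or CIDR block; hostnames, garbage and entries containing non-printing characters are rejected and reported with their line number, and the surviving entries are written out in normalized form. Rejecting every hostname instead of resolving it is a design choice made here: a feed for an automated reload should contain only literal addresses. The sample feed, the table name badhosts and the file names in the usage comment are constructed.

```python
import ipaddress
import sys

# Constructed sample feed, the kind of list a script would download for a pf table.
# Lines 5 and 6 are deliberately bad; line 7 has CRLF plus trailing whitespace;
# line 8 has host bits set and is normalized to its network.
SAMPLE_FEED = (
    "# constructed sample feed\n"
    "203.0.113.7\n"
    "198.51.100.0/24\n"
    "2001:db8::/32\n"
    "evil.example.invalid\n"
    "300.1.2.3\n"
    "192.0.2.9 \t\r\n"
    "10.0.0.1/24\n"
)


def parse_table_entry(raw):
    """Return (network, None) for a loadable entry, (None, None) for a blank or
    comment-only line, or (None, reason) for an entry pf would refuse."""
    entry = raw.split("#", 1)[0].strip()
    if not entry:
        return None, None
    if not entry.isascii() or not entry.isprintable():
        return None, f"non-printing or non-ASCII characters in {entry!r}"
    try:
        # strict=False accepts host bits set ("10.0.0.1/24") and normalizes to the network
        return ipaddress.ip_network(entry, strict=False), None
    except ValueError:
        return None, f"not an IP address or CIDR block (hostname?): {entry!r}"


def clean_table_file(feed_text):
    """Split feed text into accepted entries (normalized strings) and
    a list of (line_no, reason) rejections."""
    accepted, rejected = [], []
    for no, raw in enumerate(feed_text.splitlines(), 1):
        net, reason = parse_table_entry(raw)
        if reason is not None:
            rejected.append((no, reason))
        elif net is not None:
            accepted.append(str(net))
    return accepted, rejected


def render_table_file(accepted, source="unknown"):
    """Build the text of a table file that pf can load with
    pfctl -t badhosts -T replace -f <file>."""
    lines = [f"# generated from {source}: {len(accepted)} entries"]
    lines.extend(accepted)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python3 clean_feed.py downloaded.txt > /etc/badhosts.txt  (hypothetical names)
    # Without an argument the embedded sample is cleaned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        source = sys.argv[1]
    else:
        text, source = SAMPLE_FEED, "embedded sample"
    accepted, rejected = clean_table_file(text)
    for no, reason in rejected:
        print(f"{source}:{no}: rejected: {reason}", file=sys.stderr)
    sys.stdout.write(render_table_file(accepted, source))
```

Rejected entries go to stderr with their line numbers while the cleaned list goes to stdout, so an automation script can log what was dropped and still hand pf a file that loads; the normalized /32 and /128 suffixes are accepted by pf table files.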
 