Solved default pf firewall for desktop

Hello
Default pf firewall rules for the desktop do not work
I've always used the kit
block in all
pass out all keep state
And everything was fine. But it hasn't worked for a while.
What happened?
It doesn't accept the rule
Code:
pass out all keep state
 
  • Define "do not work".
  • Where did you find these default rules?
  • What version of FreeBSD are you running?
  • What error message do you get?
  • What do you expect to have happen?

My CURRENT machine is perfectly happy with a pf.conf that only contains "pass out all keep state".
 
Because yours defaults (implicitly) to deny/block all, what Yampress wrote explicitly? Then there's no difference...
Actually, according to pf.conf(5) the default is to pass the packet:
Code:
     For each packet processed by the packet filter, the filter rules are
     evaluated in sequential order, from first to last.  The last matching
     rule decides what action is taken.  If no rule matches the packet, the
     default action is to pass the packet.
Unless you build a custom kernel with the following enabled:
Code:
# PF_DEFAULT_TO_DROP causes the default pf(4) rule to deny everything.
options         PF_DEFAULT_TO_DROP      #drop everything by default
When doing so, you might be affected by PR 237477
 
root@freebsd /home/yampress # freebsd-version
12.1-RELEASE-p8
root@freebsd /home/yampress # uname -a
FreeBSD freebsd 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC amd64

root@freebsd /etc # cat /etc/pf.conf
block in all
pass out all keep state

root@freebsd /etc # service pf restart
Disabling pf.
Enabling pf/etc/pf.conf:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded
Early on, it worked according to the manual. It's been down lately. And I don't remember for how long.
https://www.freebsd.org/doc/handbook/firewalls-pf.html
 
Do you get the same error message when you run service pf check? I can test-load the same rules on 12.1-RELEASE-p8 without any problems. You might want to check your /etc/pf.conf for leading/trailing blanks. I remember once having a problem with trailing whitespace, though I could not reproduce it as of now. As all and keep state are the defaults, the simplest ruleset should be:
Code:
pass out
block in
 
root@freebsd /var/log # service pf check
Checking pf rules.
/etc/pf.conf:2: syntax error
root@freebsd /var/log #

There is no spacebar in pf.conf
I have checked two times
 
root@freebsd /home/yampress # cat /etc/rc.conf
rc_startmsgs="NO"
kld_list="i915kms fuse ext2fs"
vboxnet_enable="YES"
vboxguest_enable="YES"
update_motd="NO"
moused_enable="YES"
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="freebsd"
keymap="pl.kbd"
ifconfig_re0="inet 10.0.1.3 netmask 255.255.255.0"
defaultrouter="10.0.1.1"
dumpdev="NO"
zfs_enable="YES"
webcamd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
dnscrypt_proxy_enable="YES"
unbound_enable="YES"
#hald_enable="YES"
dbus_enable="YES"
slim_enable="YES"
root@freebsd /home/yampress #

root@freebsd /home/yampress # hexdump -C /etc/pf.conf
00000000 62 6c 6f 63 6b 20 69 6e 20 61 6c 6c 0a 70 61 73 |block in all.pas|
00000010 73 20 6f 75 74 20 61 6c 6c 20 6b 65 65 70 20 73 |s out all keep s|
00000020 74 61 74 65 |tate|
00000024
root@freebsd /home/yampress # service pf restart
Disabling pf.
Enabling pf/etc/pf.conf:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded
 
You're missing an endline at the end of your pf.conf and that's confusing the parser.
Add an empty line at the end of the file. Most editors do this automatically, so most people don't run into this.
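Added example, not from the thread: a small POSIX sh check that detects the exact condition shown in the hexdump above (a pf.conf whose last byte is not 0x0a) and appends the missing newline before the ruleset is test-loaded. File names and function names are my own; on a real host you would point it at /etc/pf.conf and follow it with pfctl -nf.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find a pf.conf with no
# trailing newline, the cause of "/etc/pf.conf:2: syntax error" above,
# and repair it before "service pf check".

# Returns 0 if the file is non-empty and its final byte is "\n", else 1.
ends_with_newline() {
    # tail -c1 prints the last byte; $(...) strips a trailing newline,
    # so an empty result means the file ended with one.
    [ -s "$1" ] && [ -z "$(tail -c1 "$1")" ]
}

# Append one newline only when it is missing, so repeated runs are safe.
ensure_trailing_newline() {
    if ! ends_with_newline "$1"; then
        printf '\n' >> "$1"
    fi
}

# Constructed sample: the thread's two rules written without a final "\n",
# i.e. the same 36-byte file the hexdump shows.
demo_file="${TMPDIR:-/tmp}/pf.conf.example.$$"
printf 'block in all\npass out all keep state' > "$demo_file"

if ends_with_newline "$demo_file"; then
    echo "ok: $demo_file already ends with a newline"
else
    echo "fixing: $demo_file has no trailing newline"
    ensure_trailing_newline "$demo_file"
fi
# On FreeBSD the real test-load would now be: pfctl -nf "$demo_file"
rm -f "$demo_file"
```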
 
I am using ee and mcedit to edit configuration files.
I added an empty line to pf.conf
And managed to load pf rules

root@freebsd /home/yampress # service pf restart
Disabling pf.
Enabling pf.
root@freebsd /home/yampress # cat /etc/pf.conf
block in all
pass out all keep state
root@freebsd /home/yampress #

So my problem is solved
Thank you Kristof Provost
 