Hi FreeBSD community!
Just a weird issue with pf, and I can't find an answer or a solution...
Here's my /etc/rc.conf:
Code:
hostname="XXXXX"
keymap="fr.acc"
ifconfig_em0="DHCP"
sshd_enable="YES"
devmatch_enable="NO"
sendmail_enable="NONE"
ntpd_enable="YES"
smtpd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pf"
And here's my /etc/pf.conf:
Code:
int_if = "lo0"
ext_if = "em0"
icmp_types = "{ echoreq unreach }"
table <ips-banned> persist file "/var/log/ips-banned"
table <ips-work> persist file "/etc/ips-work"
table <ips-ssh-violations> persist file "/var/log/ips-ssh-violations"
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on lo0
scrub in all
antispoof quick log for { lo0 $ext_if }
block in all
block out all
pass in quick proto { tcp, udp } from { <ips-work> } to any
pass out quick proto { tcp, udp } from $ext_if to any
block drop in quick from <ips-ssh-violations> to any
block in quick log proto icmp from <ips-banned>
block in quick log proto tcp from <ips-banned> to port { 22, 25 }
pass inet proto icmp icmp-type $icmp_types
pass in on $ext_if proto tcp from any to $ext_if port 22 \
flags S/SA keep state ( max-src-conn 20, max-src-conn-rate 15/5, \
overload <ips-banned> flush global)
After a reboot, pf is launched: service pf status
Code:
Status: Enabled for 0 days 00:07:19           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                            5103           11.6/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                               5103           11.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                             10            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
However, my tables are not loaded:
pfctl -T show -t ips-work
Code:
pfctl: Table does not exist.
And, if I reload pf:
service pf reload
Code:
Reloading pf rules
Now, my tables are loaded:
pfctl -T show -t ips-work
Code:
XX.XX.XX.XX
XX.XX.XX.XX
XX.XX.XX.XX
XX.XX.XX.XX
XX.XX.XX.XX
Do you see an issue? Why should I reload pf after the boot? Why are my tables not loaded on boot?
Thanks a lot for your responses and advice.
Regards,
ssbear
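A post-boot sanity check for the situation described above, added here as an example and not taken from the post or from FreeBSD itself: it lists every table declared in a pf.conf and asks pfctl(8) which of them the kernel does not know about, so a missing table is caught right after boot instead of when a blocked host gets through. It assumes pfctl is on PATH when pf_missing_tables is run; the sample config in write_sample_conf is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of the original post). Assumes pfctl(8) is available
# when pf_missing_tables is called; pf_declared_tables needs only awk.

# Print the name of every table declared as "table <name> ..." in the file
# given as $1. Comments are stripped first, so a commented-out declaration
# is ignored.
pf_declared_tables() {
    awk '{ sub(/#.*/, "") }
         $1 == "table" && $2 ~ /^<[^>]+>$/ { t = $2; gsub(/[<>]/, "", t); print t }' "$1"
}

# For each declared table, ask the kernel whether it exists. Print the names
# of the missing ones and return 1 if any is missing, 0 otherwise.
# pfctl exits non-zero with "Table does not exist." for an unknown table.
pf_missing_tables() {
    conf="${1:-/etc/pf.conf}"
    rc=0
    for t in $(pf_declared_tables "$conf"); do
        if ! pfctl -t "$t" -T show >/dev/null 2>&1; then
            echo "missing table: $t" >&2
            rc=1
        fi
    done
    return $rc
}

# Write a constructed sample pf.conf (same shape as the one in the post) to $1,
# including one commented-out declaration that must not be reported.
write_sample_conf() {
    cat > "$1" <<'EOF'
ext_if = "em0"
table <ips-banned> persist file "/var/log/ips-banned"   # persistent bans
# table <ips-old> persist file "/etc/ips-old"
table <ips-work> persist file "/etc/ips-work"
block in all
pass in quick proto { tcp, udp } from { <ips-work> } to any
EOF
}

# Run the parser over the sample and print the declared names on one line.
demo_declared() {
    f=$(mktemp) || return 1
    write_sample_conf "$f"
    pf_declared_tables "$f" | tr '\n' ' '
    rm -f "$f"
}
```

Run `pf_missing_tables /etc/pf.conf` after boot (or from a cron `@reboot` entry) and a non-zero exit tells you a declared table never made it into the kernel.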