PF is loaded, and when the computer restarts you lose it. Help.

Maybe it's worth attacking this from a different direction, as there seems to be a fundamental misunderstanding here of what's needed to get the firewall to start on boot.

  1. Create a file called /etc/pf.conf if it doesn't already exist.
  2. Put your firewall rules in this file. I'd recommend starting with something simple that's not likely to have errors. There are various examples of simple PF configurations on the net, including in the PF section of the handbook.
  3. Check the file with pfctl -n -f /etc/pf.conf. It may be worth posting the output of this command for us if you have further problems. (I've never used this command but I'm hoping it'll output something if there are errors.)
  4. Update /etc/rc.conf so the pf entries look like the following.
    Code:
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
  5. Reboot.
 
I still can not solve PF. :(

Sorry for the delay, I've been going over the PF section of the FreeBSD handbook over and over again. This is the result of the command pfctl -n -f /etc/pf.conf:
Code:
# pfctl -n -f /etc/pf.conf
pfctl: /etc/pf.conf: No such file or directory
pfctl: cannot open the main config file!: No such file or directory
#
What are the rules of this file /etc/pf.conf? Within that file there is nothing.

And this command, ls -l /path/to/pf.conf, results in:
Code:
# ls -l /path/to/pf.conf
ls: /path/to/pf.conf: No such file or directory
#
I read this on the console at boot:
Code:
/etc/rc: WARNING: /path/to/pf.conf is not readable.
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/gcc48 /usr/local/lib/nss
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Creating and/or trimming log files.
Starting syslogd.
Clearing /tmp (X related).
 
Code:
# pfctl -n -f /etc/pf.conf
pfctl: /etc/pf.conf: No such file or directory
pfctl: cannot open the main config file!: No such file or directory
#
What are the rules of this file /etc/pf.conf? Within that file there is nothing.
PF doesn't have built-in rules. You need to tell it what you want it to do. Usually that's done by the file /etc/pf.conf, although it's possible to specify a different file.

And this command, ls -l /path/to/pf.conf, results in:
Code:
# ls -l /path/to/pf.conf
ls: /path/to/pf.conf: No such file or directory
#
Please note that /path/to/pf.conf is not an actual path. The expression /path/to/foo is often used to indicate that you need to fill in wherever that file foo is. In your case it's /etc/pf.conf but in some cases it could be /usr/local/etc/pf.conf or /home/anaivanovic/pf.conf or whatever.
 
I'm still waiting to hear where in the Handbook it says to load the kernel module and then reboot...
 
I think my instructions were fairly clear. Steps 1 and 2 were to create that file and put pf rules in it. If you don't know what firewall rules you want, why are you trying to enable the firewall in the first place?

There are many examples of pf rules on the net; as I said, there are even some example rule sets on the pf handbook page. Work out what you want your firewall to do, figure out the specific rules you need using the handbook/pf docs/wikis/how-tos/whatever, and put them in /etc/pf.conf.

If you create your rule set and still can't get things to work right, we may be able to check your rules and tell you what's wrong, but we can't really decide on your pf rules for you. Considering it's taken 2 days and 30 messages and you still haven't properly understood that you need a rule file, and that pf_rules should point to it, we would be here forever trying to get the firewall working exactly as you want it. You need to learn to create the rule file for yourself.
 
PF doesn't have built-in rules. You need to tell it what you want it to do. Usually that's done by the file /etc/pf.conf

You need to tell it what you want it to do? What are the lines of this file /etc/pf.conf that I have to write in there? I did as indicated by the FreeBSD handbook in chapter 30, the PF section. The first thing I did was to load the kernel module:
Code:
# kldload pf
Then add the lines in the file /etc/rc.conf
Code:
# ee /etc/rc.conf
pf_enable="YES"

Then restart the system. In the event of loss of PF, add the following line to the file /etc/rc.conf:
Code:
# ee /etc/rc.conf
pf_rules="/path/to/pf.conf"

It's mentioned nowhere that I need to add to /etc/pf.conf.
 
why are you trying to enable the firewall in the first place?

Considering it's taken 2 days and 30 messages and you still haven't properly understood that you need a rule file, and that pf_rules should point to it. You need to learn to create the rule file for yourself.

In today's world, it is very important to have a secure system that is free of intruders; the firewall is very important for safety. For me the only rules are the instructions in the FreeBSD handbook, which do not indicate that anything must be added to /etc/pf.conf.

Thank you very much for the replies, hopefully someone says what to put in /etc/pf.conf. It is not in the handbook and I lose myself in /etc/pf.conf.
 
Please try to understand that PF is not like, say, Windows Defender or something. You need to decide for yourself what you want the firewall to do.

One common approach is to block all (incoming) traffic except on certain specific ports that are needed by servers. But there are countless other setups imaginable. I suggest that you try to explain just what you want your firewall to actually do.
 
You need to decide for yourself what you want the firewall to do.

I suggest that you try to explain just what you want your firewall to actually do.

A firewall is an external barrier that filters and protects the network against unwanted access by intruders (hackers, malware) to a computer, which can cause the intentional loss of valuable information or even deny services on the network.

The firewall is used:

  1. To preserve safety and privacy.
  2. To protect the home network.
  3. To keep the information on our network, server, or computer safe.
  4. To prevent unwanted intrusions into our network and computer.
  5. To prevent possible denial-of-service attacks.

So you already know why I need the firewall: to protect the network and keep the computer well protected against unwanted intrusions.
 
LOL, I'm pretty sure fonz already knows what a firewall is. He's asking what YOU want the firewall to do. Do you want it to block all external connections, or handle NAT for your network, or allow HTTP in, or block torrents, etc, etc.

FreeBSD handbook, which do not indicate that anything must be added in /etc/pf.conf.

The handbook seems to have a mistake, in that it says /etc/pf.conf should already exist, but I don't seem to have this file on any of my servers. It does suggest however, that you need to have a rule file.
From the Handbook: PF will not start if it cannot find its ruleset configuration file. The default ruleset is already created and is named /etc/pf.conf. If a custom ruleset has been saved somewhere else, add a line to /etc/rc.conf which specifies the full path to the file:

pf_rules="/path/to/pf.conf"

The handbook pretty much assumes that the reader realises they will need to create some firewall rules. As already mentioned, /path/to/pf.conf is just a place holder, you are supposed to put the path to your own ruleset file there.

Section 30.3.3 of the handbook (part of the PF page), gives quite a large number of example rulesets for doing different things. For the simplest possible firewall the following would suffice (taken from the handbook):

/etc/pf.conf
Code:
block in all
pass out all keep state

/etc/rc.conf
Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"

This will block any external connections, but allow the FreeBSD machine itself to connect out. Please note that this blocks ALL external connections. You won't even be able to SSH to the box, from anywhere, with this ruleset. It only allows connections out and does nothing else, which is probably not what you want, but only you can decide what rules you need.
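Before rebooting, it is worth checking the whole chain this thread keeps tripping over in one go: that pf_enable is YES, that pf_rules does not still contain the Handbook's /path/to placeholder, that the rules file exists and actually contains rules, that pfctl -n -f accepts it, and (the caveat from the two-line ruleset just above) whether the ruleset will lock you out of SSH. The script below is an added example written for this page, not code from the Handbook or from any poster. It assumes the rc.conf path is passed as an argument (so it can be rehearsed against a copy), treats a missing pf_rules line as the /etc/defaults/rc.conf default of /etc/pf.conf, and only runs pfctl when pfctl is installed; the exit codes are this example's own convention.

```sh
#!/bin/sh
# pf_preflight: check that rc.conf really points PF at a usable ruleset
# before rebooting. Added example for this thread, not Handbook code.
# Exit codes (this example's convention): 0 ok, 1 pf not enabled,
# 2 placeholder path left in pf_rules, 3 rules file missing/unreadable,
# 4 rules file contains no rules, 5 pfctl -n -f rejected the ruleset.

# Print the value of variable $2 from the rc.conf-style file $1.
# Last assignment wins, as it does for sh; surrounding double quotes
# and a trailing comment are stripped.
rc_value() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- |
        sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//'
}

# Count the lines in $1 that are neither blank nor comments.
rule_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -v '^[[:space:]]*$'
}

pf_preflight() {
    rc_conf=$1                        # normally /etc/rc.conf
    enable=$(rc_value "$rc_conf" pf_enable)
    rules=$(rc_value "$rc_conf" pf_rules)
    # No pf_rules line means the default from /etc/defaults/rc.conf applies.
    [ -n "$rules" ] || rules=/etc/pf.conf

    if [ "$enable" != "YES" ]; then
        echo "pf_enable is '${enable:-unset}', not YES: pf will not start at boot"
        return 1
    fi
    case $rules in
        */path/to/*)
            echo "pf_rules=\"$rules\" is the Handbook's placeholder, not a real file"
            return 2 ;;
    esac
    if [ ! -r "$rules" ]; then
        echo "rules file $rules is missing or unreadable (rc warns: $rules is not readable.)"
        return 3
    fi
    if [ "$(rule_count "$rules")" -eq 0 ]; then
        echo "$rules contains no rules; PF has no built-in policy, so nothing would load"
        return 4
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -n -f "$rules" || { echo "pfctl -n -f rejected $rules"; return 5; }
    else
        echo "pfctl not installed here; run 'pfctl -n -f $rules' on the FreeBSD box"
    fi
    # The lockout caveat: a ruleset that blocks inbound traffic and passes
    # nothing in cuts off remote SSH the moment it loads.
    if grep -q '^[[:space:]]*block[[:space:]]\{1,\}in' "$rules" &&
       ! grep -q '^[[:space:]]*pass[[:space:]]\{1,\}in' "$rules"; then
        echo "note: $rules blocks all inbound traffic and passes none; you will not be able to SSH in"
    fi
    echo "ok: pf_enable=YES, pf_rules=$rules"
    return 0
}

# Usage on the machine itself: pf_preflight /etc/rc.conf
```

Run it as root on the FreeBSD box with the real /etc/rc.conf; a non-zero exit names the step that is still wrong. The lockout note is advisory only, since a ruleset with no pass in rule is exactly right for a desktop that should accept no connections, as the post above says.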
 
He's asking what YOU want the firewall to do. Do you want it to block all external connections, or handle NAT for your network, or allow http in, or block torrents, etc, etc.
I'm sorry, for my part I confused sections 30.3.1, 30.3.2 and 30.3.3. I wanted to load it by default, but you can't, and then encrypt or filter the incoming and outgoing network traffic.

I don't have a server; in my free time I am testing a FreeBSD desktop. PF is lost when you restart the system. Can I build PF without this being present? What do you think of this firewall configuration, taken from a forum?

Code:
# vi /etc/pf.conf
ext_if = "em0"                  # external interface; change to match ifconfig output

set block-policy drop           # silently drop blocked packets instead of answering with RST/ICMP
set skip on lo0                 # do not filter loopback

scrub in all                    # normalise incoming packets (reassemble fragments, etc.)

block in all                    # default deny for everything coming in
antispoof quick for ($ext_if)   # drop packets from outside that claim our own addresses
block in quick from { urpf-failed no-route } to any   # drop sources that fail reverse-path check or have no route
pass out quick on $ext_if keep state                  # allow outbound connections; state lets replies back in
 
By the way, I don't know whether this changed in FreeBSD 10, but /etc/pf.conf used to be the default location for the PF configuration file. So explicitly specifying pf_rules in /etc/rc.conf wasn't necessary as long as you were using what it said in /etc/defaults/rc.conf, which used to be /etc/pf.conf.
 
No it has not changed. But the handbook uses this as an example. It is always good to have if you are experimenting with different sets. I usually have many copies of pf.conf. Of course, the handbook assumes that the reader is able to understand what path means...
 
I wanted to load PF and restart to load the default. I also wanted a filtering firewall, the system's default setting. Remember I'm new and I like this system; if something goes wrong, don't hit me. The only guide is the FreeBSD handbook. Now who could help me build a custom PF, supergirl? :rolleyes:
 
Here is a sample pf.conf with ruleset (from OpenBSD), adjust it accordingly:
Code:
# macros

int_if="xl0"                 # internal (LAN) interface; adjust to your NIC name

tcp_services="{ 22, 113 }"   # services reachable from outside: ssh and ident
icmp_types="echoreq"         # allow ping in

comp3="192.168.0.3"          # internal host that receives forwarded port 80

# options

set block-policy return      # answer blocked packets with TCP RST / ICMP unreachable
set loginterface egress      # "egress" is OpenBSD's automatic interface group; FreeBSD creates no such group
set skip on lo

# FTP Proxy rules (OpenBSD ftp-proxy(8) divert-to form)

anchor "ftp-proxy/*"

pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

# match rules ("match" and "nat-to" are OpenBSD syntax; the PF in FreeBSD 10
# does not accept them and uses "nat on ... -> ..." translation rules instead)

match out on egress inet from !(egress:network) to any nat-to (egress:0)

# filter rules

block in log                 # default deny inbound, logged to pflog
pass out quick               # allow all outbound

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

# "rdr-to" is likewise OpenBSD syntax; FreeBSD's PF uses "rdr on ... -> ..."
pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if           # trust everything from the LAN side
 