[SOLVED] PF Setup issue

Hello everyone,

I just set up a pf.conf file with the following entries:
Code:
### Interfaces ###
ext_if = bge0 
int_if = lo1

### Jails ###
Nginx_jail = 192.168.0.001
MySQL_jail = 192.168.0.002

Nginx_ports = "{ http,https }"
MySQL_ports = "{ 3306 }"

### general ###
scrub in all # normalize packets
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
table persist

### translations ###
rdr on $ext_if proto tcp from any to $ext_if port $Nginx_ports -> $Nginx_jail
rdr on $ext_if proto tcp fron any to $ext_if port $MySQL_ports -> $MySQL_jail

### more general ###
block drop in quick inet from to any
antispoof for $ext_if # prevent several spoofing attacks
When I ran
root@FreeBSD:~ # pfctl -sn
I get the following:
Code:
No ALTQ support in kernel
ALTQ related functions disabled
It looks like nothing has been inserted.

Could anyone please advise on how I could solve this issue?

Thank you in advance
Fred
 
Re: PF Setup issue

That's not a real error. ALTQ isn't by default compiled into the generic FreeBSD kernel. You need to load the modules yourself.
 
Re: PF Setup issue

That is a pet peeve of anyone running PF without the need for traffic shaping (which ALTQ delivers). There's no way to suppress this 'banner', unless you load ALTQ, which you may not need at all, ever. So learn to ignore it.
 
Re: PF Setup issue

You really want to see errors when running pf-related commands, believe me.
 
Re: PF Setup issue

I believe you. But for trivial commands such as pfctl -t <table> -vTs (especially when writing to file), etc. I find the ALTQ comments really annoying so I get rid of them.
 
Re: PF Setup issue

Thank you very much, guys. So I don't need to worry about the ALTQ error, but what about no rules being displayed? Am I using the wrong command to see which rules pf is using?

Code:
root@FreeBSD:# pfctl -vnf /etc/pf.conf
returns
Code:
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
root@FreeBSD:/var/log # pfctl -vnf /etc/pf.conf
ext_if = "bge0"
int_if = "lo1"
Nginx_jail = "192.168.0.001"
MySQL_jail = "192.168.0.002"
Nginx_ports = "{ http,https }"
MySQL_ports = "{ 3306 }"
/etc/pf.conf:15: syntax error
/etc/pf.conf:19: syntax error
/etc/pf.conf:22: syntax error

Can anyone spot where the syntax error is?
Thank you
 
Re: PF Setup issue

pfctl(8) has all you need. Like pfctl -sr. The syntax errors aren't shown. You'll have to go to lines 15, 19 and 22 of your pf.conf in an editor.
 
Re: PF Setup issue

Code:
root@FreeBSD:# pfctl -vnf /etc/pf.conf
Code:
      1 ### Interfaces ###
      2 ext_if="bge0" # external network interface
      3 int_if="lo1"
      4
      5 ### Jails ###
      6 Nginx_jail="192.168.0.115"
      7 MySQL_jail="192.168.0.120"
      8
      9 Nginx_ports="{ http,https }"
     10 MySQL_ports="{ 3306 }"
     11
     12 ### general ###
     13 scrub in all
     14 nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
     15 table persist
     16
     17 ### translations ###
     18 rdr on $ext_if proto tcp from any to $ext_if port $Nginx_ports -> $Nginx_jail
     19 rdr on $ext_if proto tcp fron any to $ext_if port $MySQL_ports -> $MySQL_jail
     20
     21 ### more general ###
     22 block drop in quick inet from to any
     23 antispoof for $ext_if
I must be missing the obvious, but I cannot see any syntax problem at lines 15, 19 and 22.
 
Re: PF Setup issue

Line 15:

Code:
table persist
is not valid syntax. It's
Code:
table <somename> persist
Other errors may be triggered by it.

Line 19 has fron instead of from.

Line 22 has
Code:
from to any
instead of
Code:
from any to any
(or whatever source specification you want).

Really, just be precise.
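The poster's file with the three corrections from the reply above applied, as an added example (this is not Fred's final pf.conf); the table name "blocked" and the jail addresses are placeholders, and the comments mark where rule order matters:

```pf
# Parse without loading: pfctl -nf /etc/pf.conf (-n checks syntax only)

### Interfaces ###
ext_if = "bge0"
int_if = "lo1"

### Jails ###
Nginx_jail = "192.168.0.115"   # placeholder jail addresses
MySQL_jail = "192.168.0.120"

Nginx_ports = "{ http, https }"
MySQL_ports = "{ 3306 }"

### general ###
scrub in all                                    # normalize packets
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
table <blocked> persist                         # fix 1: a table needs a name

### translations ###
rdr on $ext_if proto tcp from any to $ext_if port $Nginx_ports -> $Nginx_jail
# fix 2: "fron" -> "from". This rule exposes MySQL to everything that reaches
# $ext_if; restrict the source to trusted hosts unless that is really intended.
rdr on $ext_if proto tcp from any to $ext_if port $MySQL_ports -> $MySQL_jail

### more general ###
antispoof for $ext_if                           # prevent several spoofing attacks
# fix 3: the source address was missing. "quick" ends evaluation for inbound
# packets, so antispoof and any pass rules for the redirected jail ports have
# to sit above this line, otherwise the translated traffic is still dropped.
block drop in quick inet from any to any
```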
 