
Problem with PF - FreeBSD


  1. #1

    Problem with PF

    I'm trying to set up PF on a server, and when I run pfctl -nf
    /etc/pf.conf, I get the following error:
    pfctl: ifa_load: pfi_get_ifaces: Bad file descriptor

    Google doesn't come up with anything, I've got no clue what that is. Any help?
    Pat Guest

  2. #2

    Re: Problem with PF

    Pat Maddox <com> writes:
     

    More info is required.

    Which FreeBSD and PF versions (not all permutations of pf and FreeBSD
    will work, see the handbook), pf relevant rc.conf lines, your pf.conf,
    ifconfig output
     

    Check your ruleset for obvious errors, such as trying to address a
    non-existent interface. Then again, this is guesswork based on very
    little information.

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

    Peter Guest

  3. #3

    Re: Problem with PF

    FreeBSD 5.3-RELEASE-p5. I'm not sure how to check the pf version.

    I just started getting this error a couple days ago, and I've got
    absolutely no clue why. I don't recall making any significant changes
    to the box. Anyway, here's pf.conf:

    # ------- pf.conf skeleton for server
    #
    # --------------- MACRO Section -----------------

    EXT_IF="fxp0"

    PING = "echoreq"

    # --- allowed incoming services initiated by clients

    TCP_IN = "{ ssh, smtp, ftp, imap, http, 5001, 5002, 5003, 5004, 5005 }"
    UDP_IN = "{ domain }"

    # --- allowed services initiated by server

    TCP_OUT = "{ ssh, smtp, ftp, http, ntp, 5999 }"
    UDP_OUT = "{ domain, ntp }"

    # ------------------ TABLE Section --------------

    # ------------------ OPTIONS Section
    set loginterface $EXT_IF

    # --------- TRAFFIC NORMALIZATION ----------------
    scrub in all
    # ---------- TRANSLATION Section (NAT/RDR)

    # ---------- FILTER section

    # --- DEFAULT POLICY
    block log all

    # --- LOOPBACK
    pass quick on lo0 all

    # ======================= INCOMING ================
    # ----------- EXTERNAL INTERFACE

    # --- TCP
    pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

    # --- UDP
    pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

    # --- ICMP
    pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

    # ======================= OUTGOING ================
    # ----------- EXTERNAL INTERFACE

    # --- TCP
    pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

    # --- UDP
    pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

    # --- ICMP
    pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

    # ----------------- end of pf.conf


    On Thu, 31 Mar 2005 12:31:13 +0200, Peter N. M. Hansteen
    <no> wrote: 
    >
    > More info is required.
    >
    > Which FreeBSD and PF versions (not all permutations of pf and FreeBSD
    > will work, see the handbook), pf relevant rc.conf lines, your pf.conf,
    > ifconfig output

    >
    > Check your ruleset for obvious errors, such as trying to address a
    > non-existent interface. Then again, this is guesswork based on very
    > little information.
    >
    > --
    > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    > http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    > "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
    >
    Pat Guest

  4. #4

    Re: Problem with PF

    Sorry, I grabbed pf.conf from the wrong machine. I basically just
    copied the previous one, made the couple changes I needed. The real
    difference is that there's no UDP in, and not as many TCP ins are
    allowed:

    # ------- pf.conf skeleton for server
    #
    # --------------- MACRO Section -----------------

    EXT_IF="rl0"

    PING = "echoreq"

    # --- allowed incoming services initiated by clients

    TCP_IN = "{ ssh }"
    #UDP_IN = "{ }"

    # --- allowed services initiated by server

    TCP_OUT = "{ ssh, ftp, http, ntp, 5999 }"
    UDP_OUT = "{ domain, ntp }"

    # ------------------ TABLE Section --------------

    # ------------------ OPTIONS Section
    set loginterface $EXT_IF

    # --------- TRAFFIC NORMALIZATION ----------------
    scrub in all
    # ---------- TRANSLATION Section (NAT/RDR)

    # ---------- FILTER section

    # --- DEFAULT POLICY
    block log all

    # --- LOOPBACK
    pass quick on lo0 all

    # ======================= INCOMING ================
    # ----------- EXTERNAL INTERFACE

    # --- TCP
    pass in quick on $EXT_IF inet proto tcp from any to $EXT_IF port $TCP_IN flags S/SA keep state

    # --- UDP
    #pass in quick on $EXT_IF inet proto udp from any to $EXT_IF port $UDP_IN keep state

    # --- ICMP
    pass in quick on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type $PING keep state

    # ======================= OUTGOING ================
    # ----------- EXTERNAL INTERFACE

    # --- TCP
    pass out quick on $EXT_IF inet proto tcp from $EXT_IF to any port $TCP_OUT flags S/SA keep state

    # --- UDP
    pass out quick on $EXT_IF inet proto udp from $EXT_IF to any port $UDP_OUT keep state

    # --- ICMP
    pass out quick on $EXT_IF inet proto icmp from $EXT_IF to any icmp-type $PING keep state

    # ----------------- end of pf.conf



    On Thu, 31 Mar 2005 10:30:53 -0700, Pat Maddox <com> wrote: 
    > >
    > > More info is required.
    > >
    > > Which FreeBSD and PF versions (not all permutations of pf and FreeBSD
    > > will work, see the handbook), pf relevant rc.conf lines, your pf.conf,
    > > ifconfig output
    > > 
    > >
    > > Check your ruleset for obvious errors, such as trying to address a
    > > non-existent interface. Then again, this is guesswork based on very
    > > little information.
    > >
    > > --
    > > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    > > http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    > > "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
    > >
    Pat Guest

  5. #5

    Re: Problem with PF

    Pat Maddox <com> writes:
     

    One possible source of trouble is running pf from ports on 5.3-release
    or newer. That could happen if you were running, say, 5.2.something with
    the port, upgraded your system to 5.3 but left the port in place.
     

    That probably takes care of the incompatible port theory, then.
    Strange. The error message looks like the network interface has not
    been properly configured.

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"

    Peter Guest

  6. #6

    Re: Problem with PF

    I found it out, just didn't have pf.ko loaded up.


    On Mar 31, 2005 11:50 PM, Peter N. M. Hansteen <no> wrote: 
    >
    > One possible source of trouble is running pf from ports on 5.3-release
    > or newer. That could happen if you were running, say, 5.2.something with
    > the port, upgraded your system to 5.3 but left the port in place.

    >
    > That probably takes care of the incompatible port theory, then.
    > Strange. The error message looks like the network interface has not
    > been properly configured.
    >
    > --
    > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    > http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    > "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
    >
    Pat Guest
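
The cause found in this thread (pf.ko not loaded) and the earlier suggestion to look for a non-existent interface can both be checked before running pfctl -nf. The script below is an added example, not code from any poster; its function names are hypothetical, and it assumes a FreeBSD host whose kldstat accepts -q -m.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before `pfctl -nf`.

# Print every interface a ruleset names after "on" or "set loginterface",
# expanding simple NAME="value" macros such as EXT_IF.
pf_conf_interfaces() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {   # macro definition
            split($0, kv, "=")
            name = kv[1]; val = kv[2]
            gsub(/[ \t"]/, "", name); gsub(/[ \t"]/, "", val)
            macro[name] = val
            next
        }
        {
            for (i = 1; i < NF; i++)
                if ($i == "on" || $i == "loginterface") {
                    ifn = $(i + 1)
                    if (substr(ifn, 1, 1) == "$") ifn = macro[substr(ifn, 2)]
                    if (ifn != "") print ifn
                }
        }' "$1" | sort -u
}

# Print interfaces used by ruleset $1 that are not in list $2
# ($2 uses the `ifconfig -l` format: names separated by spaces).
missing_interfaces() {
    for ifn in $(pf_conf_interfaces "$1"); do
        case " $2 " in
            *" $ifn "*) ;;
            *) echo "$ifn" ;;
        esac
    done
}

# Run on the FreeBSD host: module, device node, interfaces, then the parse.
pf_preflight() {
    conf=${1:-/etc/pf.conf}
    kldstat -q -m pf || { echo "pf module not loaded; try: kldload pf" >&2; return 1; }
    [ -c /dev/pf ] || { echo "/dev/pf is missing" >&2; return 1; }
    missing=$(missing_interfaces "$conf" "$(ifconfig -l)")
    [ -z "$missing" ] || { echo "unknown interface(s): $missing" >&2; return 1; }
    pfctl -nf "$conf"
}

if [ "$#" -gt 0 ]; then pf_preflight "$1"; fi
```

Invoked with a ruleset path as its argument, the script stops at the first failed check, so a missing module is reported in plain words instead of surfacing as "Bad file descriptor".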
