#1
Hello,
For the past 3 weeks I have been testing the PF firewall and so far so good, except for the rules not loading automatically on reboot.
I load the rules using pfctl -F all -f /etc/pf.conf and all works great.
I did change my default kernel to accommodate altq.
I actually had to redo the kernel because I rebooted once after attempting to change sysctl.conf to switch the congestion algorithm to htcp using:
Code:
net.inet.tcp.cc.algorithm=htcp
And when the system came back up, the pf.conf rules did not load, and when I manually loaded them pf could not recognize the altq lines, saying that they were not defined for my interfaces, but I am not sure how that is possible since they worked before.
So I suspected that the issue was messing with sysctl.conf
I proceeded to revert and delete the sysctl.conf entry
Rebooted and still the same issue, so I proceeded to redo the kernel for the altq options and it worked, kind of
I still have to manually load the firewall rules
The steps I followed to build the custom kernel were from the manual:
Code:
# cd /usr/src/sys/amd64/conf
# cp GENERIC MYKERNEL
add the new kernel options at the bottom of the custom kernel config:
options ALTQ
options ALTQ_CBQ # Class Based Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
THEN
Code:
# cd /usr/src
# make buildkernel KERNCONF=MYKERNEL
# make installkernel KERNCONF=MYKERNEL
# reboot
Not sure if I missed a step on the custom kernel.
I suspected the reason that the rules were not loaded was that I did not specify the directory where the rules are stored, so I added it to /etc/rc.conf:
Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
But that doesn’t seem to be the issue either, especially because the manual says that by default pf knows to go to /etc/pf.conf.
I did also try this on a vm in virtualbox since my desktop was not behaving as expected.
I followed the same steps as above except for adding the rules path: pf_rules="/etc/pf.conf"
And it works. Rules automatically get populated.
More info on my physical desktop/FW/router, for guidance:
Code:
uname -a:
FreeBSD hostname 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 r369569 GENERIC amd64
altq rules:
#igb0 queue
altq on igb0 hfsc bandwidth 100Mb queue { one two three four }
queue one bandwidth 77% priority 10 qlimit 1000 hfsc (default)
queue two bandwidth 10% priority 9
queue three bandwidth 3% priority 1 hfsc (red)
queue four bandwidth 10% priority 0 hfsc (red)
#igb1 queue
altq on igb1 hfsc bandwidth 100Mb queue { five six seven }
queue five bandwidth 80% priority 10 qlimit 900 hfsc (default)
queue six bandwidth 7% priority 9 qlimit 200
queue seven bandwidth 5% priority 3
Code:
#cat /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
kernel: ---<<BOOT>>---
kernel: Copyright (c) 1992-2020 The FreeBSD Project.
kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
kernel: The Regents of the University of California. All rights reserved.
kernel: FreeBSD is a registered trademark of The FreeBSD Foundation.
kernel: FreeBSD 12.2-RELEASE-p6 r369569 GENERIC amd64
#2
Do you have any DNS names (rather than dotted-decimal addresses) in your rules? This is a common reason for loading to fail at boot (before local_unbound is running) but succeed manually later.
Thread Starter
#3
Eric A. Borisch
LOL
I was just about to update this thread, when I saw your reply.
I thought about that 20 min ago, replaced my DNS entries for FreeBSD update with the addresses I looked up with nslookup, and rebooted.
Like magic it worked!!!
I have bind9 set up on my system and thought it was probably slow to start and pf is faster, which would not allow the rules to load since I had DNS entries in my rules.
Thank you for your reply on this. Much appreciated!
#4
You don’t need a custom kernel to enable PF and ALTQ. And when you do create a custom kernel make sure to change the ident so it doesn’t look like you’re running a standard GENERIC kernel.
Thread Starter
#5
SirDice
Ah! I was following the handbook and man pages on the custom kernel for ALTQ.
PF did indeed work without any kernel modifications before I got curious about altq. I did add the pfsync device in the kernel since that did not come with the PF kernel module; maybe I am wrong about that too?
With regards to the custom kernel ident, I realized after the 3rd attempt yesterday that maybe I should change it to make sure I don’t get confused about which is which.
Thanks for clarifying both points!
#6
maybe I should change it to make sure I don’t get confused on which is which.
Yes, the ident is shown in uname -a output. If you post your output and we see a "GENERIC" we assume it’s the standard kernel, not a custom one. That could lead to all sorts of misunderstandings.
Thread Starter
#7
Not sure if I should open a new thread or continue this one, since the altq issue is ongoing when I change sysctl.conf; please advise if I should open a new thread with the contents below, thank you.
After adding several settings in /etc/sysctl.conf:
Code:
net.inet.tcp.sendbuf_max=33554432
net.inet.tcp.recvbuf_max=33554432
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288
net.inet.tcp.hostcache.expire=1
net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.cc.htcp.adaptive_backoff=1
net.inet.tcp.cc.htcp.rtt_scaling=1
net.inet.tcp.rfc6675_pipe=1
net.inet.tcp.minmss=536
net.inet.tcp.syncache.rexmtlimit=1
net.inet.tcp.abc_l_var=44
net.inet.tcp.initcwnd_segments=16
net.inet.tcp.tso=0
net.inet.ip.redirect=0
net.inet.tcp.always_keepalive=0
net.inet.sctp.blackhole=2
net.inet.tcp.blackhole=2
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.finwait2_timeout=5000
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.keepinit=5000
net.inet.tcp.msl=2500
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rexmit_slop=70
net.inet.udp.blackhole=1
and /boot/loader.conf:
THEN reboot
The altq settings cause /etc/pf.conf not to get implemented at all.
So the fix I have to do is one of 2 things:
Comment out the
and
lines
then all good:
Code:
# pfctl -F all -f /etc/pf.conf
rules cleared
nat cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
OR
Rebuild the kernel
After either of the two changes all is working well.
Does changing /etc/sysctl.conf require rebuilding the kernel?
The ERRORS I get for /etc/pf.conf after changing /etc/sysctl.conf and then rebooting:
Code:
# pfctl -F all -f /etc/pf.conf
rules cleared
nat cleared
4 tables deleted.
284 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
altq not defined on igb0
altq not defined on igb0
/etc/pf.conf:18: errors in queue definition
altq not defined on igb0
/etc/pf.conf:19: errors in queue definition
altq not defined on igb0
/etc/pf.conf:20: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
when running
Code:
# pfctl -vnf /etc/pf.conf
I get no errors, the above errors are given when I run:
Code:
# pfctl -F all -f /etc/pf.conf
Just an FYI:
Code:
#uname -a
FreeBSD firewall 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 r369569 NETOPTIMIZED-PF amd64
#8
Does changing /etc/sysctl.conf require rebuilding the kernel?
No, all those settings can be set "on-the-fly" actually.
Can you post your pf.conf? I think the issue might just be some rule that’s causing it to fail when the system boots, but then it applies fine when the system is done booting. Any DNS hostnames in the ruleset? Those might fail to load because it tries to apply them before DNS is actually working.
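Posts #2 and #8 above both name the same failure mode: pfctl resolves hostnames once, while the ruleset loads, so a rule that is fine at the prompt is rejected at boot before the resolver is up. The pre-flight check below is an added example, not code from the thread or from FreeBSD; it lists every from/to operand, macro value and table entry in a pf.conf that would need DNS, and the sample ruleset it runs against is constructed here (the interface names passed as arguments are assumed to be the host's own).

```shell
#!/bin/sh
# Added example (not from the thread): list every operand in a pf.conf that
# pfctl would have to resolve through DNS.  Names are resolved once, while
# the ruleset loads, so a name that is fine at the prompt fails at boot when
# the resolver is not running yet and pfctl rejects the whole ruleset.
#
# Usage: pf_hostname_rules /etc/pf.conf [interface names used as hosts...]
# Prints "LINE:NAME" per hit; returns 1 if anything was found, else 0.
pf_hostname_rules() {
    conf=$1; shift
    awk -v ifaces="$*" '
    BEGIN { n = split(ifaces, ifl, " "); for (i = 1; i <= n; i++) known[ifl[i]] = 1 }
    # operands pfctl evaluates without DNS: literal addresses, keywords,
    # $macros, <tables>, (interfaces) and the interface names passed in
    function is_known(t) {
        if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) return 1  # IPv4[/len]
        if (t ~ /:/) return 1                        # IPv6 literal or if:network
        if (t ~ /^(any|all|self|no-route|urpf-failed|route|port|!|,)$/) return 1
        if (t ~ /^[$<(]/) return 1                   # $macro, <table>, (if)
        if (t in known) return 1
        return 0
    }
    function hit(t, line) { hits++; print line ":" t }
    function check(t, line) { if (t != "" && !is_known(t)) hit(t, line) }
    {
        sub(/#.*/, "")                               # comments never reach pfctl
        gsub(/"/, "")                                # macro values are quoted
        gsub(/[{},]/, " & ")                         # braces, commas -> own tokens
        n = split($0, tok)
        if (tok[1] == "table" || $0 ~ /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) {
            # macro and table definitions: only dotted names are flagged, so
            # port lists and interface names in macros do not trip the check
            for (i = 2; i <= n; i++)
                if (tok[i] ~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/ && tok[i] ~ /[A-Za-z]/)
                    hit(tok[i], NR)
            next
        }
        for (i = 1; i <= n; i++) {                   # filter/nat rules
            if (tok[i] != "from" && tok[i] != "to") continue
            j = i + 1
            if (tok[j] == "{") {                     # host list up to "}"
                for (j++; j <= n && tok[j] != "}"; j++) check(tok[j], NR)
            } else {
                if (tok[j] == "!") j++               # negated operand
                check(tok[j], NR)
            }
        }
    }
    END { exit (hits > 0) }' "$conf"
}

# Constructed sample ruleset (not the thread starter's): lines 2, 3 and 5
# need DNS, line 6 carries the name only in a comment, and line 11 uses an
# interface name as a host, which is fine once that name is passed in.
sample_pf_conf() {
    cat <<'EOF'
ext_if = "igb0"
mirrors = "{ update.freebsd.org, pkg.freebsd.org }"
table <trusted> persist { 10.0.0.5, admin.example.net }
set skip on lo0
pass out quick on $ext_if proto tcp from any to update1.freebsd.org port 80 keep state
pass out quick on $ext_if proto tcp from any to 163.237.247.16 port 80 keep state  # update1.freebsd.org
pass in on igb1 proto tcp from { 10.0.0.0/24, ! 10.0.0.17 } to any port 22
pass in on igb1 inet6 from fe80::/10 to any
block in from no-route to any
nat on $ext_if from 192.168.1.0/24 to any -> (igb0)
pass in on igb1 from igb1 to any
EOF
}

tmp=$(mktemp)
sample_pf_conf > "$tmp"
if pf_hostname_rules "$tmp" igb0 igb1; then
    echo "no hostnames: ruleset can load before the resolver is up"
else
    echo "replace the names above with addresses, or move them into a table that is refreshed after boot"
fi
rm -f "$tmp"
```

A ruleset that passes this check can still fail for other reasons, so keep `pfctl -nf` in the deploy path as well.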
Thread Starter
#9
No, all those settings can be set "on-the-fly" actually.
Can you post your pf.conf? I think the issue might just be some rule that’s causing it to fail when the system boots, but then it applies fine when the system is done booting. Any DNS hostnames in the ruleset? Those might fail to load because it tries to apply them before DNS is actually working.
On reboot after rebuilding the kernel that includes the sysctl.conf changes and kernel changes for altq, everything is working now.
But it is cumbersome to have to rebuild the kernel every time I change anything in sysctl.conf.
When rebooting, everything comes up, the rules including the queues, but that’s only after I rebuilt the kernel with the sysctl.conf changes.
No domain names in the rules; that was the first issue that was solved. I had the FreeBSD update domain names and that was the original problem. Not anymore after I put in the actual IPs.
For the heck of it I rebooted several times and everything still works, i.e. PF, altq, new sysctl.conf settings, and DNS. I just hope not to have to change sysctl.conf again, otherwise another 20 minutes building the kernel.
Here are the main parts of my rules.
Code:
#options
set skip on lo0
#traffic normalization
scrub in all fragment reassemble no-df random-id
#igb1
altq on igb1 hfsc bandwidth 100Mb queue { one two }
queue one bandwidth 77% priority 10 qlimit 1000 hfsc (default)
queue two bandwidth 3% priority 0 hfsc (red)
#igb2
altq on igb2 hfsc bandwidth 100Mb queue { three four }
queue three bandwidth 80% priority 10 qlimit 900 hfsc (default)
queue four bandwidth 7% priority 9 qlimit 200
#TRANSLATION TRANSLATION TRANSLATION - NAT RULES
nat on igb0 from 192.168.1.0/24 to any -> (igb0)
nat on igb0 from 10.0.0.0/24 to any -> (igb0)
pass out log quick on igb0 inet proto tcp from any to any port 443 keep state
pass out log quick on igb0 proto tcp from any to 96.47.72.71/32 port 80 keep state # pkg0.nyi.freebsd.org
pass out log quick on igb0 proto tcp from any to 163.237.247.16 port 80 keep state # update1.freebsd.org
pass out log quick on igb1 inet proto tcp from 192.168.1.0/24 to any port = ssh keep state queue two
pass out log quick on igb2 inet proto tcp from 10.0.0.0/24 to any port = ssh keep state queue four
antispoof log quick for igb0 inet
#Default Deny All
block in log (all) on igb0 all
Deleted member 30996
Guest
#10
You have an error that points out which lines but you don’t show the complete ruleset to count it down:
Code:
/etc/pf.conf:18: errors in queue definition
altq not defined on igb0
/etc/pf.conf:19: errors in queue definition
altq not defined on igb0
/etc/pf.conf:20: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
It’s 3 lines in a row, for starters, so it has to be one of your queue blocks of rules, igb#1 or igb#2. Neither figure given equals 100% by observation, having never used queue in my rules.
Probably the first one, and the second will throw an error if the syntax is not adjusted to match next time you start it.
Thread Starter
#11
Hi Trihexagonal
Yes, I edited down because I have a long rule set. But the errors are the same.
I do want to clarify that the altq rules and subsequent pass block rules are working even when I reboot and no errors.
After rebooting they all populate, everything is running, and I do not have to do any manual load of /etc/pf.conf.
I only start to get errors when I add to /etc/sysctl.conf and thereafter reboot. When the system comes back up sysctl.conf takes effect, but the PF rules do not get loaded, and when I attempt to force load them I get the errors. To get rid of the errors I comment out the altq lines and then the other rules load without a problem. Seems like the altq kernel portion is not loading, since it does not recognize altq.
For some reason when I touch /etc/sysctl.conf my custom kernel does not load and instead the GENERIC kernel takes over with the new /etc/sysctl.conf config.
I am inclined to leave it as is and not touch /etc/sysctl.conf any more since I already did all my edits and verified with sysctl -a that the changes I made are active and also when I reboot my PF rules load automatically, all under the custom kernel and not GENERIC.
I am uploading the beginning fully for transparency.
Code:
#OPTIONS Leave loopback alone
set skip on lo0
#TRAFFIC NORMALIZATION
scrub in all fragment reassemble no-df random-id
#QUEUEING QUEUEING QUEUEING
#igb1 QUEUE
altq on igb1 hfsc bandwidth 100Mb queue { one two three four }
queue one bandwidth 77% priority 10 qlimit 1000 hfsc (default)
queue two bandwidth 10% priority 9
queue three bandwidth 3% priority 0 hfsc (red)
queue four bandwidth 10% priority 1 hfsc (red)
#igb2 QUEUE
altq on igb2 hfsc bandwidth 100Mb queue { five six seven }
queue five bandwidth 80% priority 10 qlimit 900 hfsc (default)
queue six bandwidth 7% priority 9 qlimit 200
queue seven bandwidth 5% priority 3
Below is the ALTQ portion of pfctl -s all
Code:
ALTQ:
queue root_igb1 on igb1 bandwidth 100Mb priority 0 {one, two, three, four}
queue one on igb1 bandwidth 77Mb priority 10 qlimit 1000 hfsc( default )
queue two on igb1 bandwidth 10Mb priority 9
queue three on igb1 bandwidth 3Mb priority 0 hfsc( red )
queue four on igb1 bandwidth 10Mb hfsc( red )
queue root_igb2 on igb2 bandwidth 100Mb priority 0 {five, six, seven}
queue five on igb2 bandwidth 80Mb priority 10 qlimit 900 hfsc( default )
queue six on igb2 bandwidth 7Mb priority 9 qlimit 200
queue seven on igb2 bandwidth 5Mb priority 3
Thanks!
Deleted member 30996
Guest
#12
Well you’ve got 18 lines there. The error points to Line 18, 19 and 20.
You can start counting anywhere you like, I usually start from the top down:
Code:
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Default deny everything
block log all
### Pass loopback
set skip on lo0
### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any ###Line 18
block in from urpf-failed to any ###Line 19
block in quick on $ext_if from any to 255.255.255.255 ###Line 20
Thread Starter
#13
Well you’ve got 18 lines there. The error points to Line 18, 19 and 20.
You can start counting anywhere you like, I usually start from the top down:
Code:
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Default deny everything
block log all
### Pass loopback
set skip on lo0
### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any ###Line 18
block in from urpf-failed to any ###Line 19
block in quick on $ext_if from any to 255.255.255.255 ###Line 20
The weirdest thing is that when I run
I get no errors and the configs above are running as I write this as evidenced by:
Code:
# pfctl -s queue -v
queue root_igb1 on igb1 bandwidth 100Mb priority 0 {one, two, three, four}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 ]
queue one on igb1 bandwidth 77Mb priority 10 qlimit 1000 hfsc( default )
[ pkts: 6343050 bytes: 9098298370 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/1000 ]
queue two on igb1 bandwidth 10Mb priority 9
[ pkts: 588 bytes: 121584 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 ]
queue three on igb1 bandwidth 3Mb priority 0 hfsc( red )
[ pkts: 6283528 bytes: 9014176858 dropped pkts: 103014 bytes: 154895664 ]
[ qlength: 0/ 50 ]
queue four on igb1 bandwidth 10Mb hfsc( red )
[ pkts: 584 bytes: 201480 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 ]
queue root_igb2 on igb2 bandwidth 100Mb priority 0 {five, six, seven}
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 ]
queue five on igb2 bandwidth 80Mb priority 10 qlimit 900 hfsc( default )
[ pkts: 6487698 bytes: 9565743407 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/900 ]
queue six on igb2 bandwidth 7Mb priority 9 qlimit 200
[ pkts: 1450 bytes: 554706 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/200 ]
queue seven on igb2 bandwidth 5Mb priority 3
[ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
[ qlength: 0/ 50 ]
I’ll keep running some other tests and post any changes here, thanks!
Thread Starter
#14
I just tried editing /etc/sysctl.conf and rebooted. Everything is working still!
Not sure what the problem was; I didn’t edit my /etc/pf.conf config.
But as long as it is not a problem anymore, I will keep playing with /etc/pf.conf.
Thank you all!!!
Deleted member 30996
Guest
#15
Please try pfctl -s all so we can see exactly what it’s doing.
Here’s my full ruleset:
Code:
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Default deny everything
block log all
### Pass loopback
set skip on lo0
### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
### Block all IPv6
block in quick inet6 all
block out quick inet6 all
### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp
### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
Then pfctl -s all
Code:
root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.24 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state
STATES:
all tcp 192.168.1.24:47261 -> 192.0.73.2:443 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:62401 -> 204.109.59.195:443 FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.24:60583 -> 52.10.189.118:443 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:61897 -> 204.109.59.195:443 TIME_WAIT:TIME_WAIT
all tcp 192.168.1.24:57465 -> 52.85.79.57:443 ESTABLISHED:ESTABLISHED
INFO:
Status: Enabled for 9 days 11:48:56 Debug: Urgent
State Table Total Rate
current entries 5
searches 2585450 3.2/s
inserts 30946 0.0/s
removals 30941 0.0/s
Counters
match 63891 0.1/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
map-failed 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 60000 states
adaptive.end 120000 states
src.track 0s
LIMITS:
states hard limit 100000
src-nodes hard limit 10000
frags hard limit 5000
table-entries hard limit 200000
OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/ #
Thread Starter
#16
I changed my public IP for security reasons, but here is pfctl -s all.
I do have to do some cleanup with macros and tables but that comes after.
Code:
# pfctl -s all
TRANSLATION RULES:
nat on igb0 inet from 192.168.1.0/24 to any -> (igb0) round-robin
nat on igb0 inet from 10.0.0.0/24 to any -> (igb0) round-robin
FILTER RULES:
scrub in all no-df random-id fragment reassemble
pass in log quick on igb1 inet proto udp from 10.0.0.21 port = ntp to 10.0.0.1 keep state
pass out log quick on igb0 inet proto tcp from any to <__automatic_be81f21c_0> port = domain flags S/SA keep state
pass out log quick on igb0 inet proto udp from any to <__automatic_be81f21c_1> port = domain keep state
pass in log quick on igb1 inet proto tcp from 10.0.0.0/24 to 1.1.1.1 port = domain flags S/SA keep state queue one
pass in log quick on igb1 inet proto udp from 10.0.0.0/24 to 1.1.1.1 port = domain keep state queue one
pass in log quick on igb2 inet proto udp from any to 1.1.1.1 port = domain keep state queue five
pass in log quick on igb2 inet proto udp from any to 8.8.8.8 port = domain keep state queue five
pass in log quick on igb2 inet proto tcp from any to 1.1.1.1 port = domain flags S/SA keep state queue five
pass out log quick on igb0 inet proto icmp all icmp-type echoreq keep state
pass in log on igb2 inet proto icmp all icmp-type echoreq keep state queue five
pass in log on igb1 inet proto icmp all icmp-type echoreq keep state queue one
pass out log quick on igb1 inet proto icmp all icmp-type echoreq keep state queue one
pass in log quick on igb0 inet proto icmp all icmp-type unreach keep state
pass in log quick on igb0 inet proto icmp all icmp-type timex keep state
pass out log quick on igb0 inet proto udp from any to any port = 3478 keep state
block drop in log quick on igb1 inet proto tcp from 10.0.0.17 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.18 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.19 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto udp from 10.0.0.17 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto udp from 10.0.0.18 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto udp from 10.0.0.19 to 10.0.0.0/24 queue four
pass in log quick on igb1 inet proto tcp from 10.0.0.17 to any port = https flags S/SA keep state queue three
pass in log quick on igb1 inet proto tcp from 10.0.0.18 to any port = https flags S/SA keep state queue three
pass in log quick on igb1 inet proto tcp from 10.0.0.19 to any port = https flags S/SA keep state queue three
pass in log quick on igb1 inet proto udp from 10.0.0.17 port = bootpc to 10.0.0.1 port = bootps keep state queue four
pass in log quick on igb1 inet proto udp from 10.0.0.18 port = bootpc to 10.0.0.1 port = bootps keep state queue four
pass in log quick on igb1 inet proto udp from 10.0.0.19 port = bootpc to 10.0.0.1 port = bootps keep state queue four
pass out log quick on igb1 inet proto udp from 10.0.0.1 port = bootps to 10.0.0.17 port = bootpc keep state queue four
pass out log quick on igb1 inet proto udp from 10.0.0.1 port = bootps to 10.0.0.18 port = bootpc keep state queue four
pass out log quick on igb1 inet proto udp from 10.0.0.1 port = bootps to 10.0.0.19 port = bootpc keep state queue four
pass out log quick on igb0 inet proto tcp from any to 96.47.72.71 port = http flags S/SA keep state
pass out log quick on igb0 inet proto tcp from any to 163.237.247.16 port = http flags S/SA keep state
pass out log quick on igb0 inet proto tcp from any to 204.15.11.117 port = http flags S/SA keep state
pass out log quick on igb0 inet proto tcp from any to 63.140.118.125 port = http flags S/SA keep state
pass out log quick on igb0 inet proto tcp from any to any port = https flags S/SA keep state
pass in log quick on igb2 proto tcp from any to any port = https flags S/SA keep state queue five
pass in log quick on igb1 inet proto tcp from 10.0.0.0/24 to any port = https flags S/SA keep state queue one
pass out log quick on igb1 inet proto tcp from 192.168.1.0/24 to any port = ssh flags S/SA keep state queue two
pass out log quick on igb1 inet proto tcp from 10.0.0.0/24 to any port = ssh flags S/SA keep state queue two
pass out log quick on igb0 proto tcp from any to any port = ssh flags S/SA keep state queue two
pass out log quick on igb2 inet proto tcp from 192.168.1.0/24 to any port = ssh flags S/SA keep state queue six
pass out log quick on igb2 inet proto tcp from 10.0.0.0/24 to any port = ssh flags S/SA keep state queue six
pass in log quick on igb1 proto tcp from any to any port = ssh flags S/SA keep state queue two
pass in log quick on igb2 proto tcp from any to any port = ssh flags S/SA keep state queue six
block drop in log quick on igb0 inet proto udp from any to any port = 3478
block drop in log quick on igb0 proto udp from any to any port = ntp
block drop in log quick on igb0 proto udp from any to any port = 3726
block drop in log quick on igb0 proto udp from any to any port = 3667
block drop in log quick on igb0 proto udp from any to any port = 3551
block drop in log quick on igb0 inet proto tcp from any to any port = auth
block drop in log quick on igb0 proto tcp from any to any port = 3726
block drop in log quick on igb0 proto tcp from any to any port = 3667
block drop in log quick on igb0 proto tcp from any to any port = 3551
block drop in log quick on igb0 inet proto icmp all icmp-type echoreq
block drop in log quick on igb1 inet proto udp from 10.0.0.17 port = ntp to any
block drop in log quick on igb1 inet proto udp from 10.0.0.18 port = ntp to any
block drop in log quick on igb1 inet proto udp from 10.0.0.19 port = ntp to any
block drop in log quick on igb1 inet proto icmp from any to 8.8.8.8 icmp-type echoreq
block drop in log quick on igb0 proto tcp from any to any port = ssh
block drop in log quick on igb1 inet proto tcp from 10.0.0.17 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.18 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.19 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.17 to any port = http queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.18 to any port = http queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.19 to any port = http queue four
block drop out log quick on igb2 inet proto icmp from 10.0.0.17 to any queue seven
block drop out log quick on igb2 inet proto icmp from 10.0.0.18 to any queue seven
block drop out log quick on igb2 inet proto icmp from 10.0.0.19 to any queue seven
block drop out log quick on igb1 inet proto icmp from 10.0.0.17 to any queue four
block drop out log quick on igb1 inet proto icmp from 10.0.0.18 to any queue four
block drop out log quick on igb1 inet proto icmp from 10.0.0.19 to any queue four
block drop in log quick on igb0 proto tcp from any to any port = http
block drop in log quick on igb0 proto tcp from any to any port = https
block drop out log quick on igb0 proto tcp from any port = 8080 to any
block drop in log quick on igb1 proto udp from any to any port = https queue four
block drop in log quick on igb0 inet proto tcp from any to any port = netbios-ns
block drop in log quick on igb0 inet proto tcp from any to any port = netbios-dgm
block drop in log quick on igb0 inet proto tcp from any to any port = netbios-ssn
block drop in log quick on igb0 inet proto udp from any to any port = netbios-ns
block drop in log quick on igb0 inet proto udp from any to any port = netbios-dgm
block drop in log quick on igb0 inet proto udp from any to any port = netbios-ssn
block drop in log quick on igb0 inet from 127.0.0.0/8 to any
block drop in log quick on igb0 inet from 192.168.0.0/16 to any
block drop in log quick on igb0 inet from 172.16.0.0/12 to any
block drop in log quick on igb0 inet from 10.0.0.0/8 to any
block drop in log quick on igb0 inet from 224.0.0.0/3 to any
block drop in log quick on igb0 proto tcp from any os "FreeBSD" to any
block drop in log quick on igb0 proto tcp from any os "OpenBSD" to any
block drop in log quick on igb0 proto tcp from any os "Linux" to any
block drop in log quick on igb0 proto tcp from any os "Windows" to any
block drop out log quick on igb0 inet from any to 127.0.0.0/8
block drop out log quick on igb0 inet from any to 192.168.0.0/16
block drop out log quick on igb0 inet from any to 172.16.0.0/12
block drop out log quick on igb0 inet from any to 10.0.0.0/8
block drop out log quick on igb0 inet from 224.0.0.0/3 to any
block drop in log quick on igb2 inet from 224.0.0.0/3 to any
block drop in log quick on igb1 inet from 224.0.0.0/3 to any
block drop in log quick on ! igb0 inet from ISPnet/24 to any
block drop in log quick inet from ISPip to any
block drop in log (all) on igb0 all
ALTQ:
queue root_igb1 on igb1 bandwidth 100Mb priority 0 {one, two, three, four}
queue one on igb1 bandwidth 77Mb priority 10 qlimit 1000 hfsc( default )
queue two on igb1 bandwidth 10Mb priority 9
queue three on igb1 bandwidth 3Mb priority 0 hfsc( red )
queue four on igb1 bandwidth 10Mb hfsc( red )
queue root_igb2 on igb2 bandwidth 100Mb priority 0 {five, six, seven}
queue five on igb2 bandwidth 80Mb priority 10 qlimit 900 hfsc( default )
queue six on igb2 bandwidth 7Mb priority 9 qlimit 200
queue seven on igb2 bandwidth 5Mb priority 3
STATES:
removed, I hit the character limit
INFO:
Status: Enabled for 0 days 01:29:07 Debug: Urgent
State Table Total Rate
current entries 607
searches 2229013 416.9/s
inserts 20948 3.9/s
removals 20341 3.8/s
Counters
match 247033 46.2/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
map-failed 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 60000 states
adaptive.end 120000 states
src.track 0s
LIMITS:
states hard limit 100000
src-nodes hard limit 10000
frags hard limit 5000
table-entries hard limit 200000
TABLES:
__automatic_be81f21c_0
__automatic_be81f21c_1
OS FINGERPRINTS:
762 fingerprints loaded
Recently there have been more and more attempts from the Internet (most often from the Chinese segment of the world wide web) to attack a server entrusted to me, running FreeBSD 10.0, which acts both as a gateway for internal networks and as a platform for all kinds of Internet services. This includes ordinary spam, connection attempts (scanning) against closed and open ports, and even DoS (everything gets "DDoSed", from the mail server to bind). Especially popular at the moment among homegrown hackers are ready-made kits for attempting to exploit the recently discovered hole in bash. To repel such attempts I use the PF packet filter; its configuration file references a table loaded from an external file, into which I automatically add the IP addresses from which destructive actions were attempted.
Today, however, when trying to reload the rules from the PF configuration file, the following error appeared:
Code:
# pfctl -f /etc/pf.conf
/etc/pf.conf:139: cannot define table spammers: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded
The path of my PF ruleset is configured in /etc/rc.conf. This can be checked as follows:
Code:
# less /etc/rc.conf | grep pf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
Here is the part of the PF configuration file responsible for loading the table (in my case spammers) from an external file:
Code:
# less /etc/pf.conf | grep spammers
table <spammers> persist file "/root/spammers"
block in quick on $ext_if from <spammers> to $ext_addr
IP addresses are added to the file /root/spammers automatically, one IP address per line. This file has now grown to more than 100,000 lines:
Code:
# less /root/spammers | wc -l
101033
And with PF's default settings a table can hold at most 100,000 entries (see the last line of the output of pfctl -s memory):
Code:
# pfctl -s memory
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 100000
To raise the table-entries hard limit, add the following line to the PF configuration file:
Code:
# nano -w /etc/pf.conf
...
set limit table-entries 500000
...
which sets this parameter to 500,000. Restart the PF packet filter and check the result:
Code:
# /etc/rc.d/pf restart
Disabling pf
pf disabled
.
Enabling pf
pf enabled
.
# pfctl -s memory
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 500000
Goal achieved; reloading the PF rules no longer produces an error:
Code:
# pfctl -f /etc/pf.conf
#
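As an added example (not part of the original post), the following POSIX shell check compares the number of entries in a table file with the table-entries hard limit parsed from `pfctl -s memory` output, so the overflow described above is caught before the ruleset is rejected at reload time. The `pfctl -s memory` text and the table file inside the block are constructed samples; on a live system you would feed it the real command output and the real file (e.g. /root/spammers).

```sh
#!/bin/sh
# Added example, not from the original post: compare a PF table file's entry
# count with the table-entries hard limit that `pfctl -s memory` reports, so the
# "cannot define table ... Cannot allocate memory" failure is caught beforehand.
# The memory output and the table file below are constructed sample data.

# Print the table-entries hard limit from `pfctl -s memory` output read on stdin.
table_entries_limit() {
    awk '$1 == "table-entries" && $2 == "hard" && $3 == "limit" { print $4 }'
}

# Count entries in a table file: one address per line, blank and '#' lines ignored.
count_table_entries() {
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true   # grep exits 1 when the count is 0
}

# check_table_fits FILE MEMORY_OUTPUT -> 0 if FILE fits, 1 if it would overflow,
# 2 if the limit could not be found in MEMORY_OUTPUT.
check_table_fits() {
    limit=$(printf '%s\n' "$2" | table_entries_limit)
    [ -n "$limit" ] || { echo "table-entries limit not found in input" >&2; return 2; }
    entries=$(count_table_entries "$1")
    if [ "$entries" -gt "$limit" ]; then
        echo "$1: $entries entries exceed table-entries hard limit $limit" >&2
        echo "raise it with 'set limit table-entries N' (N > $entries) in pf.conf" >&2
        return 1
    fi
    echo "$1: $entries entries within table-entries hard limit $limit"
}

# Constructed stand-in for `pfctl -s memory` on a default FreeBSD 10 install.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000'

# Constructed table file: three documentation-range (RFC 5737) addresses,
# plus a comment line and a blank line that must not be counted.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '# constructed sample\n192.0.2.1\n192.0.2.2\n\n198.51.100.7\n' > "$SAMPLE_FILE"

check_table_fits "$SAMPLE_FILE" "$SAMPLE_MEMORY"
```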
Hi, I am having trouble with the Traffic Shaper.
It worked well for a couple of days after creating my initial ruleset through the wizard. I made some modifications using the GUI and now have the following problems:
There were error(s) loading the rules:
/tmp/rules.debug:22: syntax error
/tmp/rules.debug:23: syntax error
/tmp/rules.debug:26: queue qwanRoot has no parent
/tmp/rules.debug:26: errors in queue definition
/tmp/rules.debug:27: queue qlanRoot has no parent
/tmp/rules.debug:27: errors in queue definition
/tmp/rules.debug:28: queue qwandef has no parent
/tmp/rules.debug:28: errors in queue definition
/tmp/rules.debug:29: queue qlandef has no parent
/tmp/rules.debug:29: errors in queue definition
/tmp/rules.debug:30: queue qwanacks has no parent
/tmp/rules.debug:30: errors in queue definition
/tmp/rules.debug:31: queue qlanacks has no parent
/tmp/rules.debug:31: errors in queue definition
/tmp/rules.debug:32: queue qVOIPUp has no parent
/tmp/rules.debug:32: errors in queue definition
/tmp/rules.debug:33: queue qVOIPDown has no parent
/tmp/rules.debug:33: errors in queue definition
/tmp/rules.debug:34: queue qP2PUp has no parent
/tmp/rules.debug:34: errors in queue definition
/tmp/rules.debug:35: queue qP2PDown has no parent
/tmp/rules.debug:35: errors in queue definition
/tmp/rules.debug:36: queue qGamesUp has no parent
/tmp/rules.debug:36: errors in queue definition
/tmp/rules.debug:37: queue qGamesDown has no parent
/tmp/rules.debug:37: errors in queue definition
/tmp/rules.debug:38: queue qOthersUpH has no parent
/tmp/rules.debug:38: errors in queue definition
/tmp/rules.debug:39: queue qOthersDownH has no parent
/tmp/rules.debug:39: errors in queue definition
/tmp/rules.debug:40: queue qOthersUpL has no parent
/tmp/rules.debug:40: errors in queue definition
/tmp/rules.debug:41: queue qOthersDownL has no parent
/tmp/rules.debug:41: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
The line in question reads [22]: altq on fxp0 hfsc bandwidth queue { qwanRoot qlanRoot }…
I also notice that some of the items selected during the wizard do not appear in the completed rules list, most notably the penalised IP option and I also do not see any rules for ACKs.
I am using pfSense 1.2.1