Syntax error in config file pf rules not loaded


  • #1

Hello,

For the past 3 weeks I have been testing PF firewall and so far so good except for the rules not loading automatically on reboot.
I load the rules using pfctl -F all -f /etc/pf.conf and all works great.
I did change my default kernel to accommodate altq.

I actually had to redo the kernel because I rebooted once after attempting to change sysctl.conf to switch the congestion algorithm to htcp using:

Code:

net.inet.tcp.cc.algorithm=htcp

And when the system came back up, the pf.conf rules did not load, and when I manually loaded them pf could not recognize the altq lines, saying that they were not defined for my interfaces, but I am not sure how that is possible since they worked before.
So I suspected that the issue was messing with sysctl.conf.
I proceeded to revert and delete the sysctl.conf entry.
Rebooted and still the same issue, so I proceeded to redo the kernel for the altq options and it worked, kind of.
I still have to manually load the firewall rules.
The steps I followed to build the custom kernel were from the manual:

Code:

# cd /usr/src/sys/amd64/conf
# cp GENERIC MYKERNEL
set new kernel options to the bottom of custom kernel:
options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)

THEN

Code:

# cd /usr/src
# make buildkernel KERNCONF=MYKERNEL
# make installkernel KERNCONF=MYKERNEL
# reboot

Not sure if I missed a step on the custom kernel.

I suspected the reason the rules were not loaded was that I did not specify the directory where the rules are stored, so I added it to /etc/rc.conf:

Code:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

But that doesn't seem to be the issue either, especially because the manual says that by default pf knows to go to /etc/pf.conf.

I did also try this on a vm in virtualbox since my desktop was not behaving as expected.
I followed the same steps as above except for adding the rules path: pf_rules="/etc/pf.conf"
And it works. Rules automatically get populated.

More info on my physical desktop/FW/router, for guidance:

Code:

uname -a:
FreeBSD hostname12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 r369569 GENERIC  amd64
altq rules:
#igb0 queue
altq on igb0 hfsc bandwidth 100Mb queue { one two three four }
queue one bandwidth 77% priority 10 qlimit 1000 hfsc (default)
queue two bandwidth 10% priority 9
queue three bandwidth 3% priority 1 hfsc (red)
queue four bandwidth 10% priority 0 hfsc (red)
#igb1 queue
altq on igb1 hfsc bandwidth 100Mb queue { five six seven }
queue five bandwidth 80% priority 10 qlimit 900 hfsc (default)
queue six bandwidth 7% priority 9 qlimit 200
queue seven bandwidth 5% priority 3

Code:

#cat /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
kernel: ---<<BOOT>>---
kernel: Copyright (c) 1992-2020 The FreeBSD Project.
kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
kernel:        The Regents of the University of California. All rights reserved.
kernel: FreeBSD is a registered trademark of The FreeBSD Foundation.
kernel: FreeBSD 12.2-RELEASE-p6 r369569 GENERIC amd64

  • #2

Do you have any DNS names (rather than dotted-decimal addresses) in your rules? This is a common reason for loading to fail at boot (before local_unbound is running) but succeed manually later.

  • Thread Starter

  • #3

Eric A. Borisch
LOL
I was just about to update this thread, when I saw your reply.

I thought about that 20 min ago, replaced my DNS entries for FreeBSD update with the addresses I looked up with nslookup, and rebooted.
Like magic it worked!!!

I have bind9 set up on my system and thought it was probably slow to start while pf starts faster, which would not allow the rules to load since I had DNS entries in my rules.

Thank you for your reply on this. Much appreciated!
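
The boot-time failure described in #2 and confirmed in #3 (hostnames in the ruleset resolve fine by hand and under pfctl -nf once DNS is up, but not when pf loads before the resolver) can be caught with a static scan of pf.conf before rebooting. This is an added example, not code from the thread; the sample ruleset, the <trusted> table and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a static check for the failure the
# thread diagnosed. pf resolves hostnames in from/to operands while loading
# the ruleset, so a pf.conf containing them loads fine by hand (or under
# pfctl -nf) once DNS is up but fails at boot when pf starts before the
# resolver. This scan needs neither pfctl nor a working resolver.

# Constructed sample ruleset for the demo; the hostname, the <trusted> table
# and the interface are assumptions, not the thread author's ruleset.
SAMPLE_PF_CONF=$(cat <<'EOF'
ext_if = "igb0"
set skip on lo0
scrub in all fragment reassemble no-df random-id
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
pass out log quick on $ext_if proto tcp from any to update1.freebsd.org port 80 keep state
pass out log quick on $ext_if proto tcp from any to 163.237.247.16 port 80 keep state # update1.freebsd.org
pass out log quick on $ext_if proto tcp from any to <trusted> port 443 keep state
block in log (all) on $ext_if all
EOF
)

# find_hostname_operands: reads a ruleset on stdin and prints "LINE: token"
# for every from/to operand that is not an IPv4/IPv6 literal or CIDR, a
# macro ($name), a table (<name>), a parenthesised interface, a bare
# interface name, or a pf address keyword. Whatever is left is a name that
# pfctl must resolve through DNS at load time.
find_hostname_operands() {
    awk '
    function is_static(t) {
        if (t ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) return 1   # IPv4 or CIDR
        if (t ~ /:/ && t ~ /^[0-9A-Fa-f:]+(\/[0-9]+)?$/) return 1           # IPv6 or CIDR
        if (t ~ /^[$<(]/) return 1                                          # macro, table, (ifname)
        if (t ~ /^(any|all|self|no-route|urpf-failed)$/) return 1           # pf keywords
        if (t ~ /^[a-z]+[0-9]+$/) return 1   # interface name such as igb0 or lo0;
                                             # a single-label hostname like host1 is missed
        return 0
    }
    {
        line = $0
        sub(/#.*/, "", line)          # drop trailing comments
        gsub(/[{}]/, " ", line)       # flatten { a, b } lists into plain tokens
        n = split(line, w, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            if (w[i] != "from" && w[i] != "to") continue
            # walk the operand list until the next rule keyword
            for (j = i + 1; j <= n; j++) {
                if (w[j] ~ /^(from|to|port|os|flags|keep|modulate|synproxy|queue|label|tag|tagged|->|user|group|icmp-type|icmp6-type|allow-opts|rtable|probability|received-on|route-to|reply-to|dup-to|set|no|state)$/) break
                if (w[j] == "!" || w[j] == "") continue   # negation marker or empty split field
                if (!is_static(w[j])) printf "%d: %s\n", NR, w[j]
            }
        }
    }'
}

# check_pf_conf FILE: exit status 0 if the file has no hostname operands,
# 1 otherwise, with the offending lines on stderr. Run it next to
# pfctl -nf before committing a ruleset that must load unattended at boot.
check_pf_conf() {
    hits=$(find_hostname_operands < "$1")
    [ -z "$hits" ] && return 0
    printf 'hostname operands in %s (resolved at pf load time):\n%s\n' "$1" "$hits" >&2
    return 1
}

# Demo on the constructed sample: only line 5 (update1.freebsd.org) is flagged;
# the same name inside the comment on line 6 is ignored.
printf '%s\n' "$SAMPLE_PF_CONF" | find_hostname_operands
```

Replace the hostname with the address it resolves to (as the thread author did) or put the addresses in a table and the check passes.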

SirDice


  • #4

You don’t need a custom kernel to enable PF and ALTQ. And when you do create a custom kernel make sure to change the ident so it doesn’t look like you’re running a standard GENERIC kernel.

  • Thread Starter

  • #5

SirDice
Ah! I was following the handbook and man pages on the custom kernel for ALTQ.
PF did indeed work without any kernel modifications before I got curious about altq. I did add the pfsync device in the kernel since that did not come in the PF kernel module; maybe I am wrong about that too?
With regards to the custom kernel «ident» I realized after the 3rd attempt yesterday that maybe I should change it to make sure I don’t get confused on which is which.
Thanks for clarifying both points!

SirDice


  • #6

maybe I should change it to make sure I don’t get confused on which is which.

Yes, the ident is shown in a uname -a output. If you post your output and we see a «GENERIC» we assume it’s the standard kernel, not a custom one. That could lead to all sorts of misunderstandings.

  • Thread Starter

  • #7

Not sure if I should open a new thread or continue this one, since the altq issue is ongoing when I change sysctl.conf. Please advise if I should open a new thread with the below contents. Thank you.

After adding several settings in /etc/sysctl.conf:

Code:

net.inet.tcp.sendbuf_max=33554432
net.inet.tcp.recvbuf_max=33554432
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288
net.inet.tcp.hostcache.expire=1
net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.cc.htcp.adaptive_backoff=1
net.inet.tcp.cc.htcp.rtt_scaling=1
net.inet.tcp.rfc6675_pipe=1
net.inet.tcp.minmss=536
net.inet.tcp.syncache.rexmtlimit=1
net.inet.tcp.abc_l_var=44
net.inet.tcp.initcwnd_segments=16
net.inet.tcp.tso=0
net.inet.ip.redirect=0
net.inet.tcp.always_keepalive=0
net.inet.sctp.blackhole=2
net.inet.tcp.blackhole=2
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.finwait2_timeout=5000
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.keepinit=5000
net.inet.tcp.msl=2500
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rexmit_slop=70
net.inet.udp.blackhole=1

and /boot/loader.conf:

THEN reboot

The altq settings cause /etc/pf.conf not to get implemented at all.

So the fix I have to do is either of 2 things:
Comment out the

and

lines
then all good:

Code:

# pfctl -F all -f /etc/pf.conf
rules cleared
nat cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset

OR

Rebuild the kernel

After either of the two changes, all is working well.

Does changing /etc/sysctl.conf require rebuilding the kernel?

The ERRORS I get for /etc/pf.conf after changing /etc/sysctl.conf and then rebooting:

Code:

# pfctl -F all -f /etc/pf.conf
rules cleared
nat cleared
4 tables deleted.
284 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
altq not defined on igb0
altq not defined on igb0
/etc/pf.conf:18: errors in queue definition
altq not defined on igb0
/etc/pf.conf:19: errors in queue definition
altq not defined on igb0
/etc/pf.conf:20: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded

when running

Code:

# pfctl -vnf /etc/pf.conf

I get no errors; the above errors are given when I run:

Code:

# pfctl -F all -f /etc/pf.conf

Just an FYI:

Code:

#uname -a
FreeBSD firewall 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 r369569 NETOPTIMIZED-PF  amd64

SirDice


  • #8

Does changing /etc/sysctl.conf require rebuilding the kernel?

No, all those settings can be set «on-the-fly» actually.

Can you post your pf.conf? I think the issue might just be some rule that's causing it to fail when the system boots, but then applies fine when the system is done booting. Any DNS hostnames in the ruleset? Those might fail to load because it tries to apply them before DNS is actually working.

  • Thread Starter

  • #9

No, all those settings can be set «on-the-fly» actually.

Can you post your pf.conf? I think the issue might just be some rule that's causing it to fail when the system boots, but then applies fine when the system is done booting. Any DNS hostnames in the ruleset? Those might fail to load because it tries to apply them before DNS is actually working.

On reboot after rebuilding the kernel that includes the sysctl.conf changes and kernel changes for altq, everything is working now.
But it is cumbersome to have to rebuild the kernel every time I change anything in sysctl.conf.
When rebooting, everything comes up, the rules including the queues, but that's only after I rebuilt the kernel with the sysctl.conf changes.

No domain names in the rules; that was the first issue that was solved. I had the FreeBSD update domain names and that was the original problem. Not anymore after I put in the actual IPs.

For the heck of it I rebooted several times and everything still works, i.e. PF, altq, new sysctl.conf settings, and DNS. I just hope not to have to change sysctl.conf again otherwise another 20 minutes building the kernel.

Here are the main parts of my rules.

Code:

#options
set skip on lo0

#traffic normalization
scrub in all fragment reassemble no-df random-id

#igb1
altq on igb1 hfsc bandwidth 100Mb queue { one two }
queue one bandwidth 77% priority 10 qlimit 1000 hfsc (default)
queue two bandwidth 3% priority 0 hfsc (red)

#igb2
altq on igb2 hfsc bandwidth 100Mb queue { three four }
queue three bandwidth 80% priority 10 qlimit 900 hfsc (default)
queue four bandwidth 7% priority 9 qlimit 200


#TRANSLATION TRANSLATION TRANSLATION - NAT RULES
nat on igb0 from 192.168.1.0/24 to any -> (igb0)
nat on igb0 from 10.0.0.0/24 to any -> (igb0)

pass out log quick on igb0 inet proto tcp from any to any port 443 keep state
pass out log quick on igb0 proto tcp from any to 96.47.72.71/32 port 80 keep state # pkg0.nyi.freebsd.org
pass out log quick on igb0 proto tcp from any to 163.237.247.16 port 80 keep state # update1.freebsd.org

pass out log quick on igb1 inet proto tcp from 192.168.1.0/24 to any port = ssh keep state queue two
pass out log quick on igb2 inet proto tcp from 10.0.0.0/24 to any port = ssh keep state queue four


antispoof log quick for igb0 inet

#Default Deny All
block in log (all) on igb0 all

Deleted member 30996

Guest


  • #10

You have an error that points out which lines but you don’t show the complete ruleset to count it down:

Code:

/etc/pf.conf:18: errors in queue definition
altq not defined on igb0
/etc/pf.conf:19: errors in queue definition
altq not defined on igb0
/etc/pf.conf:20: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded

It's 3 lines in a row, for starters, so it has to be one of your queue blocks of rules, igb#1 or igb#2. Neither figure given equals 100% by observation, having never used queue in my rules.

Probably the first one, and the second will throw an error if the syntax is not adjusted to match next time you start it.

  • Thread Starter

  • #11

Hi Trihexagonal
Yes, I edited down because I have a long rule set. But the errors are the same.

I do want to clarify that the altq rules and subsequent pass/block rules are working even when I reboot, with no errors.
After rebooting they all populate, everything is running, and I do not have to do any manual load of /etc/pf.conf.

I only start to get errors when I add to /etc/sysctl.conf and thereafter reboot. When the system comes back up sysctl.conf takes effect but the PF rules do not get loaded, and when I attempt to force load them I get the errors. To get rid of the errors I comment out the altq lines and then the other rules load without a problem. Seems like the altq kernel portion is not loading since it does not recognize altq.

For some reason when I touch /etc/sysctl.conf my custom kernel does not load and instead the GENERIC kernel takes over with the new /etc/sysctl.conf config.

I am inclined to leave it as is and not touch /etc/sysctl.conf any more since I already did all my edits and verified with sysctl -a that the changes I made are active and also when I reboot my PF rules load automatically, all under the custom kernel and not GENERIC.

I am uploading the beginning fully for transparency.

Code:

#OPTIONS Leave loopback alone
set skip on lo0

#TRAFFIC NORMALIZATION
scrub in all fragment reassemble no-df random-id

#QUEUEING QUEUEING QUEUEING
#igb1 QUEUE
altq on igb1 hfsc bandwidth 100Mb queue { one two three four }
queue one bandwidth 77% priority 10 qlimit 1000 hfsc (default)
queue two bandwidth 10% priority 9
queue three bandwidth 3% priority 0 hfsc (red)
queue four bandwidth 10% priority 1 hfsc (red)
#igb2 QUEUE
altq on igb2 hfsc bandwidth 100Mb queue { five six seven }
queue five bandwidth 80% priority 10 qlimit 900 hfsc (default)
queue six bandwidth 7% priority 9 qlimit 200
queue seven bandwidth 5% priority 3

Below is the ALTQ portion of pfctl -s all

Code:

ALTQ:
queue root_igb1 on igb1 bandwidth 100Mb priority 0 {one, two, three, four}
queue  one on igb1 bandwidth 77Mb priority 10 qlimit 1000 hfsc( default )
queue  two on igb1 bandwidth 10Mb priority 9
queue  three on igb1 bandwidth 3Mb priority 0 hfsc( red )
queue  four on igb1 bandwidth 10Mb hfsc( red )
queue root_igb2 on igb2 bandwidth 100Mb priority 0 {five, six, seven}
queue  five on igb2 bandwidth 80Mb priority 10 qlimit 900 hfsc( default )
queue  six on igb2 bandwidth 7Mb priority 9 qlimit 200
queue  seven on igb2 bandwidth 5Mb priority 3

Thanks!

Deleted member 30996

Guest


  • #12

Well you’ve got 18 lines there. The error points to Line 18, 19 and 20.

You can start counting anywhere you like, I usually start from the top down:

Code:

### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any ###Line 18
block in from urpf-failed to any ###Line 19
block in quick on $ext_if from any to 255.255.255.255 ###Line 20

  • Thread Starter

  • #13

Well you’ve got 18 lines there. The error points to Line 18, 19 and 20.

You can start counting anywhere you like, I usually start from the top down:

Code:

### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any ###Line 18
block in from urpf-failed to any ###Line 19
block in quick on $ext_if from any to 255.255.255.255 ###Line 20

The weirdest thing is that when I run

I get no errors and the configs above are running as I write this as evidenced by:

Code:

# pfctl -s queue -v
queue root_igb1 on igb1 bandwidth 100Mb priority 0 {one, two, three, four}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  one on igb1 bandwidth 77Mb priority 10 qlimit 1000 hfsc( default )
  [ pkts:    6343050  bytes: 9098298370  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/1000 ]
queue  two on igb1 bandwidth 10Mb priority 9
  [ pkts:        588  bytes:     121584  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  three on igb1 bandwidth 3Mb priority 0 hfsc( red )
  [ pkts:    6283528  bytes: 9014176858  dropped pkts: 103014 bytes: 154895664 ]
  [ qlength:   0/ 50 ]
queue  four on igb1 bandwidth 10Mb hfsc( red )
  [ pkts:        584  bytes:     201480  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue root_igb2 on igb2 bandwidth 100Mb priority 0 {five, six, seven}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  five on igb2 bandwidth 80Mb priority 10 qlimit 900 hfsc( default )
  [ pkts:    6487698  bytes: 9565743407  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/900 ]
queue  six on igb2 bandwidth 7Mb priority 9 qlimit 200
  [ pkts:       1450  bytes:     554706  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/200 ]
queue  seven on igb2 bandwidth 5Mb priority 3
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]

I’ll keep running some other tests and post any changes here, thanks!

  • Thread Starter

  • #14

I just tried editing /etc/sysctl.conf and rebooted. Everything is working still!
Not sure what was the problem, I didn’t edit my /etc/pf.conf config.
But as long as it is not a problem anymore, I will keep playing with /etc/pf.conf.

Thank you all!!!

Deleted member 30996

Guest


  • #15

Please try pfctl -s all so we can see exactly what it’s doing.

Here’s my full ruleset:

Code:

### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

Then pfctl -s all

Code:

root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.24 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

STATES:
all tcp 192.168.1.24:47261 -> 192.0.73.2:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:62401 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.24:60583 -> 52.10.189.118:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.24:61897 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.24:57465 -> 52.85.79.57:443       ESTABLISHED:ESTABLISHED

INFO:
Status: Enabled for 9 days 11:48:56           Debug: Urgent

State Table                          Total             Rate
  current entries                        5               
  searches                         2585450            3.2/s
  inserts                            30946            0.0/s
  removals                           30941            0.0/s
Counters
  match                              63891            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/ #

  • Thread Starter

  • #16

I changed my public IP for security reasons, but here is pfctl -s all.

I do have to do some cleanup with macros and tables but that comes after.

Code:

# pfctl -s all
TRANSLATION RULES:
nat on igb0 inet from 192.168.1.0/24 to any -> (igb0) round-robin
nat on igb0 inet from 10.0.0.0/24 to any -> (igb0) round-robin

FILTER RULES:
scrub in all no-df random-id fragment reassemble
pass in log quick on igb1 inet proto udp from 10.0.0.21 port = ntp to 10.0.0.1 keep state
pass out log quick on igb0 inet proto tcp from any to <__automatic_be81f21c_0> port = domain flags S/SA keep state
pass out log quick on igb0 inet proto udp from any to <__automatic_be81f21c_1> port = domain keep state
pass in log quick on igb1 inet proto tcp from 10.0.0.0/24 to 1.1.1.1 port = domain flags S/SA keep state queue one
pass in log quick on igb1 inet proto udp from 10.0.0.0/24 to 1.1.1.1 port = domain keep state queue one
pass in log quick on igb2 inet proto udp from any to 1.1.1.1 port = domain keep state queue five
pass in log quick on igb2 inet proto udp from any to 8.8.8.8 port = domain keep state queue five
pass in log quick on igb2 inet proto tcp from any to 1.1.1.1 port = domain flags S/SA keep state queue five
pass out log quick on igb0 inet proto icmp all icmp-type echoreq keep state
pass in log on igb2 inet proto icmp all icmp-type echoreq keep state queue five
pass in log on igb1 inet proto icmp all icmp-type echoreq keep state queue one
pass out log quick on igb1 inet proto icmp all icmp-type echoreq keep state queue one
pass in log quick on igb0 inet proto icmp all icmp-type unreach keep state
pass in log quick on igb0 inet proto icmp all icmp-type timex keep state
pass out log quick on igb0 inet proto udp from any to any port = 3478 keep state
block drop in log quick on igb1 inet proto tcp from 10.0.0.17 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.18 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.19 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto udp from 10.0.0.17 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto udp from 10.0.0.18 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto udp from 10.0.0.19 to 10.0.0.0/24 queue four
pass in log quick on igb1 inet proto tcp from 10.0.0.17 to any port = https flags S/SA keep state queue three
pass in log quick on igb1 inet proto tcp from 10.0.0.18 to any port = https flags S/SA keep state queue three
pass in log quick on igb1 inet proto tcp from 10.0.0.19 to any port = https flags S/SA keep state queue three
pass in log quick on igb1 inet proto udp from 10.0.0.17 port = bootpc to 10.0.0.1 port = bootps keep state queue four
pass in log quick on igb1 inet proto udp from 10.0.0.18 port = bootpc to 10.0.0.1 port = bootps keep state queue four
pass in log quick on igb1 inet proto udp from 10.0.0.19 port = bootpc to 10.0.0.1 port = bootps keep state queue four
pass out log quick on igb1 inet proto udp from 10.0.0.1 port = bootps to 10.0.0.17 port = bootpc keep state queue four
pass out log quick on igb1 inet proto udp from 10.0.0.1 port = bootps to 10.0.0.18 port = bootpc keep state queue four
pass out log quick on igb1 inet proto udp from 10.0.0.1 port = bootps to 10.0.0.19 port = bootpc keep state queue four
pass out log quick on igb0 inet proto tcp from any to 96.47.72.71 port = http flags S/SA keep state
pass out log quick on igb0 inet proto tcp from any to 163.237.247.16 port = http flags S/SA keep state
pass out log quick on igb0 inet proto tcp from any to 204.15.11.117 port = http flags S/SA keep state
pass out log quick on igb0 inet proto tcp from any to 63.140.118.125 port = http flags S/SA keep state
pass out log quick on igb0 inet proto tcp from any to any port = https flags S/SA keep state
pass in log quick on igb2 proto tcp from any to any port = https flags S/SA keep state queue five
pass in log quick on igb1 inet proto tcp from 10.0.0.0/24 to any port = https flags S/SA keep state queue one
pass out log quick on igb1 inet proto tcp from 192.168.1.0/24 to any port = ssh flags S/SA keep state queue two
pass out log quick on igb1 inet proto tcp from 10.0.0.0/24 to any port = ssh flags S/SA keep state queue two
pass out log quick on igb0 proto tcp from any to any port = ssh flags S/SA keep state queue two
pass out log quick on igb2 inet proto tcp from 192.168.1.0/24 to any port = ssh flags S/SA keep state queue six
pass out log quick on igb2 inet proto tcp from 10.0.0.0/24 to any port = ssh flags S/SA keep state queue six
pass in log quick on igb1 proto tcp from any to any port = ssh flags S/SA keep state queue two
pass in log quick on igb2 proto tcp from any to any port = ssh flags S/SA keep state queue six
block drop in log quick on igb0 inet proto udp from any to any port = 3478
block drop in log quick on igb0 proto udp from any to any port = ntp
block drop in log quick on igb0 proto udp from any to any port = 3726
block drop in log quick on igb0 proto udp from any to any port = 3667
block drop in log quick on igb0 proto udp from any to any port = 3551
block drop in log quick on igb0 inet proto tcp from any to any port = auth
block drop in log quick on igb0 proto tcp from any to any port = 3726
block drop in log quick on igb0 proto tcp from any to any port = 3667
block drop in log quick on igb0 proto tcp from any to any port = 3551
block drop in log quick on igb0 inet proto icmp all icmp-type echoreq
block drop in log quick on igb1 inet proto udp from 10.0.0.17 port = ntp to any
block drop in log quick on igb1 inet proto udp from 10.0.0.18 port = ntp to any
block drop in log quick on igb1 inet proto udp from 10.0.0.19 port = ntp to any
block drop in log quick on igb1 inet proto icmp from any to 8.8.8.8 icmp-type echoreq
block drop in log quick on igb0 proto tcp from any to any port = ssh
block drop in log quick on igb1 inet proto tcp from 10.0.0.17 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.18 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.19 to 10.0.0.0/24 queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.17 to any port = http queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.18 to any port = http queue four
block drop in log quick on igb1 inet proto tcp from 10.0.0.19 to any port = http queue four
block drop out log quick on igb2 inet proto icmp from 10.0.0.17 to any queue seven
block drop out log quick on igb2 inet proto icmp from 10.0.0.18 to any queue seven
block drop out log quick on igb2 inet proto icmp from 10.0.0.19 to any queue seven
block drop out log quick on igb1 inet proto icmp from 10.0.0.17 to any queue four
block drop out log quick on igb1 inet proto icmp from 10.0.0.18 to any queue four
block drop out log quick on igb1 inet proto icmp from 10.0.0.19 to any queue four
block drop in log quick on igb0 proto tcp from any to any port = http
block drop in log quick on igb0 proto tcp from any to any port = https
block drop out log quick on igb0 proto tcp from any port = 8080 to any
block drop in log quick on igb1 proto udp from any to any port = https queue four
block drop in log quick on igb0 inet proto tcp from any to any port = netbios-ns
block drop in log quick on igb0 inet proto tcp from any to any port = netbios-dgm
block drop in log quick on igb0 inet proto tcp from any to any port = netbios-ssn
block drop in log quick on igb0 inet proto udp from any to any port = netbios-ns
block drop in log quick on igb0 inet proto udp from any to any port = netbios-dgm
block drop in log quick on igb0 inet proto udp from any to any port = netbios-ssn
block drop in log quick on igb0 inet from 127.0.0.0/8 to any
block drop in log quick on igb0 inet from 192.168.0.0/16 to any
block drop in log quick on igb0 inet from 172.16.0.0/12 to any
block drop in log quick on igb0 inet from 10.0.0.0/8 to any
block drop in log quick on igb0 inet from 224.0.0.0/3 to any
block drop in log quick on igb0 proto tcp from any os "FreeBSD" to any
block drop in log quick on igb0 proto tcp from any os "OpenBSD" to any
block drop in log quick on igb0 proto tcp from any os "Linux" to any
block drop in log quick on igb0 proto tcp from any os "Windows" to any
block drop out log quick on igb0 inet from any to 127.0.0.0/8
block drop out log quick on igb0 inet from any to 192.168.0.0/16
block drop out log quick on igb0 inet from any to 172.16.0.0/12
block drop out log quick on igb0 inet from any to 10.0.0.0/8
block drop out log quick on igb0 inet from 224.0.0.0/3 to any
block drop in log quick on igb2 inet from 224.0.0.0/3 to any
block drop in log quick on igb1 inet from 224.0.0.0/3 to any
block drop in log quick on ! igb0 inet from ISPnet/24 to any
block drop in log quick inet from ISPip to any
block drop in log (all) on igb0 all

ALTQ:
queue root_igb1 on igb1 bandwidth 100Mb priority 0 {one, two, three, four}
queue  one on igb1 bandwidth 77Mb priority 10 qlimit 1000 hfsc( default )
queue  two on igb1 bandwidth 10Mb priority 9
queue  three on igb1 bandwidth 3Mb priority 0 hfsc( red )
queue  four on igb1 bandwidth 10Mb hfsc( red )
queue root_igb2 on igb2 bandwidth 100Mb priority 0 {five, six, seven}
queue  five on igb2 bandwidth 80Mb priority 10 qlimit 900 hfsc( default )
queue  six on igb2 bandwidth 7Mb priority 9 qlimit 200
queue  seven on igb2 bandwidth 5Mb priority 3

STATES:
removed, I hit the character limit

INFO:
Status: Enabled for 0 days 01:29:07           Debug: Urgent

State Table                          Total             Rate
  current entries                      607
  searches                         2229013          416.9/s
  inserts                            20948            3.9/s
  removals                           20341            3.8/s
Counters
  match                             247033           46.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

TABLES:
__automatic_be81f21c_0
__automatic_be81f21c_1

OS FINGERPRINTS:
762 fingerprints loaded

Lately there have been more and more attempts to attack, from the Internet (most often from the Chinese segment of the world wide web), the server entrusted to me. It runs FreeBSD 10.0 and serves both as a gateway for the internal networks and as a host for assorted Internet services. The attacks include ordinary spam, connection attempts (scanning) against closed and open ports, and even DoS (everything gets "DDoSed", from the mail server to bind). Particularly popular with home-grown hackers right now are ready-made kits that try to exploit the recently discovered hole in bash. To fend off these attempts I use the PF packet filter; its configuration file references a table loaded from an external file, into which I automatically add the IP addresses from which destructive actions were attempted.

Today, however, when I tried to reload the PF rules from the configuration file, I got the following error:

# pfctl -f /etc/pf.conf
/etc/pf.conf:139: cannot define table spammers: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

PF is enabled, and the location of its rules file set, in /etc/rc.conf. You can check that like so:

# grep pf /etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

Here is the part of the PF configuration file responsible for loading a table (in my case, spammers) from an external file:

# grep spammers /etc/pf.conf
table <spammers> persist file "/root/spammers"
block in quick on $ext_if from <spammers> to $ext_addr

IP addresses are added to /root/spammers automatically, one address per line. Today this file turned out to contain more than 100 000 lines:

# wc -l < /root/spammers
  101033

By default on this system PF caps the total number of table entries, across all tables, at 100 000 (see the last line of the pfctl -s memory output):

# pfctl -s memory
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000

To raise the table-entries hard limit, add the following to the PF configuration file:

# nano -w /etc/pf.conf
...
set limit table-entries 500000
...

which sets it to 500 000. Restart the PF packet filter and check the result:

# /etc/rc.d/pf restart
Disabling pf.
pf disabled
Enabling pf.
pf enabled
.
# pfctl -s memory
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   500000

Goal achieved: reloading the PF rules no longer produces any error:

# pfctl -f /etc/pf.conf
#
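A pre-flight check for this failure, added here as an example and not part of the article above. A syntax-only dry run (pfctl -nf /etc/pf.conf) never defines tables in the kernel, so it cannot catch "cannot define table ...: Cannot allocate memory"; counting the usable entries in the table file against the current table-entries hard limit before the reload can. The script below works on a constructed table file and a constructed copy of pfctl -s memory output; on a live host feed it the real file and the real pfctl -s memory text. The 20% headroom and the rounding up to a multiple of 100 000 are my own choices, not the article's (the article simply picked 500 000).

```shell
#!/bin/sh
# Added example: check whether the pf 'table-entries' hard limit can hold a table
# file before running 'pfctl -f', so the reload does not fail with
# "cannot define table ...: Cannot allocate memory".
# The table file and the 'pfctl -s memory' text below are constructed samples.

# Usable entries in a pf table file: pf ignores blank lines and '#' comments,
# so a plain 'wc -l' over-counts. A CIDR network line is one entry.
table_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# Current table-entries hard limit, parsed from saved 'pfctl -s memory' output.
current_limit() {
    awk '$1 == "table-entries" { print $NF }' "$1"
}

# Prints "ok" if the file fits under the limit with the given headroom (percent,
# default 20), otherwise the 'set limit' line to add to pf.conf, rounded up to a
# multiple of 100000 so the limit is not bumped again on every reload.
needed_limit() {
    n=$(table_entries "$1")
    lim=$(current_limit "$2")
    headroom=${3:-20}
    want=$(( n + n * headroom / 100 ))
    if [ "$want" -le "$lim" ]; then
        echo "ok"
    else
        echo "set limit table-entries $(( (want + 99999) / 100000 * 100000 ))"
    fi
}

# --- constructed samples (stand-ins for /root/spammers and 'pfctl -s memory') ---
SAMPLE_DIR=$(mktemp -d)

# 101033 addresses, as in the article, plus a comment and a blank line that
# must not be counted.
awk 'BEGIN {
    print "# addresses added by the blocklist script"
    for (i = 0; i < 101033; i++)
        printf "10.%d.%d.%d\n", int(i / 65536) % 256, int(i / 256) % 256, i % 256
    print ""
}' > "$SAMPLE_DIR/spammers"

# A short file that fits comfortably (three entries; the /24 counts as one).
printf '%s\n' '# known bad hosts' 198.51.100.7 203.0.113.0/24 192.0.2.99 > "$SAMPLE_DIR/small"

cat > "$SAMPLE_DIR/pf-memory.txt" <<'EOF'
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000
EOF

needed_limit "$SAMPLE_DIR/spammers" "$SAMPLE_DIR/pf-memory.txt"   # set limit table-entries 200000
needed_limit "$SAMPLE_DIR/small"    "$SAMPLE_DIR/pf-memory.txt"   # ok
```

The table-entries limit is shared by every table in the ruleset, so size it for the sum of all table files plus whatever your scripts add at runtime with pfctl -t spammers -T add, not for one file alone.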

Hi, I am having trouble with the Traffic Shaper.
It worked well for a couple of days after creating my initial ruleset through the wizard.  I made some modifications using the GUI and now have the following problems:
There were error(s) loading the rules:
/tmp/rules.debug:22: syntax error
/tmp/rules.debug:23: syntax error
/tmp/rules.debug:26: queue qwanRoot has no parent
/tmp/rules.debug:26: errors in queue definition
/tmp/rules.debug:27: queue qlanRoot has no parent
/tmp/rules.debug:27: errors in queue definition
/tmp/rules.debug:28: queue qwandef has no parent
/tmp/rules.debug:28: errors in queue definition
/tmp/rules.debug:29: queue qlandef has no parent
/tmp/rules.debug:29: errors in queue definition
/tmp/rules.debug:30: queue qwanacks has no parent
/tmp/rules.debug:30: errors in queue definition
/tmp/rules.debug:31: queue qlanacks has no parent
/tmp/rules.debug:31: errors in queue definition
/tmp/rules.debug:32: queue qVOIPUp has no parent
/tmp/rules.debug:32: errors in queue definition
/tmp/rules.debug:33: queue qVOIPDown has no parent
/tmp/rules.debug:33: errors in queue definition
/tmp/rules.debug:34: queue qP2PUp has no parent
/tmp/rules.debug:34: errors in queue definition
/tmp/rules.debug:35: queue qP2PDown has no parent
/tmp/rules.debug:35: errors in queue definition
/tmp/rules.debug:36: queue qGamesUp has no parent
/tmp/rules.debug:36: errors in queue definition
/tmp/rules.debug:37: queue qGamesDown has no parent
/tmp/rules.debug:37: errors in queue definition
/tmp/rules.debug:38: queue qOthersUpH has no parent
/tmp/rules.debug:38: errors in queue definition
/tmp/rules.debug:39: queue qOthersDownH has no parent
/tmp/rules.debug:39: errors in queue definition
/tmp/rules.debug:40: queue qOthersUpL has no parent
/tmp/rules.debug:40: errors in queue definition
/tmp/rules.debug:41: queue qOthersDownL has no parent
/tmp/rules.debug:41: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded

The line in question reads [22]: altq on fxp0 hfsc bandwidth queue { qwanRoot qlanRoot }…

I also notice that some of the items selected during the wizard do not appear in the completed rules list, most notably the penalised IP option and I also do not see any rules for ACKs.

I am using pfSense 1.2.1
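In the quoted line 22 the bandwidth keyword is followed directly by queue, with no value in between, and once pfctl rejects that altq on line every queue meant to hang under it is reported as having no parent (pfctl only registers a queue name when the statement listing it as a child was itself accepted). The script below is an added example of my own, not from the post or from pfSense: a shell/awk lint that checks an ALTQ section for exactly those two conditions before the rules reach pfctl. Both input files are constructed; the broken one is modelled on the quoted line with a small hfsc tree under it, and the fixed one adds a bandwidth value (2Mb is an arbitrary choice).

```shell
#!/bin/sh
# Added example (not from the post or from pfSense): lint the ALTQ section of a
# pf.conf-style file for the two conditions behind the errors quoted above.
#   1. an 'altq on IF SCHED bandwidth ...' line where 'bandwidth' has no value
#      (pfctl: "syntax error"); bandwidth may be omitted entirely, in which case
#      pf uses the interface speed, but if present it needs a value.
#   2. queues whose parent chain never reaches an accepted 'altq on' line
#      (pfctl: "queue X has no parent"); one bad altq line orphans the whole tree.
# Prints one finding per line and exits 1 if there were any.

altq_lint() {
    awk '
    # Record every name inside { } on this line as a child of "owner".
    function children(owner,   i, inlist) {
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inlist = 1; continue }
            if ($i == "}") { inlist = 0; continue }
            if (inlist) parent[$i] = owner
        }
    }
    {
        sub(/#.*/, "")                                          # drop comments
        gsub(/,/, " "); gsub(/[{]/, " { "); gsub(/[}]/, " } ")  # "{a, b}" -> "{ a b }"
    }
    $1 == "altq" {
        ok = 1
        for (i = 1; i <= NF; i++)
            if ($i == "bandwidth" && $(i + 1) !~ /^[0-9]+(\.[0-9]+)?([KMG]?b|%)$/)
                ok = 0
        if (ok) children("altq:" $3)          # $3 is the interface after "on"
        else { printf "%d: altq on %s: bandwidth keyword has no value\n", NR, $3; bad++ }
        next
    }
    $1 == "queue" {
        declared[$2] = NR
        children($2)
    }
    END {
        for (q in declared) {
            # walk up the chain; "altq:IF" owners are accepted altq lines
            p = q; hops = 0
            while ((p in parent) && parent[p] !~ /^altq:/ && hops++ < 64)
                p = parent[p]
            if (!(p in parent)) {
                printf "%d: queue %s has no parent\n", declared[q], q; bad++
            }
        }
        exit (bad ? 1 : 0)
    }' "$1"
}

# --- constructed samples ---
SAMPLE_DIR=$(mktemp -d)

# Modelled on the quoted rules.debug line 22: 'bandwidth' with no value.
cat > "$SAMPLE_DIR/broken.conf" <<'EOF'
altq on fxp0 hfsc bandwidth queue { qwanRoot qlanRoot }
queue qwanRoot bandwidth 50% hfsc { qwandef qwanacks }
queue qlanRoot bandwidth 50% hfsc { qlandef }
queue qwandef bandwidth 60% hfsc(default)
queue qwanacks bandwidth 30% priority 7 hfsc(realtime 20%)
queue qlandef bandwidth 100% hfsc(default)
EOF

# Same tree with a bandwidth value on the altq line (2Mb chosen arbitrarily).
sed 's/bandwidth queue/bandwidth 2Mb queue/' "$SAMPLE_DIR/broken.conf" > "$SAMPLE_DIR/fixed.conf"

altq_lint "$SAMPLE_DIR/broken.conf" || echo "broken.conf rejected"
altq_lint "$SAMPLE_DIR/fixed.conf"  && echo "fixed.conf accepted"
```

This only catches the structural problems pfctl reports above; the authoritative check is still pfctl -nf on the generated file, which parses the full grammar without loading anything.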
