LinuxQuestions.org
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.
Old 06-20-2008, 04:47 AM   #1
AleLinuxBSD
Problem using pkg with pf enabled on FreeBSD 7.0


I have a strange problem when I enable pf.

The first time I tried to use the same configuration that I use on OpenBSD 4.3, but I had some problems, so I decided to use a simple example present on FreeBSD.

If I leave block all, I can use the browser and I can use web-mail, but I can't use pkg, while I have no problem on OpenBSD 4.3.

/etc/pf.conf
Code:
## Macros
# The external interface (connected to internet)
ext_if="le0"

#table <spamd-white> persist

## Options
set block-policy return

# Ignore the loopback interface entirely
set skip on lo

scrub in

## Filtering rules
block all

antispoof quick for { lo $ext_if }

pass out on $ext_if proto { tcp, udp, icmp } from any to any
Code:
FILTER RULES:
scrub in all fragment reassemble
block return all
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! le0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.65 to any
pass out on le0 proto tcp all flags S/SA keep state
pass out on le0 proto udp all keep state
pass out on le0 proto icmp all keep state
...
While without the instruction block all, I can also use pkg:
Code:
FILTER RULES:
scrub in all fragment reassemble
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! le0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.65 to any
pass out on le0 proto tcp all flags S/SA keep state
pass out on le0 proto udp all keep state
pass out on le0 proto icmp all keep state
...
 
Old 06-20-2008, 08:40 AM   #2
bsdunix
Quote:
... but i can't use pkg ...
Please explain. How/what can't use pkg? Do you see errors? What are they?
 
Old 06-20-2008, 10:14 AM   #3
AleLinuxBSD

When I try to use pkg I can't install new software.

I don't see any error; it just doesn't connect to download the package.

For the moment I'm using this instruction:

pass in on $ext_if from any to any

with block all, but I don't like this solution.

Last edited by AleLinuxBSD; 06-20-2008 at 10:15 AM.
 
Old 06-20-2008, 02:52 PM   #4
bsdunix
Change block all to block in, reload firewall rules, and see what happens.
 
Old 06-21-2008, 01:50 AM   #5
AleLinuxBSD
The problem persists after this change.

On OpenBSD I use the modulate state option on the output rule, while on FreeBSD I always receive an error, so I can't use it.

Perhaps this is the problem?

Note:
I use FreeBSD on VMware.

Last edited by AleLinuxBSD; 06-21-2008 at 01:55 AM.
 
Old 06-21-2008, 09:43 AM   #6
bsdunix
I have not used FreeBSD in VMware, but I have used OpenBSD in it, mainly for testing purposes. I've used a NAT network connection for the guest OS as opposed to a bridged connection and haven't had any problems, with the pf firewall either on or off. Are you using a NAT connection? If so, you really don't need the firewall on if FreeBSD is the only guest OS on that virtual network.

The only other possibility I can think of is that you need ftp-proxy running and added to your firewall rule set, but I wouldn't think that is the case since you only have one network interface and ftp connections are originating from it. I don't need it for my OpenBSD VMware setup.

Turn on pf logging and see what is happening when you're blocking.

Edit:

I just checked the latest VMware Workstation 6.0 release notes and FreeBSD 6.2 is fully supported, so ver. 7.0 may not be fully supported, hence why you're having a problem.

Last edited by bsdunix; 06-21-2008 at 09:47 AM.
 
Old 06-21-2008, 11:48 AM   #7
AleLinuxBSD
Yes, I have only one network interface and ftp connections are originating from it. So I don't use a NAT connection.

I followed these steps:
pass in log on $ext_if from any to any

$ sudo tcpdump -n -e -ttt -r /var/log/pflog

....
174. 320866 rule 8/0(match): pass in on le0: 204.152.184.73.20 > 192.168.1.65.58244: S 1895111900:1895111900(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]>
....

Now I am using the following statement:
pass in on $ext_if from 204.152.184.73 to any

It works.

Of course I can also specify my IP address instead of any, but apart from that, is there a better alternative?
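An added example, not code from the thread: a small parser for pflog records as printed by tcpdump, run over the line quoted above plus one constructed line. It flags what the logged packet is: an inbound SYN whose source port is 20 is an FTP server opening an active-mode data connection back to the client, which a ruleset that only passes outbound traffic with keep state will never have state for. The second sample line and the classification labels are this example's own.

```python
import re

# Constructed sample: the first line is the pflog record quoted in the thread
# (as printed by "tcpdump -n -e -ttt -r /var/log/pflog"); the second is made
# up here so there is a non-FTP inbound SYN to contrast against.
SAMPLE_PFLOG = """\
174. 320866 rule 8/0(match): pass in on le0: 204.152.184.73.20 > 192.168.1.65.58244: S 1895111900:1895111900(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]>
175. 001234 rule 1/0(match): block in on le0: 198.51.100.7.40000 > 192.168.1.65.22: S 10:10(0) win 512
"""

# Fields tcpdump prints for a pflog record; the TCP flags follow the port pair.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)?"
)

FTP_DATA_PORT = 20  # active-mode FTP: the server connects *to* the client from port 20


def parse_pflog_line(line):
    """Return a dict of the pflog fields, or None if the line is not a pflog record."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "subrule", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"] or ""
    return rec


def classify(rec):
    """Say why an inbound packet needed its own 'pass in' rule to get through."""
    new_connection = rec["direction"] == "in" and rec["flags"] == "S"  # bare SYN
    if new_connection and rec["sport"] == FTP_DATA_PORT:
        return "active-ftp-data"      # server-initiated data channel, no outbound state
    if new_connection:
        return "unsolicited-inbound"  # nothing outbound created state for this
    return "other"


def analyse_pflog(text):
    """Parse every pflog record in text and pair it with its classification."""
    results = []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec:
            results.append((rec, classify(rec)))
    return results
```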
 
Old 06-23-2008, 09:16 AM   #8
bsdunix
I'm glad you found a way to make it work.
 
Old 06-24-2008, 03:55 AM   #9
AleLinuxBSD
Thanks.


Perhaps if others have had the same problem they will recommend a more elegant solution than the one I found.