LinuxQuestions.org

*BSD forum thread: Problem using pkg with pf enabled on FreeBSD 7.0 (https://www.linuxquestions.org/questions/%2Absd-17/problem-using-pkg-with-pf-enabled-on-freebsd-7-0-a-650490/)

AleLinuxBSD 06-20-2008 03:47 AM

Problem using pkg with pf enabled on FreeBSD 7.0
 
I have a strange problem when I enable pf.

The first time I tried to use the same configuration that I use on OpenBSD 4.3, but I had some problems, so I decided to use a simple example present on FreeBSD.

If I leave block all in place, I can use the browser and web-mail, but I can't use pkg, while I have no such problem on OpenBSD 4.3.

/etc/pf.conf
Code:

## Macros
# The external interface (connected to internet)
ext_if="le0"

#table <spamd-white> persist

## Options
set block-policy return

# Ignore the loopback interface entirely
set skip on lo

scrub in

## Filtering rules
block all

antispoof quick for { lo $ext_if }

pass out on $ext_if proto { tcp, udp, icmp } from any to any

Code:

FILTER RULES:
scrub in all fragment reassemble
block return all
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! le0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.65 to any
pass out on le0 proto tcp all flags S/SA keep state
pass out on le0 proto udp all keep state
pass out on le0 proto icmp all keep state
...

Whereas without the instruction block all, I can also use pkg:
Code:

FILTER RULES:
scrub in all fragment reassemble
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! le0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.65 to any
pass out on le0 proto tcp all flags S/SA keep state
pass out on le0 proto udp all keep state
pass out on le0 proto icmp all keep state
...


bsdunix 06-20-2008 07:40 AM

Quote:

... but i can't use pkg ...
Please explain. How/What can't use pkg? Do you see errors, what are they?

AleLinuxBSD 06-20-2008 09:14 AM

When I try to use pkg I can't install new software.

I don't see any error; it only doesn't connect to download the package.

For the moment I'm using this instruction:

pass in on $ext_if from any to any

with block all, but I don't like this solution. :(

bsdunix 06-20-2008 01:52 PM

Change block all to block in, reload firewall rules, and see what happens.

AleLinuxBSD 06-21-2008 12:50 AM

The problem persists after this change.

On OpenBSD I use the modulate state option on the output chain, while on FreeBSD I always receive an error, so I can't use it.

Perhaps this is the problem?

Note:
I use FreeBSD on VMware.

bsdunix 06-21-2008 08:43 AM

I have not used FreeBSD in VMware, but I have used OpenBSD in it, mainly for testing purposes. I've used a NAT network connection for the guest OS as opposed to a bridged connection and haven't had any problems, with either the pf firewall on or off. Are you using a NAT connection? If so, you really don't need the firewall on if FreeBSD is the only guest OS on that virtual network.

The only other possibility I can think of is that you need ftp-proxy running and added to your firewall rule set, but I wouldn't think that is the case since you only have one network interface and ftp connections are originating from it. I don't need it for my OpenBSD VMware setup.

Turn on pf logging and see what is happening when you're blocking.

Edit:

I just checked the latest VMware Workstation 6.0 release notes and FreeBSD 6.2 is fully supported, so ver. 7.0 may not be fully supported, hence why you're having a problem.

AleLinuxBSD 06-21-2008 10:48 AM

Yes, I have only one network interface and ftp connections are originating from it. So I don't use a NAT connection.

I followed the following steps:
pass in log on $ext_if from any to any

$ sudo tcpdump -n -e -ttt -r /var/log/pflog

....
174. 320866 rule 8/0(match): pass in on le0: 204.152.184.73.20 > 192.168.1.65.58244: S 1895111900:1895111900(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]>
....

Now I am using the following statement:
pass in on $ext_if from 204.152.184.73 to any

It works.

Of course I can also specify my IP address instead of any, but apart from that is there a better alternative?
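
As an added example (not from the thread): the tcpdump line above has a fixed shape, so a small parser can pull out the rule, direction and endpoints of every logged packet and flag inbound connections whose source port is 20, i.e. active-mode FTP data connections, which a stateful pass out rule alone never admits. The sample log lines are constructed (the first is the one quoted above), the parser is IPv4-only, and the narrowed pass rule it builds is a suggestion in the pf syntax seen in the pfctl output, not a tested replacement for the poster's rule.

```python
import re

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output: the first line is
# the one quoted in the thread, the second is made up to show a blocked connection.
SAMPLE_PFLOG = """\
174. 320866 rule 8/0(match): pass in on le0: 204.152.184.73.20 > 192.168.1.65.58244: S 1895111900:1895111900(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]>
000000. 512340 rule 1/0(match): block in on le0: 10.0.0.9.4444 > 192.168.1.65.22: S 1:1(0) win 65535
"""

# Matching starts at "rule ...", so the timestamp style (-t, -tt, -ttt) does not matter.
# IPv4 only; pflog lines for IPv6 use a different address syntax and are skipped.
_LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

FTP_DATA_PORT = 20  # active-mode FTP: the server opens the data connection from this port

def parse_pflog_line(line):
    """Return rule number, action, direction, interface and endpoints, or None if unparsed."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        entry[key] = int(entry[key])
    # An inbound SYN with source port 20 is the FTP server dialling back to the
    # client's ephemeral port; the outbound state entry does not cover it.
    entry["ftp_data"] = entry["dir"] == "in" and entry["sport"] == FTP_DATA_PORT
    return entry

def inbound_ftp_data(log_text):
    """List (server, client, client_port, action) for every active-FTP data connection seen."""
    hits = []
    for line in log_text.splitlines():
        e = parse_pflog_line(line)
        if e and e["ftp_data"]:
            hits.append((e["src"], e["dst"], e["dport"], e["action"]))
    return hits

def narrow_pass_rule(entry):
    """Build a pf rule admitting only this server's ftp-data connections instead of 'from any'."""
    return (f"pass in on {entry['ifname']} proto tcp from {entry['src']} port {entry['sport']} "
            f"to {entry['dst']} port > 1023 flags S/SA keep state")
```

Running the parser over the real /var/log/pflog after enabling the logged pass in rule shows which hosts and ports actually need the inbound opening, so the rule can be narrowed to them rather than to any.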

bsdunix 06-23-2008 08:16 AM

I'm glad you found a way to make it work.

AleLinuxBSD 06-24-2008 02:55 AM

Thanks. :)


Perhaps if others have had the same problem they will recommend a more elegant solution than the one I found.

