Problem using pkg with pf enabled on FreeBSD 7.0
I have a strange problem when I enable pf.
The first time I tried to use the same configuration that I use on OpenBSD 4.3, but I had some problems, so I decided to use a simple example present on FreeBSD. If I leave block all I can use the browser and web-mail, but I can't use pkg, while I have no problem on OpenBSD 4.3.

/etc/pf.conf:

## Macros

FILTER RULES:

I can also use pkg with:

FILTER RULES:
When I try to use pkg I can't install new software.
I don't see any error; it just doesn't connect to download the package. For the moment I'm using this instruction: pass in on $ext_if from any to any, together with block all, but I don't like this solution. :(
Change block all to block in, reload firewall rules, and see what happens.
The problem persists after this change.
On OpenBSD I use the modulate state option on the output chain, while on FreeBSD I always receive an error, so I can't use it. Perhaps this is the problem? Note: I use FreeBSD on VMware.
I have not used FreeBSD in VMware, but I have used OpenBSD in it, mainly for testing purposes. I've used a NAT network connection for the guest OS as opposed to a bridged connection and haven't had any problems, with the pf firewall either on or off. Are you using a NAT connection? If so, you really don't need the firewall on if FreeBSD is the only guest OS on that virtual network.
The only other possibility I can think of is that you need ftp-proxy running and added to your firewall rule set, but I wouldn't think that is the case since you only have one network interface and the FTP connections are originating from it. I don't need it for my OpenBSD VMware setup. Turn on pf logging and see what is happening when you're blocking. Edit: I just checked the latest VMware Workstation 6.0 release notes and FreeBSD 6.2 is fully supported, so version 7.0 may not be fully supported, hence why you're having a problem.
Yes, I have only one network interface and the FTP connections are originating from it. So I don't use a NAT connection.
I followed these steps:

pass in log on $ext_if from any to any

$ sudo tcpdump -n -e -ttt -r /var/log/pflog
....
174. 320866 rule 8/0(match): pass in on le0: 204.152.184.73.20 > 192.168.1.65.58244: S 1895111900:1895111900(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]>
....

Now I am using the following statement:

pass in on $ext_if from 204.152.184.73 to any

It works. Of course I can also specify my IP address instead of any, but apart from that, is there a better alternative?
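The pflog line above shows the FTP server (204.152.184.73) opening a TCP connection from its port 20 (ftp-data) to an unprivileged port on the client, which is how active-mode FTP delivers file data: the client tells the server which port to connect to, and the server initiates the data connection. A ruleset whose only pass rule is outbound with keep state has no state entry for that inbound SYN, so block all drops it, and the download silently never starts. The ruleset below is an added example, not the original poster's configuration, showing a narrower way to admit that connection than pass in from 204.152.184.73 to any. It assumes le0 is the external interface (as in the log excerpt) and that this host is the only one behind it.

```pf
# Added example ruleset for the active-FTP case discussed in this thread.
# Assumption: le0 is the external interface (taken from the pflog excerpt).
ext_if = "le0"

set skip on lo0
scrub in all

# Default deny in both directions, as in the original post.
block all

# Anything this host initiates may leave; the state entry created here lets
# the replies back in, so no "pass in" rule is needed for browsing or mail.
pass out on $ext_if proto { tcp udp } from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state

# Active-mode FTP data connection: the server connects from port 20 to the
# unprivileged port the client announced. This is the inbound SYN
# (204.152.184.73.20 > 192.168.1.65.58244) seen in the pflog excerpt.
# Compared with "pass in from 204.152.184.73 to any", this admits only TCP,
# only from port ftp-data, only to ports above 1023, and only the initial
# SYN; everything else the server might send is still blocked.
pass in on $ext_if proto tcp from any port ftp-data to ($ext_if) port > 1023 flags S/SA keep state

# Optional tightening: replace "from any" above with the mirror's address
# (here the one seen in the log) if packages always come from one host.
# pass in on $ext_if proto tcp from 204.152.184.73 port ftp-data to ($ext_if) port > 1023 flags S/SA keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. Even narrowed this way, the rule still trusts any host that can send from source port 20. The alternative that needs no inbound rule at all is passive FTP, where the client also initiates the data connection: fetch(3), which pkg_add(1) uses for its downloads, uses passive mode when the FTP_PASSIVE_MODE environment variable is set to anything other than no. ftp-proxy(8), mentioned earlier in the thread, addresses the same problem differently, by watching the control connection and opening the data-connection hole only while that session exists.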
I'm glad you found a way to make it work.
Thanks. :)
Perhaps if others have had the same problem they will recommend a more elegant solution than the one I found.