|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
pf hates me: "Operation not supported by device"
From: Derick Siddoway (derick
panther.bitflood.net)
Date: Thu Oct 02 2003 - 13:36:47 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I upgraded to a snapshot and then pulled that up to -current a
few days ago.
derickpanther:~$ sudo pfctl -e -f /etc/pf.conf
pfctl: DIOCXBEGIN: Operation not supported by device
pfctl: DIOCXROLLBACK: Operation not supported by device
derickpanther:~$ sudo cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
ext_if="xl0" # replace with actual external interface name i.e., dc0
#int_if="int0" # replace with actual internal interface name i.e., dc1
#internal_net="10.1.1.1/8"
external_addr="166.70.179.62"
NewsHosts=" { 127.0.0.1, xcski.com, panther.bitflood.net, heimdall.bitflood.net } "
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
# Filtering: the implicit first two rules are
#pass in all
#pass out all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $ext_if proto tcp from any to $ext_if port 23 keep state
pass in on $ext_if proto tcp from any to $ext_if port 25 keep state
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state
pass in on $ext_if proto tcp from any to $ext_if port 443 keep state
pass in on $ext_if proto tcp from $NewsHosts to any port 119 keep state
pass in on $ext_if proto tcp from any to any port 113 keep state
pass in on $ext_if proto tcp from any to any port 667 keep state
pass in on $ext_if inet proto icmp all icmp-type echoreq code 0 keep state
pass out on $ext_if proto { tcp, udp } all keep state
# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
derickpanther:~$ sudo pfctl -n -f /etc/pf.conf
derickpanther:~$
This used to work...
--
"We *are*, therefore we am," he said confidently. "That's it." Several of
the philosophers looked at one another with interest. "That's actually quite
interesting," one said. "The evidence of our existance is the *fact* of our
existence, is that what you're saying?" (Terry Pratchett, "Small Gods")
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]