Pf debugging
From wikinotes
General Notes
- Remember that pf is a stateful firewall. If an IP has been blocked and you then add it to a whitelist table, it will remain blocked until you execute pfctl -F all -f /etc/pf.conf, because the existing state entry keeps matching.
- Remember that pfctl -F all -f /etc/pf.conf will clear rules AND tables. You may need to recreate table entries BEFORE access is attempted, so that the traffic is matched and marked for blocking.
- Use sudo tcpdump -n -e -ttt -i pflog0 port 5555 to watch blocked traffic. If that does not work, check the actual interface for clues.
- If using vnet jails, remember that there are two layers of pf: one for the host, and one inside the jail.
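The following is an added example, not part of the original notes, of a small reload helper for the point above: because pfctl -F all flushes table contents along with rules and states, the script reloads the ruleset and then re-adds the entries of one table from a file. The table name whitelist and the file /etc/pf.whitelist are hypothetical; set PFCTL to "echo pfctl" to preview the commands without touching a live firewall.

```shell
# Added example (not from the original notes): reload pf and rebuild a table
# in one step, because "pfctl -F all" flushes table contents together with
# rules and states. Names are hypothetical: the table is "whitelist" and its
# members live one per line in /etc/pf.whitelist.

PFCTL="pfctl"               # set to "echo pfctl" to preview the commands
PF_CONF="/etc/pf.conf"

# Print the addresses in a table file, skipping blank lines and '#' comments.
#   $1 = file with one address or CIDR per line
pf_table_addresses() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | tr -d '[:blank:]'
}

# Flush rules, states and tables, reload the ruleset, then re-add each
# address to the named table so table-based rules match again immediately.
#   $1 = table name   $2 = file with one address or CIDR per line
pf_reload() {
    $PFCTL -F all -f "$PF_CONF" || return 1
    pf_table_addresses "$2" | while read -r addr; do
        $PFCTL -t "$1" -T add "$addr" || return 1
    done
}

# Typical use (run as root on the firewall host):
#   pf_reload whitelist /etc/pf.whitelist
```

If the table is declared in pf.conf as table <whitelist> persist file "/etc/pf.whitelist", pfctl -f repopulates it from that file on every reload and the add loop is unnecessary; the loop is for tables filled at runtime (for example by a ban script) that have no backing file.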
pftop
See pftop
pflog
pflog service won't start
You'll know the problem if:
tail -f /var/log/daemon.log
# watch for reason
# Failed to initialize: pflog0: (there are no BPF devices)
## OR
tcpdump -i pflog0
# tcpdump: (there are no BPF devices)
My problem was twofold.
- I had assigned my FreeBSD devfs ruleset the number 5, which was an existing default ruleset. Changing to 100 properly loaded the ruleset.
- I needed the additional rule add path 'bpf*' unhide
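As an added example, not from the original notes, the shell helpers below check whether a devfs ruleset number is already defined in /etc/defaults/devfs.rules before you pick it for a jail, and print a ruleset stanza that carries the bpf* unhide rule. The ruleset name devfsrules_jail_pflog and the number 100 are hypothetical; check the defaults file on your own release, since the numbers it reserves have grown over time.

```shell
# Added example (not from the original notes): avoid colliding with a default
# devfs ruleset number, and emit a stanza that exposes /dev/bpf* to a jail so
# pflog and tcpdump can open a BPF device. The name "devfsrules_jail_pflog"
# and the number 100 are hypothetical.

DEVFS_DEFAULTS="/etc/defaults/devfs.rules"

# List the ruleset numbers defined in a devfs.rules file, one per line.
# Stanza headers look like "[devfsrules_jail=4]".
#   $1 = devfs.rules file
devfs_ruleset_numbers() {
    sed -n 's/^\[[A-Za-z0-9_]*=\([0-9][0-9]*\)].*/\1/p' "$1"
}

# Succeed (exit 0) if number $1 is already used as a ruleset in file $2.
devfs_ruleset_taken() {
    devfs_ruleset_numbers "$2" | grep -qx "$1"
}

# Print a devfs.rules stanza for a jail that also unhides the bpf devices.
# The three includes are the standard building blocks from the defaults file.
#   $1 = ruleset name   $2 = ruleset number
devfs_pflog_ruleset() {
    printf '[%s=%s]\n' "$1" "$2"
    printf 'add include $devfsrules_hide_all\n'
    printf 'add include $devfsrules_unhide_basic\n'
    printf 'add include $devfsrules_unhide_login\n'
    printf "add path 'bpf*' unhide\n"
}

# Example run (on the jail host):
#   if devfs_ruleset_taken 100 "$DEVFS_DEFAULTS"; then
#       echo "ruleset 100 already defined in $DEVFS_DEFAULTS" >&2
#   else
#       devfs_pflog_ruleset devfsrules_jail_pflog 100 >> /etc/devfs.rules
#       service devfs restart     # then set devfs_ruleset = 100 for the jail
#   fi
```

After appending the stanza and restarting devfs, point the jail at it (devfs_ruleset = 100 in jail.conf) and restart the jail; the new rules apply only to a freshly mounted jail devfs.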
Tricky Connections
# first line of defense is always tcpdump
tcpdump -n -e -ttt -i pflog0 # packets logged by pf (blocked traffic, if your block rules carry "log")
tcpdump -n -e -ttt -i en0 # packets on en0
pfctl -s states | grep 10.0.0.1 # show state entries (all protocols) involving 10.0.0.1