# Running a sample pf.conf, I get strange messages.



## prdeltoid (Jun 16, 2010)

I tried using this pf.conf that I found:
http://www.whmcr.com/old-content/openbsd-freebsd-pfconf/
When I put this in /etc/pf.conf and this in my /etc/rc.conf:

```
home# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Tue Jun 15 00:46:39 2010
# Created: Tue Jun 15 00:46:39 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="home"
ifconfig_rl0="DHCP"
linux_enable="YES"
moused_enable="YES"
hald_enable="YES"
dbus_enable="YES"
gdm_enable="YES"
gnome_enable="YES"
pf_enable="YES"
pflog_enable="YES"
```
and run /etc/rc.d/pf start, it shows this:

```
home# /etc/rc.d/pf start
Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
no IP address found for 80.xx.xx.xx/32
/etc/pf.conf:17: could not parse host specification
no IP address found for 80.xx.xx.xx/32
/etc/pf.conf:21: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
No ALTQ support in kernel
ALTQ related functions disabled
```
What happened? Should it still work? What should I do? :beergrin


----------



## prdeltoid (Jun 16, 2010)

Does anyone know of a better pf.conf file that I can use?


----------



## prdeltoid (Jun 16, 2010)

What about this one, at the bottom of the page:
http://www.openbsd.org/faq/pf/example1.html
Please let me know if that's a good one. It seems like it should be. How would I stealth the ports for this? I would like stealth.


----------



## DutchDaemon (Jun 17, 2010)

If you put 80.xx.xx.xx/32 in your own pf.conf, _literally_, may I suggest you first read the PF FAQ before using a random pf.conf off the net? PF is way too serious for an uninformed cut & paste job.


----------



## prdeltoid (Jun 17, 2010)

I know, once I read the errors really carefully and looked more closely at the pf.conf file example that I had pasted I decided to go with my second post. It's from OpenBSD's website and it's an example for home or small office. I haven't read yet about how to make my own because I'm new to FreeBSD and have been reading about other things... it seems like it should be a good one, and I've been using it all day.


----------



## prdeltoid (Jun 17, 2010)

I need a pf.conf that is very secure and doesn't allow access to any ports and preferably stealths the ports. I don't have any reason to have anyone be able to access anything on my computer.


----------



## SirDice (Jun 17, 2010)

Here's a really simple one, it'll block all incoming traffic while allowing everything to go out.


```
myint="rl0"

block in log all

pass out on $myint from any to any keep state
```

You can see what's being blocked by capturing the traffic on pflog0:
`# tcpdump -ni pflog0`


----------



## prdeltoid (Jun 19, 2010)

Would that stealth ports? If not, is there a very easy way to add it to the example? That's what I want, all blocked. Simple. I would appreciate being able to pass the Shields Up test.


----------



## DutchDaemon (Jun 20, 2010)

pf.conf(5)


```
set block-policy
           The block-policy option sets the default behaviour for the packet
           block action:

           drop      Packet is silently dropped.
           return    A TCP RST is returned for blocked TCP packets, an ICMP
                     UNREACHABLE is returned for blocked UDP packets, and all
                     other packets are silently dropped.

           For example:

                 set block-policy return
```


----------
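Putting the two answers together: the following is an added example pf.conf (not posted by anyone in this thread) that combines SirDice's two-rule ruleset with the `block-policy` option quoted from pf.conf(5). It assumes the external interface is rl0, as in the rc.conf shown in the first post.

```pf
# Added example: SirDice's ruleset plus the block-policy option from pf.conf(5).
# Assumes the external interface is rl0 (taken from the original rc.conf).
myint="rl0"

# Leave loopback traffic alone; otherwise local programs talking to
# 127.0.0.1 would also be caught by "block in all".
set skip on lo0

# "drop" discards blocked packets silently instead of answering with a
# TCP RST or an ICMP unreachable, so a port scan sees no reply at all.
# drop is already the default; it is written out here to make the intent explicit.
set block-policy drop

# Block everything inbound and log it to pflog0.
block in log all

# Let all outbound traffic through; "keep state" lets the replies back in.
pass out on $myint from any to any keep state
```

Check the syntax without loading anything with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`; dropped probes still show up in `tcpdump -ni pflog0`.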

