# Problem with PF Config



## alexsc13 (Feb 1, 2011)

Hi,

I started to use PF and mostly it works but I have some problems. This is my current pf.conf :


```
tcp_in_pass = "{ 21 22 25 53 80 465 995 10011 30033 }"
tcp_out_pass = "{ 21 22 53 }"

udp_in_pass = "{ 53 995 9987 }"
udp_out_pass = "{ 53 }"

ext_if = "bge0"

icmp_types = "{ echoreq, unreach }"

scrub in on $ext_if all fragment reassemble

block in all

pass out keep state

block in quick from urpf-failed

set skip on lo0
antispoof log for $ext_if

pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass out on $ext_if proto tcp to any port $tcp_out_pass keep state
pass in on $ext_if proto tcp to any port $tcp_in_pass keep state

pass out on $ext_if proto tcp to any port $udp_out_pass keep state
pass in on $ext_if proto tcp to any port $udp_in_pass keep state
```

My first problem is the Team Speak 3 Server, I cannot make it available to outside connections. The ports needed by it are UDP 9987 and TCP 10011 + 30033. I tried this with IPFW and it worked just fine:


```
$IPF 500 allow udp from any to any 9987 in
$IPF 510 allow tcp from any to any 30033 in
$IPF 520 allow tcp from any to any 10011 in
```

So, how to make it work with PF ?

The other problem is banning IPs. When I use for example `pfctl -t fail2ban -T add IP` it says

```
1/1 added
```

but when I use `pfctl -a all` the IP is listed nowhere and also the remote server with that IP is still able to connect to this server. What am I missing there ?


----------



## kisscool-fr (Feb 1, 2011)

Is your machine directly accessible from the outside ? Is your team speak server installed on this machine ?

To ask it simply, what is your network topology ?



> When I use for example pfctl -t fail2ban -T add IP it says 1/1 added but when I use pfctl -a all the IP is listed nowhere



To see the content of your tables, the command is 

```
pfctl -t fail2ban -T show
```



> and also the remote server with that IP is still able to connect to this server.



I don't see anywhere your fail2ban table in your pf.conf. You have to declare it in your pf configuration file and use it in your rules.


----------



## alexsc13 (Feb 1, 2011)

The Team Speak Server is installed on the machine and is directly accessible. It works fine when I shut down PF or when I try it with IPFW and the rules I had in my original post.

I wasn't aware that I have to declare the table for Fail2ban in my rules, do I have to do it as an Anchor ? Thank you.


----------



## kpa (Feb 1, 2011)

```
pass in on $ext_if proto udp from any to ($ext_if) port 9987
pass in on $ext_if proto tcp from any to ($ext_if) port 10011
pass in on $ext_if proto tcp from any to ($ext_if) port 30033
```

For the fail2ban table you need something like:


```
table <fail2ban> persist
```

And:


```
block in quick on $ext_if from <fail2ban> to any
```


----------



## alexsc13 (Feb 1, 2011)

Thanks a lot, both are working now. Fail2ban does ban and the Team Speak Server can be reached.

Could you please explain to me why the ports as I defined them in the macro don't work but adding them separately does ? I personally cannot see the reason behind this right now. Thank you.


----------



## kpa (Feb 1, 2011)

I don't see any reason either why it wouldn't work with macros. Try with just those two tcp port numbers in a macro and check what pf thinks of the rules with `# pfctl -sr` after a reload.


----------



## DutchDaemon (Feb 1, 2011)

You can always load the ruleset and run `pfctl -sr` and carefully check all of the rules to see whether they expand to what you expected.

You can also skip the macros at the top and simply write

```
pass in on $ext_if proto tcp to any port { 21 22 25 53 80 465 995 10011 30033 } keep state
```


----------



## alexsc13 (Feb 2, 2011)

Thanks again for the tips, I actually noticed last night why my config did not work as intended. The 2 lines where I used my in and out macro for the UDP ports were using proto tcp instead of proto udp, makes sense that it did not open the UDP port then.


----------



## DutchDaemon (Feb 2, 2011)

Ah yes, I see it now .. "proto tcp -> udp_ports .." Devil in the details.

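The thread's two lessons are that a `<table>` must be declared before a rule can reference it (kpa's post) and that macros are plain text substitution, so a UDP port macro behind `proto tcp` silently opens the wrong protocol (the typo found in the last two posts). The following is an added example, not code from the thread or from pf itself: a small Python expander that does what `pfctl -sr` does for `$macros` and `{ lists }`, plus two lint checks for exactly those mistakes. `CORRECTED_CONF` is an assumed rewrite of alexsc13's pf.conf with kpa's table rule, the `proto udp` fix and an assumed ICMP pass rule for the otherwise unused `icmp_types` macro; `ORIGINAL_UDP_LINES` holds the two offending lines from the first post.

```python
# Added example (not from the thread): expand pf macros and { lists } the way
# `pfctl -sr` shows them, then lint for the two mistakes discussed above.
import re

# Assumed corrected pf.conf: table declared, proto udp on the UDP lines,
# options/normalization before filter rules, and an ICMP rule that uses the
# icmp_types macro the original post defined but never referenced.
CORRECTED_CONF = r'''
ext_if = "bge0"
tcp_in_pass = "{ 21 22 25 53 80 465 995 10011 30033 }"
tcp_out_pass = "{ 21 22 53 }"
udp_in_pass = "{ 53 995 9987 }"
udp_out_pass = "{ 53 }"
icmp_types = "{ echoreq, unreach }"

table <fail2ban> persist   # declared before any rule references it

set skip on lo0
scrub in on $ext_if all fragment reassemble

block in all
block in quick from urpf-failed
block in quick on $ext_if from <fail2ban> to any
antispoof log for $ext_if

pass out keep state
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $ext_if proto tcp to any port $tcp_out_pass keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_in_pass keep state
pass out on $ext_if proto udp to any port $udp_out_pass keep state
pass in on $ext_if proto udp from any to ($ext_if) port $udp_in_pass keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
'''

# The two lines from the original post: UDP port macros behind "proto tcp".
ORIGINAL_UDP_LINES = r'''
ext_if = "bge0"
udp_in_pass = "{ 53 995 9987 }"
udp_out_pass = "{ 53 }"
pass out on $ext_if proto tcp to any port $udp_out_pass keep state
pass in on $ext_if proto tcp to any port $udp_in_pass keep state
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')
LIST_RE = re.compile(r'\{([^}]*)\}')


def parse_conf(text):
    """Split a pf.conf string into (macros, declared table names, rule lines)."""
    macros, tables, rules = {}, set(), []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line.startswith('table '):
            tables.add(re.search(r'<(\w+)>', line).group(1))
        else:
            rules.append(line)
    return macros, tables, rules


def substitute_macros(line, macros):
    """pf macro expansion is purely textual: $name becomes its string value."""
    def repl(m):
        if m.group(1) not in macros:
            raise ValueError(f'undefined macro ${m.group(1)}')
        return macros[m.group(1)]
    return re.sub(r'\$(\w+)', repl, line)


def expand_lists(line):
    """Turn every { a, b c } into one rule per element, as pfctl -sr prints them."""
    m = LIST_RE.search(line)
    if not m:
        return [line]
    items = [i for i in re.split(r'[\s,]+', m.group(1).strip()) if i]
    return [r for it in items
            for r in expand_lists(line[:m.start()] + it + line[m.end():])]


def expand(text):
    """Full expansion of a pf.conf string into flat rules."""
    macros, _, rules = parse_conf(text)
    return [r for rule in rules for r in expand_lists(substitute_macros(rule, macros))]


def lint(text):
    """Findings: proto tcp/udp rules fed from a macro named for the other
    protocol (naming heuristic), and <tables> used without a declaration."""
    _, tables, rules = parse_conf(text)
    findings = []
    for rule in rules:
        proto = re.search(r'\bproto\s+(tcp|udp)\b', rule)
        for ref in re.findall(r'\$(\w+)', rule):
            hint = ref.split('_')[0]
            if proto and hint in ('tcp', 'udp') and hint != proto.group(1):
                findings.append(f'proto {proto.group(1)} but ports from ${ref}: {rule}')
        for tbl in re.findall(r'<(\w+)>', rule):
            if tbl not in tables:
                findings.append(f'table <{tbl}> used but never declared: {rule}')
    return findings


if __name__ == '__main__':
    for finding in lint(ORIGINAL_UDP_LINES):
        print('original:', finding)
    for rule in expand(CORRECTED_CONF):
        print(rule)
```

The expander is only a reading aid; the authoritative check is still pf itself: `pfctl -nf /etc/pf.conf` parses the file without loading it (it would have rejected the `<fail2ban>` reference before the table was declared), and `pfctl -sr` after a load prints the expanded rules, where `proto tcp ... port 9987` would have stood out.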

----------

