OpenBSD Security Functionally paranoid!
authpf, authpf.rules unable to modify filters
Hello all:
I am wondering if anyone has seen symptoms like these. I use authpf to open access to users who authenticate to our firewall. Since we have many different groups to manage, I have created /etc/authpf/users/Templates where I keep rulesets for the different groups and then in individual users' /etc/authpf/users/Username directories I just create a symbolic link to the appropriate file in Templates. It's worked for quite a while.

Today a user called and said that their putty session would close immediately after they had logged in. In /var/log/daemon I saw:

May 8 11:47:02 our-fw authpf[14121]: pfctl exited abnormally

First I logged in with my authpf account and had no trouble getting authenticated. Since my account links to a different ruleset file, I then created an account that linked to the same ruleset as my other user and got this when I logged in:

pfctl: DIOCXCOMMIT: Device busy
Unable to modify filters

After some tinkering, it seems that if I have a table defined in the authpf ruleset file, pfctl can't load the changes. I suspect that if I reboot our firewall, this will go away but I'd like to see if I can diagnose the problem better. Any suggestions on other things to investigate?

thx
kmb

Last edited by kbeaucha; 8th May 2012 at 08:33 PM. Reason: correct typo.
Hah. No wonder only one hit. Well, two, but duplicate finds. You had a typo in your error message. Try Googling with "pfctl" instead of "pftcl". Lots more hits. Including the pf(4) man page. Highlight mine:
Quote:
Sorry - finger trouble. Just washed my hands and can't do a thing with 'em.
So, one possibility is that another process is updating the same rules, which makes me look at my sym-linking of ruleset files. But..., as far as I know we've had multiple users in the same group (same linked file) online simultaneously before with no issues.

kmb
Still thinking about the linking and realized that I may have excluded the possibility of this being the problem.
When I wanted to do more testing I copied user.rules to broken.rules - and my test account was the only one linked to that file.
1. What's the output of $ ls -l /sbin/pfctl ?
-r-xr-xr-x 1 root bin 528664 Aug 17 2011 /sbin/pfctl

2. What's the output of $ sysctl kern.version ?

kern.version=OpenBSD 5.0 (GENERIC.MP) #63: Wed Aug 17 10:14:30 MDT 2011 deraadt@amd64.openbsd.org:/usr/src/s...ile/GENERIC.MP
OK ... pfctl and the kernel are in sync, you do not appear to have a Frankensystem.
At this point I believe you have five options you may select from. And you may select more than one.
Oops, forgot to add helpful links, on problem reporting and using the mailing lists:
http://www.openbsd.org/report.html
http://www.openbsd.org/mail.html
I just tried to recheck my main ruleset with "sudo pfctl -nf /etc/pf.conf" and got this message:
pfctl: Current pool size exceeds requested hard limit
Once again -- forget to give you a link. Defaults are described here in the PF User's Guide:
http://www.openbsd.org/faq/pf/options.html
I wanted to see if I could free up some memory space without restarting the firewall.
The man page for pfctl says I can use -F to flush specific types of items, including states but I couldn't see how to report what the current usage level is. I was interested in this because if I'm going to set the option I want to have an idea of what the system is using now.
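The usage check asked about in the post above, as an added example that is not part of the thread: on OpenBSD, `pfctl -s memory` prints the hard limits for each pf pool and `pfctl -s info` reports the current number of state-table entries. The script parses constructed sample copies of both outputs (so it runs offline) and reports how much room a proposed `set limit states` value would leave, flagging the case behind "Current pool size exceeds requested hard limit", which pfctl returns when the limit being requested is smaller than the pool's live size.

```shell
#!/bin/sh
# Added example (not from the thread): compare pf's current state-table usage
# against the hard limit from "pfctl -s memory" before changing "set limit".
# On a live OpenBSD firewall the two inputs would come from:
#   pfctl -s memory   (hard limits)   and   pfctl -s info   (current entries)
# Both are CONSTRUCTED sample outputs here so the script runs anywhere.

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

SAMPLE_INFO='Status: Enabled for 12 days 03:11:42           Debug: err

State Table                          Total             Rate
  current entries                     9650
  searches                      1402331123         1338.0/s
  inserts                         40312211           38.5/s
  removals                        40302561           38.4/s'

# state_limit MEMORY_TEXT -> hard limit of the "states" pool
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4 }'
}

# current_states INFO_TEXT -> entries currently held in the state table
current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# headroom MEMORY_TEXT INFO_TEXT [REQUESTED_LIMIT]
# Prints "ok <free>" when the requested limit (default: the configured hard
# limit) still leaves room, or "busy <excess>" when the pool already holds
# more entries than the limit you are about to request, which is when pfctl
# answers "Current pool size exceeds requested hard limit". In that case
# expire or flush states first (pfctl -F states) or request a larger value.
headroom() {
    limit=$(state_limit "$1")
    cur=$(current_states "$2")
    want=${3:-$limit}
    if [ "$cur" -gt "$want" ]; then
        echo "busy $((cur - want))"
    else
        echo "ok $((want - cur))"
    fi
}

headroom "$SAMPLE_MEMORY" "$SAMPLE_INFO"        # ok 350
headroom "$SAMPLE_MEMORY" "$SAMPLE_INFO" 5000   # busy 4650
```

Run the two `pfctl` commands with `sudo` and feed their output to `headroom` in place of the samples; the "current entries" figure is the live size the kernel checks the new limit against, so a reload that fails with the pool-size error will keep failing until that number drops below the requested limit.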
I ran pfctl -vs and saved the output, but I could not map the entries there to a particular pool used by pf. At the same time I had more users calling with problems, so first I tried:

sudo pfctl -F all
sudo pfctl -f /etc/pf.conf

which just returned the same "pfctl: Current pool size exceeds requested hard limit" message. Then:

sudo pfctl -d
sudo pfctl -e

which didn't make any difference either. After that I rebooted the whole firewall. The problem is gone (for now). Thanks for your help.

kmb

Last edited by kbeaucha; 10th May 2012 at 07:20 PM. Reason: Add the disable/enable steps
Omitting the Filters and States info, here's the contents:
Quote: