thedude
November 11th, 2004, 18:02
Upgraded to 3.6. Get this error every time I want to check my ruleset:
puffy# pfctl -f /etc/pf.conf
pfctl: /etc/pf.os: No such file or directory


Here's my pf.conf. Also, NONE of my machines can see each other on the network. Getting frustrated :(
#Interfaces

external = "vr0"
internal = "xl0"
private = "{10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/24, 192.168.1.0/24, 255.255.255.255/32}"

#Scrub
scrub in all fragment reassemble
scrub out all

#Nat
nat on $external from 192.168.2/24 to any ->$external

#That which is not expressly permitted is denied
block in on $external all


#Block non-routable addresses
block in quick on $external from $private to any
block out quick on $internal from any to $private

#Block and reset connection on auth requests
block return-rst in on $external proto tcp from any to any port =auth flags S/S

#block all outgoing except traffic I've initiated from behind
#the firewall and are keeping state on = all legit traffic
pass out on $external inet proto tcp all flags S/SA keep state
pass out on $external inet proto { udp, icmp } all keep state

bsdjunkie
November 11th, 2004, 18:14
pf.os is part of the passive OS fingerprinting from p0f. You can install p0f from ports, which I think should give you it, or grab it off OpenBSD's website.
Also, I don't think there has to be anything in it unless you are using OS identification, so maybe doing a touch /etc/pf.os will stop it from complaining.

Strog
November 12th, 2004, 00:56
pf.os has been part of pf since 3.4 (http://www.openbsd.org/cgi-bin/man.cgi?query=pf.os&apropos=0&sektion=0&manpath=OpenBSD+3.4&arch=i386&format=html). Sounds like you didn't extract etc36.tgz when you upgraded. Creating an empty file would fix the error too, but you might want to see what else has been updated in /etc as well.

While there are legit uses for it (redirecting clients to appropriate tune-up pages and the like), most people that use it block Windows clients because they can. I suppose if I had OS X, Linux, BSD, Windows, etc. specific webpages then I might find a use for it. I suppose you could use it in combination with Snort and regex to detect infected clients and redirect them to a fixit page. The man page has an example of a custom scrub rule depending on the client.
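
The advice above (check what else in /etc the skipped etc36.tgz would have updated, not just pf.os) can be scripted. The following is an added example, not code from any poster in this thread or from OpenBSD: it unpacks a set tarball into scratch space and reports which of its files are missing from, or differ from, the live /etc. The function names and the sample tarball built by make_sample are constructed for the demo; on a real box you would point audit_etc_set at the etc36.tgz from the release directory and at / as the root.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenBSD etcXX.tgz set against a
# live /etc, so a set that was never extracted (the /etc/pf.os case above) shows
# up as a list of missing or changed files rather than as a pfctl error.
# All function names and the fixture below are constructed for this demo.

# audit_etc_set TARBALL [ROOT]
#   Unpacks TARBALL into scratch space and prints one line per regular file in
#   it: "MISSING /path" when ROOT (default /) lacks the file, "CHANGED /path"
#   when the copy under ROOT has different contents. Identical files are silent.
audit_etc_set() {
    tarball=$1
    root=${2:-/}
    case $tarball in /*) ;; *) tarball=$PWD/$tarball ;; esac   # tar runs after a cd
    scratch=$(mktemp -d) || return 2
    (cd "$scratch" && tar xzf "$tarball") || { rm -rf "$scratch"; return 2; }
    (
        cd "$scratch" || exit 2
        find . -type f | sort | while read -r f; do
            rel=${f#./}                             # e.g. etc/pf.os
            if [ ! -e "$root/$rel" ]; then
                echo "MISSING /$rel"
            elif [ "$(cksum < "$f")" != "$(cksum < "$root/$rel")" ]; then
                echo "CHANGED /$rel"
            fi
        done
    )
    rm -rf "$scratch"
}

# missing_count TARBALL [ROOT] -- how many files from the set are absent
missing_count() {
    audit_etc_set "$1" "${2:-/}" | grep -c '^MISSING '
}

# make_sample -- constructed fixture: a fake etc36.tgz holding pf.os, daily and
# hosts, plus a fake root that has no pf.os and an older daily. Prints the
# work directory so callers can point audit_etc_set at it.
make_sample() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/set/etc" "$work/root/etc"
    printf '# constructed pf.os stub\n' > "$work/set/etc/pf.os"
    printf 'new daily script\n'        > "$work/set/etc/daily"
    printf '127.0.0.1 localhost\n'     > "$work/set/etc/hosts"
    printf 'old daily script\n'        > "$work/root/etc/daily"
    printf '127.0.0.1 localhost\n'     > "$work/root/etc/hosts"
    (cd "$work/set" && tar czf "$work/etc36.tgz" ./etc) || return 2
    echo "$work"
}

# Stand-alone run against the fixture; on a real box you would call
#   audit_etc_set /path/to/etc36.tgz /
demo=$(make_sample) && audit_etc_set "$demo/etc36.tgz" "$demo/root"
rm -rf "$demo"
```

Against the fixture the report is one MISSING line for /etc/pf.os and one CHANGED line for /etc/daily; hosts is identical and stays silent. Files reported CHANGED are the ones to merge by hand rather than overwrite, since they may carry local edits (pf.conf itself would normally show up there).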

thedude
November 12th, 2004, 01:07
Nah, just for home :D Added the empty file as suggested above and no more errors.

Anybody want to take a look at my post in the Networking forum and hazard a guess as to why my home machines can only ping the firewall and the WAP?