November 11th, 2004, 18:02
Upgraded to 3.6 Get this error every time I want check my ruleset
puffy# pfctl -f /etc/pf.conf
pfctl: /etc/pf.os: No such file or directory

Here's my pf.conf. Also, NONE of my machine scna see each othrer on the network. Getting frustrated :(

external = "vr0"
internal = "xl0"
private = "{,,,,,}"

scrub in all fragment reassemble
scrub out all

nat on $external from 192.168.2/24 to any ->$external

#That which is not expressly permitted is denied
block in on $external all

#Block non-routable addresses
block in quick on $external from $private to any
block out quick on $internal from any to $private

#Block and reset connection on auth requests
block return-rst in on $external proto tcp from any to any port =auth flags S/S

#block all outgoing except traffice I've initiated from behind
#the firewall and are keeping state on = all legit traffic
pass out on $external inet proto tcp all flags S/SA keep state
pass out on $external inet proto { udp, icmp } all keep state

November 11th, 2004, 18:14
pf.os is part of the passive os fingerprinting from p0f. You can install p0f from ports which I think should give you it, or grab off openbsd's website.
Also, I dont think there has to be anything in it unless you are using OS identification, so maybe doing a touch /etc/pf.os will stop it from complaining.

November 12th, 2004, 00:56
pf.os has been part of pf since 3.4 ( Sounds like you didn't extract etc36.tgz when you upgraded. Creating an empty file would fix the error too but you might want to see what else has been updated in /etc too. :squarewin

While there's legit uses for it (redirecting clients to appropriate tune up pages and the like), most people that use it block windows clients because they can. I suppose if I had OS X, Linux, BSD, Windows, etc. specific webpages then I might find a use for it. I suppose you could use it in combination with Snort and regex to detect infected clients and redirect them to a fixit page. The man page has an example of a custom scrub rule depending on the client.

November 12th, 2004, 01:07
Nah, just for home :D Added the empty file as suggested above and no more errors.

Anybody want to take a look at my post in the Networking forum and hazard a guess as to why my home machines can only ping the firewall and the WAP?