Latest snapshots (i386,full) DIOCADDRULE device busy+cannot define table bogons
-
Can you post a copy of your /tmp/rules.debug file which gives you those errors?
-
Hi jimp,
sorry for the delay.
I'm not able to post a log from the machine which is running the current snapshot (where, besides the DIOCADDRULE device busy errors, the can't define bogons error also appears). But here is the rules.debug from the Oct 12 snapshot (the 2nd log I posted in my first post).
I hope this helps too, because the DIOCADDRULE device busy errors first appeared for me when I upgraded to this snapshot (from early Sept).
The config, other than interface naming, is identical to the other machine running 6 Nov., which is shut off at the moment.
Thank you very much!
#System aliases
loopback = "{ lo0 }"
UPC = "{ bge1 }"
LAN = "{ em1 }"
AON = "{ em0 }"
UPC_ASYNC = "{ fxp0 }"
MAIL = "{ fxp1 }"
WIFI_GUEST = "{ em2_vlan8 }"
WIFI_VIP = "{ em2_vlan16 }"
IPsec = "{ enc0 }"
OpenVPN = "{ openvpn }"
#SSH Lockout Table
table <sshlockout> persist
#Snort2C table
table <snort2c>
table <virusprot>
# User Aliases
table <akjfdb> { 192.168.0.40 }
akjfdb = "<akjfdb>"
table <remotesites> { 192.168.9.0/24 192.168.13.0/24 192.168.11.0/24 192.168.12.0/24 }
RemoteSites = "<remotesites>"
Avira = "{ 7000:9000 }"
table <backup1> { 192.168.0.240 }
Backup1 = "<backup1>"
table <printer> { 192.168.0.67 192.168.0.100 192.168.0.50 192.168.0.4 }
Printer = "<printer>"
table <cen_lan> { 192.168.0.0/24 192.168.111.0/24 }
CEN_LAN = "<cen_lan>"
table <mailserver> { 192.168.0.30 }
mailserver = "<mailserver>"
table <maint> { 192.168.0.31 }
Maint = "<maint>"
table <maxnet> { 192.168.1.0/24 192.168.100.0/24 10.0.10.0/24 }
Maxnet = "<maxnet>"
table <mssql> { 192.168.0.150 }
mssql = "<mssql>"
table <mx_upc> { <2nd_ip_UPCIF_SUBNET> }
mx_upc = "<mx_upc>"
table <openvpnemployes> { 10.0.9.0/24 }
OpenVPNEmployes = "<openvpnemployes>"
table <openvpntech> { 10.0.10.0/24 }
OpenVPNTech = "<openvpntech>"
samba = "{ 139 445 137 138 }"
SQL = "{ 1031 80 1434 1662 }"
table <storage1> { 192.168.0.239 }
storage1 = "<storage1>"
table <uul_lan> { 192.168.1.0/24 192.168.100.0/24 }
UUL_LAN = "<uul_lan>"
table <winsrv1> { 192.168.0.240 }
WinSRV1 = "<winsrv1>"
# Gateways
GWGW_UPC = " route-to ( bge1 <gw_upc_ip> ) "
GWGW_AON = " route-to ( em0 <gw_aon_ip> ) "
GWLANCOM_LAN = " route-to ( em1 192.168.0.2 ) "
GWUPC_GW_ASYNC = " route-to ( fxp0 <gw_upcasync_ip> ) "
GWLoadBalance = " route-to { ( fxp0 <gw_upcasync_ip> ) } "
GWmx_failover = " route-to { ( bge1 <gw_upc_ip> ) } "
set loginterface bge1
set loginterface em1
set loginterface em0
set loginterface fxp0
set loginterface fxp1
set loginterface em2_vlan8
set loginterface em2_vlan16
set optimization conservative
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
set limit states 299000
set limit src-nodes 299000
set skip on pfsync0
scrub in on $UPC all no-df fragment reassemble
scrub in on $LAN all no-df fragment reassemble
scrub in on $AON all no-df fragment reassemble
scrub in on $UPC_ASYNC all no-df fragment reassemble
scrub in on $MAIL all no-df fragment reassemble
scrub in on $WIFI_GUEST all no-df fragment reassemble
scrub in on $WIFI_VIP all no-df fragment reassemble
altq on em0 hfsc bandwidth 8Mb queue { qACK, qDefault, qOthersHigh, qOthersLow, qUltraHigh }
queue qACK on em0 bandwidth 30% hfsc ( ecn )
queue qDefault on em0 bandwidth 15% hfsc ( ecn )
queue qOthersHigh on em0 bandwidth 25% hfsc ( rio , ecn )
queue qOthersLow on em0 bandwidth 5% hfsc ( ecn , default )
queue qUltraHigh on em0 bandwidth 25% hfsc ( rio , ecn , realtime 1500Kb )
altq on fxp0 hfsc bandwidth 1024Kb queue { qACK, qDefault, qOthersHigh, qOthersLow }
queue qACK on fxp0 bandwidth 20% hfsc ( ecn )
queue qDefault on fxp0 bandwidth 30% hfsc ( ecn )
queue qOthersHigh on fxp0 bandwidth 35% hfsc ( ecn , linkshare 35% )
queue qOthersLow on fxp0 bandwidth 5% hfsc ( ecn , default )
altq on em1 hfsc bandwidth 16Mb queue { qInternet }
queue qInternet on em1 bandwidth 16Mb hfsc ( ecn , linkshare (15Mb, 100, 16Mb) , upperlimit 16Mb ) { qACK, qDefault, qOthersHigh, qOthersLow, qUltraHigh }
queue qACK on em1 bandwidth 25% hfsc ( rio , ecn )
queue qDefault on em1 bandwidth 20% hfsc ( ecn )
queue qOthersHigh on em1 bandwidth 20% hfsc ( rio , ecn )
queue qOthersLow on em1 bandwidth 5% hfsc ( ecn , default )
queue qUltraHigh on em1 bandwidth 20% hfsc ( rio , ecn , realtime 1500Kb )
altq on bge1 hfsc bandwidth 8Mb queue { qACK, qDefault, qOthersHigh, qOthersLow }
queue qACK on bge1 bandwidth 25% hfsc ( ecn )
queue qDefault on bge1 bandwidth 30% hfsc ( ecn , default , linkshare 30% )
queue qOthersHigh on bge1 bandwidth 40% hfsc ( rio , ecn , linkshare 40% )
queue qOthersLow on bge1 bandwidth 5% hfsc ( ecn , linkshare 5% )
altq on fxp1 hfsc bandwidth 8Mb queue { qInternet }
queue qInternet on fxp1 bandwidth 8Mb hfsc ( ecn , upperlimit 8Mb ) { qACK, qDefault, qOthersHigh, qOthersLow }
queue qACK on fxp1 bandwidth 25% hfsc ( ecn )
queue qDefault on fxp1 bandwidth 20% hfsc ( ecn , default )
queue qOthersHigh on fxp1 bandwidth 50% hfsc ( rio , ecn )
queue qOthersLow on fxp1 bandwidth 5% hfsc ( ecn , linkshare 5% )
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules
nat on $UPC from 192.168.222.2/32 to !<backuphost_ip>/32 -> <2nd_ip_UPCIF_SUBNET>/32 port 1024:65535
nat on $UPC from 192.168.0.239/32 to any -> <2nd_ip_UPCIF_SUBNET>/32 port 1024:65535
nat on $UPC from 192.168.0.0/24 to any -> <1st_ip_UPCIF_SUBNET>/32 port 1024:65535
nat on $AON from 192.168.0.0/24 to any -> <1st_ip_AON_SUBNET>/32 port 1024:65535
nat on $UPC_ASYNC from 192.168.0.0/24 to any -> <ip_upcasync_subnet>/32 port 1024:65535
nat on $UPC_ASYNC from 192.168.222.2/32 to any -> <ip_upcasync_subnet>/32 port 1024:65535
nat on $AON from 192.168.222.2/32 to !<backuphost_ip>/32 -> <2nd_ip_AON_SUBNET>/32 port 1024:65535
nat on $AON from 192.168.222.2/32 to <backuphost_ip>/32 -> <1st_ip_AON_SUBNET>/32 port 1024:65535
nat on $UPC_ASYNC from 192.168.16.0/24 to any -> <ip_upcasync_subnet>/32 port 1024:65535
nat on $UPC from 192.168.16.0/24 to any -> <1st_ip_UPCIF_SUBNET>/32 port 1024:65535
nat on $AON from 192.168.8.0/24 to any -> <1st_ip_AON_SUBNET>/32 port 1024:65535
nat on $UPC_ASYNC from 192.168.8.0/24 to any -> <ip_upcasync_subnet>/32 port 1024:65535
nat on $UPC from 192.168.8.0/24 to any -> <1st_ip_UPCIF_SUBNET>/32 port 1024:65535
nat on $AON from 192.168.16.0/24 to any -> <1st_ip_AON_SUBNET>/32 port 1024:65535
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <vpns> { 192.168.11.0/24 192.168.13.0/24 192.168.9.0/24 192.168.11.0/24 192.168.13.0/24 192.168.9.0/24 }
table <direct_networks> { <upcif_network>/28 192.168.0.0/24 <aonif_network>/29 <upcasync_network>/29 192.168.222.0/30 192.168.8.0/24 192.168.16.0/24 }
# NAT Inbound Redirects
rdr on bge1 proto tcp from any to <2nd_ip_UPCIF_SUBNET> port 443 -> 192.168.222.2
rdr on bge1 proto tcp from any to <2nd_ip_UPCIF_SUBNET> port 993 -> 192.168.222.2
rdr on bge1 proto tcp from any to <2nd_ip_UPCIF_SUBNET> port 5729 -> 192.168.222.2
rdr on bge1 proto tcp from any to <2nd_ip_UPCIF_SUBNET> port 5767 -> 192.168.222.2
rdr on bge1 proto tcp from any to <2nd_ip_UPCIF_SUBNET> port 25 -> 192.168.222.2
rdr on bge1 proto tcp from any to <2nd_ip_UPCIF_SUBNET> port 465 -> 192.168.222.2
rdr on bge1 proto tcp from any to <2nd_ip_UPCIF_SUBNET> port 80 -> 192.168.222.2
rdr on em0 proto tcp from any to <2nd_ip_AON_SUBNET> port 25 -> 192.168.222.2
rdr on em0 proto tcp from any to <2nd_ip_AON_SUBNET> port 465 -> 192.168.222.2
rdr on em0 proto tcp from any to <3rd_ip_AON_SUBNET> port 465 -> 192.168.222.2
rdr on em0 proto tcp from any to <3rd_ip_AON_SUBNET> port 25 -> 192.168.222.2
rdr on em0 proto tcp from any to <3rd_ip_AON_SUBNET> port 587 -> 192.168.222.2
rdr on em0 proto tcp from any to <2nd_ip_AON_SUBNET> port 587 -> 192.168.222.2
rdr on em0 proto tcp from any to <2nd_ip_AON_SUBNET> port 5729 -> 192.168.222.2
rdr on em0 proto tcp from any to <2nd_ip_AON_SUBNET> port 5767 -> 192.168.222.2
rdr on em0 proto tcp from any to <2nd_ip_AON_SUBNET> port 993 -> 192.168.222.2
rdr on em0 proto tcp from any to <2nd_ip_AON_SUBNET> port 443 -> 192.168.222.2
rdr on em0 proto tcp from any to <2nd_ip_AON_SUBNET> port 80 -> 192.168.222.2
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"
anchor "firewallrules"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# Block all IPv6
block in quick inet6 all
block out quick inet6 all
# snort2c
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# package manager early specific hook
anchor "packageearly"
# carp
anchor "carp"
block in log quick proto carp from (self) to any
pass quick proto carp
pass quick proto pfsync
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 65002 label "sshlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
block in log quick on $UPC from <bogons> to any label "block bogon networks from UPC"
antispoof for bge1
# block anything from private networks on interfaces with the option set
antispoof for $UPC
block in log quick on $UPC from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $UPC from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $UPC from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $UPC from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for em1
# allow access to DHCP server on LAN
anchor "dhcpserverLAN"
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.0.3 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.0.3 port = 67 to any port = 68 label "allow access to DHCP server"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "opt1bogons"
block in log quick on $AON from <bogons> to any label "block bogon networks from AON"
antispoof for em0
# block anything from private networks on interfaces with the option set
antispoof for $AON
block in log quick on $AON from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $AON from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $AON from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $AON from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "opt2bogons"
block in log quick on $UPC_ASYNC from <bogons> to any label "block bogon networks from UPC_ASYNC"
antispoof for fxp0
# block anything from private networks on interfaces with the option set
antispoof for $UPC_ASYNC
block in log quick on $UPC_ASYNC from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $UPC_ASYNC from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $UPC_ASYNC from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $UPC_ASYNC from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for fxp1
antispoof for em2_vlan8
# allow access to DHCP server on WIFI_GUEST
anchor "dhcpserverWIFI_GUEST"
pass in on $WIFI_GUEST proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $WIFI_GUEST proto udp from any port = 68 to 192.168.8.1 port = 67 label "allow access to DHCP server"
pass out on $WIFI_GUEST proto udp from 192.168.8.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for em2_vlan16
# allow access to DHCP server on WIFI_VIP
anchor "dhcpserverWIFI_VIP"
pass in on $WIFI_VIP proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $WIFI_VIP proto udp from any port = 68 to 192.168.16.1 port = 67 label "allow access to DHCP server"
pass out on $WIFI_VIP proto udp from 192.168.16.1 port = 67 to any port = 68 label "allow access to DHCP server"
anchor "spoofing"
# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( bge1 <gw_upc_ip> ) from <1st_ip_UPCIF_SUBNET> to !<upcif_network>/28 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 <gw_aon_ip> ) from <1st_ip_AON_SUBNET> to !<aonif_network>/29 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( fxp0 <gw_upcasync_ip> ) from <ip_upcasync_subnet> to !<upcasync_network>/29 keep state allow-opts label "let out anything from firewall host itself"
pass out on $IPsec all keep state label "IPsec internal host to host"
# User-defined rules follow
pass in quick proto tcp from any to any port 25 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: SMTP Rein "
pass out quick proto tcp from any to any port 25 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: SMTP Raus "
pass out quick proto tcp from any port 5556 to any flags S/SA keep state queue (qOthersHigh,qACK) label "USER_RULE: Webinterface remote access"
pass out quick proto { tcp udp } from any to $UUL_LAN keep state queue (qDefault) label "USER_RULE: Uul_lan out"
pass in quick proto { tcp udp } from $UUL_LAN to any keep state queue (qDefault) label "USER_RULE: Uul_lan in"
pass out quick proto udp from any to any port 53 keep state queue (qDefault) label "USER_RULE: DNS out"
pass out quick proto tcp from any port 5556 to any flags S/SA keep state queue (qOthersHigh,qACK) label "USER_RULE: Webinterface out"
pass out quick inet proto icmp from any to any icmp-type echoreq keep state queue (qOthersHigh) label "USER_RULE: ICMP ECHO out"
pass out proto tcp from any to any port 8080 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: HTTP 8080"
pass out quick proto tcp from any to any port 80 flags S/SA keep state queue (qDefault,qACK) label "USER_RULE: HTTP"
pass out quick proto tcp from any to any port 443 flags S/SA keep state queue (qDefault,qACK) label "USER_RULE: HTTPS"
pass out proto tcp from any to any port 8008 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: HTTP 8008"
pass out quick proto tcp from any to any port 21 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: FTP"
pass out quick proto tcp from any to ! <backuphost_ip> port 22 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: SSH"
pass out quick proto tcp from any to <backuphost_ip> port 22 flags S/SA keep state queue (qOthersHigh,qACK) label "USER_RULE: SSH"
pass out quick proto tcp from any to <backuphost_ip> port 873 flags S/SA keep state queue (qOthersHigh,qACK) label "USER_RULE: Rsync"
pass out quick proto tcp from any to any port 143 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: IMAP out"
pass out quick proto tcp from any to any port 993 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: IMAPS out"
pass out quick proto tcp from any to any port 110 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: POP3 out"
pass out quick proto tcp from any to any port 995 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: POP3s out"
pass out quick proto tcp from any to any port 465 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: SMTPs out"
pass out quick proto tcp from any to any port 587 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: SMTP TLS out"
pass out quick proto { tcp udp } from any to any port 2683 keep state queue (qDefault) label "USER_RULE: ELBA 1 out"
pass out quick proto { tcp udp } from any to any port 3048 keep state queue (qDefault) label "USER_RULE: ELBA 2 out"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to <1st_ip_UPCIF_SUBNET> port 5556 flags S/SA keep state queue (qACK,qDefault) label "USER_RULE: Webinterface remote access"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to <1st_ip_UPCIF_SUBNET> port 65002 flags S/SA keep state label "USER_RULE: SSH remote access"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) inet proto icmp from any to <1st_ip_UPCIF_SUBNET> icmp-type echoreq keep state label "USER_RULE: ECHO"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) inet proto icmp from any to <1st_ip_UPCIF_SUBNET> icmp-type echorep keep state label "USER_RULE: ECHO REPLY"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto udp from ! $CEN_LAN to <1st_ip_UPCIF_SUBNET> port 1194 keep state label "USER_RULE: OpenVPN Mitarbeiter"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto udp from any to <1st_ip_UPCIF_SUBNET> port 12002 keep state label "USER_RULE: OpenVPN Tech"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) inet proto icmp from any to $mx_upc icmp-type echoreq keep state label "USER_RULE: ECHO mx_upc"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to 192.168.222.2 port 443 flags S/SA keep state label "USER_RULE: NAT HTTPS Scalix"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to 192.168.222.2 port 993 flags S/SA keep state label "USER_RULE: NAT IMAPS Scalix"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to 192.168.222.2 port 5729 label "USER_RULE: NAT UAL Scalix"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to 192.168.222.2 port 5767 flags S/SA keep state queue (qOthersHigh,qACK) label "USER_RULE: NAT UALS Scalix"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to 192.168.222.2 port 25 flags S/SA keep state queue (qACK,qOthersLow) label "USER_RULE: NAT SMTP"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to 192.168.222.2 port 465 label "USER_RULE: NAT SMTPS"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to 192.168.222.2 port 80 flags S/SA keep state label "USER_RULE: NAT HTTP Scalix"
pass in quick on $UPC reply-to ( bge1 <gw_upc_ip> ) proto tcp from any to 192.168.222.2 port 389 label "USER_RULE: NAT LDAP Scalix"
block in quick on $WIFI_VIP from any to $CEN_LAN label "USER_RULE: block -> intranet"
block in quick on $WIFI_VIP from any to $RemoteSites label "USER_RULE: block -> RemoteSites"
block in quick on $WIFI_VIP from any to $Maxnet label "USER_RULE: block -> Maxnet"
block in quick on $WIFI_VIP from any to $OpenVPNEmployes label "USER_RULE: block -> OpenVPNEmployes"
pass in quick on $WIFI_VIP proto { tcp udp } from any to any port 53 keep state label "USER_RULE: DNS"
pass in quick on $WIFI_VIP from any to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_VIP $GWLoadBalance from any to any keep state label "USER_RULE"
block in quick on $WIFI_GUEST from any to $CEN_LAN label "USER_RULE: block -> intranet"
block in quick on $WIFI_GUEST from any to $RemoteSites label "USER_RULE: block -> RemoteSites"
block in quick on $WIFI_GUEST from any to $Maxnet label "USER_RULE: block -> Maxnet"
block in quick on $WIFI_GUEST from any to $OpenVPNEmployes label "USER_RULE: block -> OpenVPNEmployes"
pass in quick on $WIFI_GUEST proto { tcp udp } from any to any port 53 keep state label "USER_RULE: DNS"
pass in quick on $WIFI_GUEST proto { tcp udp } from any to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto { tcp udp } from any to any port 80 keep state label "USER_RULE: HTTP"
pass in quick on $WIFI_GUEST proto { tcp udp } from any to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto { tcp udp } from any to any port 8080 keep state label "USER_RULE: HTTP 8080"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 443 flags S/SA keep state label "USER_RULE: HTTPS"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 21 flags S/SA keep state label "USER_RULE: FTP"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 143 flags S/SA keep state label "USER_RULE: IMAP"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 993 flags S/SA keep state label "USER_RULE: IMAPS"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 110 flags S/SA keep state label "USER_RULE: POP3"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 995 flags S/SA keep state label "USER_RULE: POP3S"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 25 flags S/SA keep state label "USER_RULE: SMTP"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 465 flags S/SA keep state label "USER_RULE: SMTPS"
pass in quick on $WIFI_GUEST proto tcp from any to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance proto tcp from any to any port 587 flags S/SA keep state label "USER_RULE: SMTP TLS"
pass in quick on $WIFI_GUEST inet proto icmp from any to any icmp-type echoreq keep state label "USER_RULE: ECHO"
pass in quick on $WIFI_GUEST from any to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $WIFI_GUEST $GWLoadBalance from any to any keep state label "USER_RULE"
block in quick on $MAIL from any to $RemoteSites label "USER_RULE"
block in quick on $MAIL proto tcp from any to 192.168.0.0/24 label "USER_RULE"
pass in quick on $MAIL $GWGW_AON proto tcp from any to ! $CEN_LAN port 22 flags S/SA keep state queue (qOthersHigh,qACK) label "USER_RULE"
pass in quick on $MAIL $GWGW_AON proto tcp from any to ! $CEN_LAN port 873 flags S/SA keep state queue (qOthersHigh,qACK) label "USER_RULE"
pass in quick on $MAIL $GWmx_failover proto tcp from any to ! $CEN_LAN port 25 flags S/SA keep state queue (qOthersLow,qACK) label "USER_RULE: SMTP raus"
pass in quick on $MAIL from any to ! $CEN_LAN keep state label "USER_RULE"
block in quick on $UPC_ASYNC reply-to ( fxp0 <gw_upcasync_ip> ) proto udp from any to 255.255.255.255 port 68 label "USER_RULE: Silence UPC dhcp offers"
pass in quick on $UPC_ASYNC reply-to ( fxp0 <gw_upcasync_ip> ) inet proto icmp from any to any icmp-type echorep keep state label "USER_RULE: ICMP ECHO REPLY"
pass in quick on $UPC_ASYNC reply-to ( fxp0 <gw_upcasync_ip> ) inet proto icmp from any to any icmp-type echoreq keep state label "USER_RULE: ICMP ECHO"
pass in quick on $UPC_ASYNC reply-to ( fxp0 <gw_upcasync_ip> ) proto tcp from any to <ip_upcasync_subnet> port 5556 flags S/SA keep state queue (qACK,qOthersHigh) label "USER_RULE: Webinterface remote access"
pass in quick on $UPC_ASYNC reply-to ( fxp0 <gw_upcasync_ip> ) proto tcp from any to <ip_upcasync_subnet> port 65002 flags S/SA keep state queue (qACK,qOthersHigh) label "USER_RULE: SSH access"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 587 label "USER_RULE: NAT 587 mx_aon"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to <1st_ip_AON_SUBNET> port 5556 flags S/SA keep state label "USER_RULE: Webinterface remote access"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to <1st_ip_AON_SUBNET> port 65002 flags S/SA keep state label "USER_RULE: SSH remote access"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) inet proto icmp from any to <1st_ip_AON_SUBNET> icmp-type echoreq keep state label "USER_RULE: ECHO"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) inet proto icmp from any to any icmp-type echorep keep state label "USER_RULE: ECHO REPLY"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto { tcp udp } from any to <1st_ip_AON_SUBNET> port 12002 keep state label "USER_RULE: OpenVPN Tech wizard rules."
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto udp from ! $CEN_LAN to <1st_ip_AON_SUBNET> port 1194 keep state label "USER_RULE: OpenVPN Mitarbeiter"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 25 label "USER_RULE: NAT SMTP mx_aon"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 465 label "USER_RULE: NAT SMTPS mx_aon"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 465 label "USER_RULE: NAT SMTPS mx2"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 25 label "USER_RULE: NAT SMTP mx2"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 587 label "USER_RULE: NAT 587 mx2"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 5729 label "USER_RULE: NAT UAL Scalix aon"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 5767 label "USER_RULE: NAT UALS Scalix aon"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 993 flags S/SA keep state ( max-src-states 20 max-src-conn-rate 30 /2, overload <virusprot> flush global ) label "USER_RULE: NAT IMAPS Scalix aon"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 443 flags S/SA keep state ( max-src-states 20 max-src-conn-rate 10 /2, overload <virusprot> flush global ) label "USER_RULE: NAT HTTPS Scalix aon"
pass in quick on $AON reply-to ( em0 <gw_aon_ip> ) proto tcp from any to 192.168.222.2 port 80 flags S/SA keep state ( max-src-states 20 max-src-conn-rate 10 /2, overload <virusprot> flush global ) label "USER_RULE: NAT HTTP Scalix aon"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $akjfdb keep state label "USER_RULE"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $Maint keep state label "USER_RULE: Maint Debian"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $mailserver keep state label "USER_RULE"
block in quick on $OpenVPN proto udp from any to any port 161 label "USER_RULE: SNMP queries to silence fw log"
pass in quick on $OpenVPN proto { tcp udp } from any to any port 3389 keep state label "USER_RULE"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $mssql port $SQL keep state queue (qUltraHigh,qACK) label "USER_RULE: mssql"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $mssql port $Avira keep state label "USER_RULE: Avira Server"
pass in quick on $OpenVPN proto { tcp udp } from $mssql port $Avira to any keep state label "USER_RULE: Avira Server"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $mssql port $samba keep state queue (qACK,qOthersHigh) label "USER_RULE: mssql smb"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $storage1 port $samba keep state queue (qACK,qOthersHigh) label "USER_RULE: Storage"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to any port 53 keep state queue (qACK,qDefault) label "USER_RULE: DNS"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to any port 123 keep state label "USER_RULE: NTP"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $Printer keep state label "USER_RULE: Printer"
pass in quick on $OpenVPN inet proto icmp from $OpenVPNEmployes to any icmp-type echoreq keep state label "USER_RULE: ICMP ECHO"
pass in quick on $OpenVPN proto { tcp udp } from $OpenVPNEmployes to $Backup1 port $samba keep state label "USER_RULE: Backup1 Samba"
pass in quick on $OpenVPN proto tcp from $OpenVPNEmployes to $Backup1 port 80 flags S/SA keep state label "USER_RULE: Backup1 HTTP"
pass in quick on $OpenVPN proto tcp from $OpenVPNEmployes to $Backup1 port 443 flags S/SA keep state label "USER_RULE: Backup1 HTTPS"
pass in quick on $OpenVPN from $Maxnet to any keep state queue (qACK,qOthersLow) label "USER_RULE: OpenVPN Tech wizard rules."
pass in quick on $LAN from 192.168.0.239 to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWGW_UPC from 192.168.0.239 to any keep state label "USER_RULE: temp storage"
block in quick on $LAN proto tcp from any to any port 5223 label "USER_RULE: iPhonedreck"
block in quick on $LAN proto { tcp udp } from $mssql to 229.111.112.12 port 3071 label "USER_RULE: Silence MSM"
block in quick on $LAN proto udp from any to any port 1900 label "USER_RULE: Silence MSN Messenger Broadcast"
block in quick on $LAN proto { tcp udp } from any to any port 3544 label "USER_RULE: Silence ipv6 tunneling"
block in quick on $LAN proto udp from 192.168.0.0/24 to any port 3478 label "USER_RULE: Silence STUN"
block in quick on $LAN proto { tcp udp } from $CEN_LAN to <1st_ip_AON_SUBNET> port 1194 label "USER_RULE: Silence Lan -> OpenVPN Port AON"
pass in quick on $LAN proto udp from any to 255.255.255.255 port 161 keep state label "USER_RULE: SNMP"
pass in quick on $LAN proto udp from any to 255.255.255.255 port 10260 keep state label "USER_RULE: Axis Annoyance"
pass in quick on $LAN proto udp from any to 192.168.0.0/24 port 10260 keep state label "USER_RULE: Axis Annoyance Lan"
pass in quick on $LAN proto tcp from any to 192.168.0.3 port 65002 flags S/SA keep state label "USER_RULE: SSH access"
pass in quick on $LAN proto udp from any to 255.255.255.255 port 3490 keep state label "USER_RULE: Colubris Management"
pass in quick on $LAN proto udp from any to $CEN_LAN port 3490 keep state label "USER_RULE: Colubris Management"
pass in quick on $LAN proto udp from any to 255.255.255.255 port 1800 keep state label "USER_RULE: Colubris"
pass in quick on $LAN proto udp from any to $CEN_LAN port 1800 keep state label "USER_RULE: Colubris"
pass in quick on $LAN proto udp from 192.168.0.20 to any port 427 keep state label "USER_RULE: esx 427"
pass in quick on $LAN proto udp from any to 192.168.0.255 port 138 keep state label "USER_RULE: 138 Multicast"
pass in quick on $LAN proto udp from any to 192.168.0.255 port 137 keep state label "USER_RULE: 137 Multicast"
pass in quick on $LAN from any to 192.168.100.0/24 keep state label "USER_RULE: 192.168.100.0"
pass in quick on $LAN from any to 192.168.1.1/24 keep state label "USER_RULE: 192.168.1.1"
pass in quick on $LAN inet proto icmp from $CEN_LAN to any icmp-type echoreq keep state label "USER_RULE: ICMP ECHO"
pass in quick on $LAN inet proto icmp from $CEN_LAN to any icmp-type echorep keep state label "USER_RULE: ICMP ECHO REPLY"
pass in quick on $LAN proto tcp from $CEN_LAN to any port 5556 flags S/SA keep state label "USER_RULE: Webinterface"
pass in quick on $LAN proto udp from $CEN_LAN to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto udp from $CEN_LAN to any port 53 keep state label "USER_RULE: DNS"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 80 flags S/SA keep state label "USER_RULE: HTTP"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 143 flags S/SA keep state label "USER_RULE: IMAP"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 993 flags S/SA keep state label "USER_RULE: IMAPS"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 110 flags S/SA keep state label "USER_RULE: POP3"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 995 flags S/SA keep state label "USER_RULE: POP3S"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 25 flags S/SA keep state label "USER_RULE: SMTP"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 465 flags S/SA keep state label "USER_RULE: SMTPS"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 587 flags S/SA keep state label "USER_RULE: SMTP TLS"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 443 flags S/SA keep state label "USER_RULE: HTTPS"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 8080 flags S/SA keep state label "USER_RULE: HTTP 8080"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 8008 flags S/SA keep state label "USER_RULE: HTTP 8008"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 21 flags S/SA keep state label "USER_RULE: FTP"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 22 flags S/SA keep state label "USER_RULE: SSH"
pass in quick on $LAN proto tcp from $CEN_LAN to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto tcp from $CEN_LAN to any port 23 flags S/SA keep state label "USER_RULE: Telnet"
pass in quick on $LAN proto { tcp udp } from $CEN_LAN to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto { tcp udp } from $CEN_LAN to any port 8000 keep state label "USER_RULE: Webradio 1"
pass in quick on $LAN proto { tcp udp } from $CEN_LAN to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto { tcp udp } from $CEN_LAN to any port 6666 keep state label "USER_RULE: Webradio 2"
pass in quick on $LAN proto { tcp udp } from $CEN_LAN to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto { tcp udp } from $CEN_LAN to any port 1935 keep state label "USER_RULE: Webradio 3"
pass in quick on $LAN proto { tcp udp } from $CEN_LAN to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto { tcp udp } from $CEN_LAN to any port 2683 keep state label "USER_RULE: ELBA 1"
pass in quick on $LAN proto { tcp udp } from $CEN_LAN to any port 6128 keep state label "USER_RULE: DAMEWARE"
pass in quick on $LAN proto { tcp udp } from $CEN_LAN to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto { tcp udp } from $CEN_LAN to any port 5900 keep state label "USER_RULE: VNC"
pass in quick on $LAN proto { tcp udp } from $CEN_LAN to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWLoadBalance proto { tcp udp } from
$CEN_LAN to any port 3048 keep state label "USER_RULE: ELBA 2" pass in quick on $LAN proto udp from $CEN_LAN to <vpns>keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)" pass in quick on $LAN $GWLoadBalance proto udp from $CEN_LAN to any port 123 keep state label "USER_RULE: NTP" pass in quick on $LAN proto { tcp udp } from $CEN_LAN to $OpenVPNEmployes port 7030 keep state label "USER_RULE: Avira Server --> OpenVPN" pass in quick on $LAN proto { tcp udp } from $CEN_LAN to $OpenVPNEmployes port 136 >< 140 keep state label "USER_RULE: smb --> OpenVPN" pass in quick on $LAN from any to $RemoteSites keep state label "USER_RULE: LAN -> RemoteSites" pass in quick on $LAN from any to $OpenVPNEmployes keep state label "USER_RULE: LAN -> OpenVPN Mitarbeiter" pass in log quick on $IPsec proto tcp from any to $Maxnet flags S/SA keep state label "USER_RULE" block in quick on $IPsec proto udp from any to 192.168.0.3 port 10260 label "USER_RULE: Axis Annoyance" pass in quick on $IPsec proto { tcp udp } from any to $mssql port $SQL keep state queue (qUltraHigh,qACK) label "USER_RULE: MSSQL" pass in quick on $IPsec proto { tcp udp } from $RemoteSites to $mssql port $Avira keep state label "USER_RULE: Avira Server" pass in quick on $IPsec proto { tcp udp } from $RemoteSites to $Maint keep state label "USER_RULE: maintdeb" pass in quick on $IPsec proto { tcp udp } from any port $Avira to $RemoteSites keep state label "USER_RULE: Avira Server" pass in quick on $IPsec proto { tcp udp } from any to $storage1 port $samba keep state queue (qACK,qOthersHigh) label "USER_RULE: Storage" pass in quick on $IPsec proto { tcp udp } from any to 192.168.0.121 port $samba keep state queue (qACK,qDefault) label "USER_RULE: ChristinePC Scan Freigabe" pass in quick on $IPsec proto { tcp udp } from any to any port 53 keep state queue (qACK,qDefault) label "USER_RULE: DNS" pass in quick on $IPsec proto { tcp udp } from any to any port 123 keep state label "USER_RULE: NTP" pass in quick on 
$IPsec proto { tcp udp } from any to $mailserver keep state queue (qACK,qOthersHigh) label "USER_RULE: mailserver" pass in quick on $IPsec inet proto icmp from any to any icmp-type echoreq keep state label "USER_RULE: ICMP ECHO" pass in quick on $IPsec inet proto icmp from any to any icmp-type echorep keep state label "USER_RULE: ICMP ECHO REPLY" pass in quick on $IPsec proto { tcp udp } from any to $mssql port $samba keep state queue (qACK,qOthersHigh) label "USER_RULE: WinSRV1 Samba" pass in quick on $IPsec proto { tcp udp } from any to $Backup1 port $samba keep state queue (qACK,qDefault) label "USER_RULE: Backup1 Samba" pass in quick on $IPsec proto tcp from any to $Backup1 port 80 flags S/SA keep state label "USER_RULE: Backup1 HTTP" pass in quick on $IPsec proto tcp from any to $Backup1 port 443 flags S/SA keep state label "USER_RULE: Backup1 HTTPS" pass in quick on $IPsec proto { tcp udp } from any to $Printer keep state queue (qACK,qDefault) label "USER_RULE: Printer Front" # VPN Rules pass out on $AON route-to ( em0 <gw_aon_ip>) proto udp from any to <remotesite2_wanip>port = 500 keep state label \"IPsec: REMOTESITE2 - outbound isakmp\" pass in on $AON reply-to ( em0 <gw_aon_ip>) proto udp from <remotesite2_wanip>to any port = 500 keep state label \"IPsec: REMOTESITE2 - inbound isakmp\" pass out on $AON route-to ( em0 <gw_aon_ip>) proto esp from any to <remotesite2_wanip>keep state label \"IPsec: REMOTESITE2 - outbound esp proto\" pass in on $AON reply-to ( em0 <gw_aon_ip>) proto esp from <remotesite2_wanip>to any keep state label \"IPsec: REMOTESITE2 - inbound esp proto\" pass out on $AON route-to ( em0 <gw_aon_ip>) proto udp from any to <remotesite3_wanip>port = 500 keep state label \"IPsec: REMOTESITE3 - outbound isakmp\" pass in on $AON reply-to ( em0 <gw_aon_ip>) proto udp from <remotesite3_wanip>to any port = 500 keep state label \"IPsec: REMOTESITE3 - inbound isakmp\" pass out on $AON route-to ( em0 <gw_aon_ip>) proto esp from any to 
<remotesite3_wanip>keep state label \"IPsec: REMOTESITE3 - outbound esp proto\" pass in on $AON reply-to ( em0 <gw_aon_ip>) proto esp from <remotesite3_wanip>to any keep state label \"IPsec: REMOTESITE3 - inbound esp proto\" pass out on $AON route-to ( em0 <gw_aon_ip>) proto udp from any to <remotesite1_wanip>port = 500 keep state label \"IPsec: REMOTESITE4 - outbound isakmp\" pass in on $AON reply-to ( em0 <gw_aon_ip>) proto udp from <remotesite1_wanip>to any port = 500 keep state label \"IPsec: REMOTESITE4 - inbound isakmp\" pass out on $AON route-to ( em0 <gw_aon_ip>) proto esp from any to <remotesite1_wanip>keep state label \"IPsec: REMOTESITE4 - outbound esp proto\" pass in on $AON reply-to ( em0 <gw_aon_ip>) proto esp from <remotesite1_wanip>to any keep state label \"IPsec: REMOTESITE4 - inbound esp proto\" # package manager late specific hook anchor "packagelate" anchor "tftp-proxy/*" anchor "limitingesr" # uPnPd anchor "miniupnpd"</remotesite1_wanip></gw_aon_ip></remotesite1_wanip></gw_aon_ip></remotesite1_wanip></gw_aon_ip></remotesite1_wanip></gw_aon_ip></remotesite3_wanip></gw_aon_ip></remotesite3_wanip></gw_aon_ip></remotesite3_wanip></gw_aon_ip></remotesite3_wanip></gw_aon_ip></remotesite2_wanip></gw_aon_ip></remotesite2_wanip></gw_aon_ip></remotesite2_wanip></gw_aon_ip></remotesite2_wanip></gw_aon_ip></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></virusprot></gw_aon_ip></virusprot></gw_aon_ip></virusprot></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></gw_aon_ip></ip_upcasync_subnet></gw_upcasync_ip></ip_upcasync_subnet></gw_upcasync_ip></gw_upcasync_ip></gw_upcasync_ip></gw_upcasync_ip></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></vpns></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_
ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></gw_upc_ip></backuphost_ip></backuphost_ip></backuphost_ip></upcasync_network></ip_upcasync_subnet></gw_upcasync_ip></aonif_network></gw_aon_ip></upcif_network></gw_upc_ip></bogons></bogons></bogons></bogons></virusprot></sshlockout></snort2c></snort2c></upcasync_network></aonif_network></upcif_network></direct_networks></vpns></ip_upcasync_subnet></ip_upcasync_subnet></backuphost_ip></backuphost_ip></ip_upcasync_subnet></ip_upcasync_subnet></backuphost_ip></gw_upc_ip></gw_upcasync_ip></gw_upcasync_ip></gw_aon_ip></gw_upc_ip></winsrv1></winsrv1></uul_lan></uul_lan></storage1></storage1></openvpntech></openvpntech></openvpnemployes></openvpnemployes></mx_upc></mx_upc></mssql></mssql></maxnet></maxnet></maint></maint></mailserver></mailserver></cen_lan></cen_lan></printer></printer></backup1></backup1></remotesites></remotesites></akjfdb></akjfdb></virusprot></snort2c></sshlockout>
-
BTW: reading a bit over my posted log I noticed some entries for snort. I once installed it, but removed it long ago.
-
Anyone else getting these errors?
-
Ok, I tried the Sat Nov 13 21:38:35 snapshot.
Same errors and some rules or gateway groups aren't working. For example I can't access any host on port 25 from my "mail" interface while ssh outgoing is fine.
Port 25 outgoing is using gateway group "GWmx_failover" (see rules.debug posted above) which consists of 2 gateways on 2 different WAN interfaces configured for static IPs ( <gw_upc> Tier1 and <gw_aon> Tier2). Additionally it's using AON to SNAT source IPs for connections originating from the "mail" interface. This was working fine till the snapshot from 12th Oct. (the last one I tried before upgrading to recent Nov. snapshots).
Unfortunately being in a hurry to get the mailserver online again, I forgot to grab the current rules.debug.
The rules.debug I previously posted should still apply (I hope?), although interface names differ as this is another machine (but same config). If it helps I could send you my config by mail.
Here's the system.log:
Nov 14 13:22:55 pfsense1 syslogd: kernel boot file is /boot/kernel/kernel
Nov 14 13:22:55 pfsense1 kernel: Copyright (c) 1992-2010 The FreeBSD Project.
Nov 14 13:22:55 pfsense1 kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Nov 14 13:22:55 pfsense1 kernel: The Regents of the University of California. All rights reserved.
Nov 14 13:22:55 pfsense1 kernel: FreeBSD is a registered trademark of The FreeBSD Foundation.
Nov 14 13:22:55 pfsense1 kernel: FreeBSD 8.1-RELEASE-p1 #1: Sat Nov 13 21:36:48 EST 2010
Nov 14 13:22:55 pfsense1 kernel: sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386
Nov 14 13:22:55 pfsense1 kernel: Timecounter "i8254" frequency 1193182 Hz quality 0
Nov 14 13:22:55 pfsense1 kernel: CPU: Intel(R) Xeon(TM) CPU 2.80GHz (2793.90-MHz 686-class CPU)
Nov 14 13:22:55 pfsense1 kernel: Origin = "GenuineIntel" Id = 0xf29 Family = f Model = 2 Stepping = 9
Nov 14 13:22:55 pfsense1 kernel: Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Nov 14 13:22:55 pfsense1 kernel: Features2=0x4400<CNXT-ID,xTPR>
Nov 14 13:22:55 pfsense1 kernel: real memory = 3221225472 (3072 MB)
Nov 14 13:22:55 pfsense1 kernel: avail memory = 3141349376 (2995 MB)
Nov 14 13:22:55 pfsense1 kernel: ACPI APIC Table: <IBM SERONYXP>
Nov 14 13:22:55 pfsense1 kernel: FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
Nov 14 13:22:55 pfsense1 kernel: FreeBSD/SMP: 2 package(s) x 1 core(s) x 2 HTT threads
Nov 14 13:22:55 pfsense1 kernel: cpu0 (BSP): APIC ID: 0
Nov 14 13:22:55 pfsense1 kernel: cpu1 (AP/HT): APIC ID: 1
Nov 14 13:22:55 pfsense1 kernel: cpu2 (AP): APIC ID: 6
Nov 14 13:22:55 pfsense1 kernel: cpu3 (AP/HT): APIC ID: 7
Nov 14 13:22:55 pfsense1 kernel: MADT: Forcing active-low polarity and level trigger for SCI
Nov 14 13:22:55 pfsense1 kernel: ioapic2 <Version 1.1> irqs 32-47 on motherboard
Nov 14 13:22:55 pfsense1 kernel: ioapic1 <Version 1.1> irqs 16-31 on motherboard
Nov 14 13:22:55 pfsense1 kernel: ioapic0 <Version 1.1> irqs 0-15 on motherboard
Nov 14 13:22:55 pfsense1 kernel: ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
Nov 14 13:22:55 pfsense1 kernel: ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
Nov 14 13:22:55 pfsense1 kernel: module_register_init: MOD_LOAD (ipw_bss_fw, 0xc075aa40, 0) error 1
Nov 14 13:22:55 pfsense1 kernel: ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
Nov 14 13:22:55 pfsense1 kernel: ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
Nov 14 13:22:55 pfsense1 kernel: module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc075ab00, 0) error 1
Nov 14 13:22:55 pfsense1 kernel: wlan: mac acl policy registered
Nov 14 13:22:55 pfsense1 kernel: ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
Nov 14 13:22:55 pfsense1 kernel: ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
Nov 14 13:22:55 pfsense1 kernel: module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc075abc0, 0) error 1
Nov 14 13:22:55 pfsense1 kernel: wpi: You need to read the LICENSE file in /usr/share/doc/legal/intel_wpi/.
Nov 14 13:22:55 pfsense1 kernel: wpi: If you agree with the license, set legal.intel_wpi.license_ack=1 in /boot/loader.conf.
Nov 14 13:22:55 pfsense1 kernel: module_register_init: MOD_LOAD (wpi_fw, 0xc094f730, 0) error 1
Nov 14 13:22:55 pfsense1 kernel: kbd1 at kbdmux0
Nov 14 13:22:55 pfsense1 kernel: cryptosoft0: <software crypto> on motherboard
Nov 14 13:22:55 pfsense1 kernel: padlock0: No ACE support.
Nov 14 13:22:55 pfsense1 kernel: acpi0: <IBM SERONYXP> on motherboard
Nov 14 13:22:55 pfsense1 kernel: acpi0: [ITHREAD]
Nov 14 13:22:55 pfsense1 kernel: acpi0: Power Button (fixed)
Nov 14 13:22:55 pfsense1 kernel: acpi0: reservation of 460, 2 (4) failed
Nov 14 13:22:55 pfsense1 kernel: Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
Nov 14 13:22:55 pfsense1 kernel: acpi_timer0: <32-bit timer at 3.579545MHz> port 0x488-0x48b on acpi0
Nov 14 13:22:55 pfsense1 kernel: cpu0: <ACPI CPU> on acpi0
Nov 14 13:22:55 pfsense1 kernel: cpu1: <ACPI CPU> on acpi0
Nov 14 13:22:55 pfsense1 kernel: cpu2: <ACPI CPU> on acpi0
Nov 14 13:22:55 pfsense1 kernel: cpu3: <ACPI CPU> on acpi0
Nov 14 13:22:55 pfsense1 kernel: pcib0: <ACPI Host-PCI bridge> on acpi0
Nov 14 13:22:55 pfsense1 kernel: pci0: <ACPI PCI bus> on pcib0
Nov 14 13:22:55 pfsense1 kernel: vgapci0: <VGA-compatible display> port 0x2400-0x24ff mem 0xf0000000-0xf7ffffff,0xfebf0000-0xfebfffff irq 24 at device 5.0 on pci0
Nov 14 13:22:55 pfsense1 kernel: atapci0: <ServerWorks CSB5 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x700-0x70f at device 15.1 on pci0
Nov 14 13:22:55 pfsense1 kernel: ata0: <ATA channel 0> on atapci0
Nov 14 13:22:55 pfsense1 kernel: ata0: [ITHREAD]
Nov 14 13:22:55 pfsense1 kernel: ata1: <ATA channel 1> on atapci0
Nov 14 13:22:55 pfsense1 kernel: ata1: [ITHREAD]
Nov 14 13:22:55 pfsense1 kernel: ohci0: <OHCI (generic) USB controller> mem 0xfebef000-0xfebeffff irq 11 at device 15.2 on pci0
Nov 14 13:22:55 pfsense1 kernel: ohci0: [ITHREAD]
Nov 14 13:22:55 pfsense1 kernel: usbus0: <OHCI (generic) USB controller> on ohci0
Nov 14 13:22:55 pfsense1 kernel: isab0: <PCI-ISA bridge> at device 15.3 on pci0
Nov 14 13:22:55 pfsense1 kernel: isa0: <ISA bus> on isab0
Nov 14 13:22:55 pfsense1 kernel: pcib1: <ACPI Host-PCI bridge> on acpi0
Nov 14 13:22:55 pfsense1 kernel: pci2: <ACPI PCI bus> on pcib1
Nov 14 13:22:55 pfsense1 kernel: pcib2: <ACPI Host-PCI bridge> on acpi0
Nov 14 13:22:55 pfsense1 kernel: pci4: <ACPI PCI bus> on pcib2
Nov 14 13:22:55 pfsense1 kernel: pcib3: <PCI-PCI bridge> at device 4.0 on pci4
Nov 14 13:22:55 pfsense1 kernel: pci5: <PCI bus> on pcib3
Nov 14 13:22:55 pfsense1 kernel: fxp0: <Intel 82550 Pro/100 Ethernet> port 0x3000-0x303f mem 0xef040000-0xef040fff,0xef000000-0xef01ffff irq 22 at device 4.0 on pci5
Nov 14 13:22:55 pfsense1 kernel: miibus0: <MII bus> on fxp0
Nov 14 13:22:55 pfsense1 kernel: inphy0: <i82555 10/100 media interface> PHY 1 on miibus0
Nov 14 13:22:55 pfsense1 kernel: inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
Nov 14 13:22:55 pfsense1 kernel: fxp0: [ITHREAD]
Nov 14 13:22:55 pfsense1 kernel: fxp1: <Intel 82550 Pro/100 Ethernet> port 0x3040-0x307f mem 0xef041000-0xef041fff,0xef020000-0xef03ffff irq 23 at device 5.0 on pci5
Nov 14 13:22:55 pfsense1 kernel: miibus1: <MII bus> on fxp1
Nov 14 13:22:55 pfsense1 kernel: inphy1: <i82555 10/100 media interface> PHY 1 on miibus1
Nov 14 13:22:55 pfsense1 kernel: inphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
Nov 14 13:22:55 pfsense1 kernel: fxp1: [ITHREAD]
Nov 14 13:22:55 pfsense1 kernel: pcib4: <ACPI Host-PCI bridge> on acpi0
Nov 14 13:22:55 pfsense1 kernel: pci6: <ACPI PCI bus> on pcib4
Nov 14 13:22:55 pfsense1 kernel: em0: <Intel(R) PRO/1000 Legacy Network Connection 1.0.2> port 0x4000-0x403f mem 0xecfe0000-0xecffffff irq 16 at device 1.0 on pci6
Nov 14 13:22:55 pfsense1 kernel: em0: [FILTER]
Nov 14 13:22:55 pfsense1 kernel: em1: <Intel(R) PRO/1000 Legacy Network Connection 1.0.2> port 0x4040-0x407f mem 0xecfc0000-0xecfdffff irq 17 at device 1.1 on pci6
Nov 14 13:22:55 pfsense1 kernel: em1: [FILTER]
Nov 14 13:22:55 pfsense1 kernel: em2: <Intel(R) PRO/1000 Legacy Network Connection 1.0.2> port 0x4080-0x40bf mem 0xecfa0000-0xecfbffff irq 29 at device 8.0 on pci6
Nov 14 13:22:55 pfsense1 kernel: em2: [FILTER]
Nov 14 13:22:55 pfsense1 kernel: em3: <Intel(R) PRO/1000 Legacy Network Connection 1.0.2> port 0x40c0-0x40ff mem 0xecf80000-0xecf9ffff irq 30 at device 8.1 on pci6
Nov 14 13:22:55 pfsense1 kernel: em3: [FILTER]
Nov 14 13:22:55 pfsense1 kernel: pcib5: <ACPI Host-PCI bridge> on acpi0
Nov 14 13:22:55 pfsense1 kernel: pci8: <ACPI PCI bus> on pcib5
Nov 14 13:22:55 pfsense1 kernel: ips0: <IBM ServeRAID Adapter> mem 0xe4000000-0xe7ffffff irq 18 at device 2.0 on pci8
Nov 14 13:22:55 pfsense1 kernel: ips0: [ITHREAD]
Nov 14 13:22:55 pfsense1 kernel: fdc0: <floppy drive controller> port 0x3f0-0x3f5 irq 6 drq 2 on acpi0
Nov 14 13:22:55 pfsense1 kernel: fdc0: [FILTER]
Nov 14 13:22:55 pfsense1 kernel: fd0: <1440-KB 3.5" drive> on fdc0 drive 0
Nov 14 13:22:55 pfsense1 kernel: uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
Nov 14 13:22:55 pfsense1 kernel: uart0: [FILTER]
Nov 14 13:22:55 pfsense1 kernel: atrtc0: <AT realtime clock> port 0x70-0x73 irq 8 on acpi0
Nov 14 13:22:55 pfsense1 kernel: pmtimer0 on isa0
Nov 14 13:22:55 pfsense1 kernel: orm0: <ISA Option ROMs> at iomem 0xc0000-0xcafff,0xcb000-0xce7ff,0xce800-0xcffff,0xd0000-0xd17ff pnpid ORM0000 on isa0
Nov 14 13:22:55 pfsense1 kernel: sc0: <System console> at flags 0x100 on isa0
Nov 14 13:22:55 pfsense1 kernel: sc0: VGA <16 virtual consoles, flags=0x300>
Nov 14 13:22:55 pfsense1 kernel: vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Nov 14 13:22:55 pfsense1 kernel: atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
Nov 14 13:22:55 pfsense1 kernel: atkbd0: <AT Keyboard> irq 1 on atkbdc0
Nov 14 13:22:55 pfsense1 kernel: kbd0 at atkbd0
Nov 14 13:22:55 pfsense1 kernel: atkbd0: [GIANT-LOCKED]
Nov 14 13:22:55 pfsense1 kernel: atkbd0: [ITHREAD]
Nov 14 13:22:55 pfsense1 kernel: ppc0: parallel port not found.
Nov 14 13:22:55 pfsense1 kernel: p4tcc0: <CPU Frequency Thermal Control> on cpu0
Nov 14 13:22:55 pfsense1 kernel: p4tcc1: <CPU Frequency Thermal Control> on cpu1
Nov 14 13:22:55 pfsense1 kernel: p4tcc2: <CPU Frequency Thermal Control> on cpu2
Nov 14 13:22:55 pfsense1 kernel: p4tcc3: <CPU Frequency Thermal Control> on cpu3
Nov 14 13:22:55 pfsense1 kernel: Timecounters tick every 1.000 msec
Nov 14 13:22:55 pfsense1 kernel: IPsec: Initialized Security Association Processing.
Nov 14 13:22:55 pfsense1 kernel: usbus0: 12Mbps Full Speed USB v1.0
Nov 14 13:22:55 pfsense1 kernel: ugen0.1: <(0x1166)> at usbus0
Nov 14 13:22:55 pfsense1 kernel: uhub0: <(0x1166) OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
Nov 14 13:22:55 pfsense1 kernel: acd0: CDROM <LG CD-ROM CRN-8245B/1.16> at ata0-master UDMA33
Nov 14 13:22:55 pfsense1 kernel: ips0: resetting adapter, this may take up to 5 minutes
Nov 14 13:22:55 pfsense1 kernel: ips0: adapter type: ServeRAID 5i II (sarasota)
Nov 14 13:22:55 pfsense1 kernel: ips0: logical drives: 1
Nov 14 13:22:55 pfsense1 kernel: ips0: Logical Drive 0: RAID1 sectors: 106641408, state OK
Nov 14 13:22:55 pfsense1 kernel: ipsd0: <Logical Drive> on ips0
Nov 14 13:22:55 pfsense1 kernel: ipsd0: Logical Drive (52071MB)
Nov 14 13:22:55 pfsense1 kernel: SMP: AP CPU #2 Launched!
Nov 14 13:22:55 pfsense1 kernel: SMP: AP CPU #1 Launched!
Nov 14 13:22:55 pfsense1 kernel: SMP: AP CPU #3 Launched!
Nov 14 13:22:55 pfsense1 kernel: uhub0: 4 ports with 4 removable, self powered
Nov 14 13:22:55 pfsense1 kernel: ugen0.2: <IBM> at usbus0
Nov 14 13:22:55 pfsense1 kernel: ukbd0: <HID KB> on usbus0
Nov 14 13:22:55 pfsense1 kernel: kbd2 at ukbd0
Nov 14 13:22:55 pfsense1 kernel: ums0: <HID MS> on usbus0
Nov 14 13:22:55 pfsense1 kernel: ums0: 3 buttons and [Z] coordinates ID=0
Nov 14 13:22:55 pfsense1 kernel: uhid0: <HID SYS> on usbus0
Nov 14 13:22:55 pfsense1 kernel: Trying to mount root from ufs:/dev/ipsd0s1a
Nov 14 13:22:55 pfsense1 check_reload_status: reloading filter
Nov 14 13:22:55 pfsense1 check_reload_status: reloading filter
Nov 14 13:22:55 pfsense1 kernel: pflog0: promiscuous mode enabled
Nov 14 13:22:56 pfsense1 php: : Gateways status could not be determined, considering all as up/active.
Nov 14 13:22:56 pfsense1 php: : Gateways status could not be determined, considering all as up/active.
Nov 14 13:22:56 pfsense1 check_reload_status: Linkup starting em1
Nov 14 13:22:56 pfsense1 kernel: vip2: INIT -> BACKUP
Nov 14 13:22:56 pfsense1 kernel: vip3: INIT -> BACKUP
Nov 14 13:22:56 pfsense1 kernel: em1: link state changed to UP
Nov 14 13:22:56 pfsense1 kernel: vip2: 2 link states coalesced
Nov 14 13:22:56 pfsense1 kernel: vip2: link state changed to DOWN
Nov 14 13:22:56 pfsense1 kernel: vip3: 2 link states coalesced
Nov 14 13:22:56 pfsense1 kernel: vip3: link state changed to DOWN
Nov 14 13:22:56 pfsense1 check_reload_status: Linkup starting em0
Nov 14 13:22:56 pfsense1 kernel: em0: link state changed to UP
Nov 14 13:22:56 pfsense1 php: : Gateways status could not be determined, considering all as up/active.
Nov 14 13:22:57 pfsense1 last message repeated 3 times
Nov 14 13:22:57 pfsense1 check_reload_status: Linkup starting em2
Nov 14 13:22:57 pfsense1 kernel: em2: link state changed to UP
Nov 14 13:22:57 pfsense1 kernel: em2_vlan16: link state changed to UP
Nov 14 13:22:57 pfsense1 kernel: em2_vlan8: link state changed to UP
Nov 14 13:22:57 pfsense1 check_reload_status: Linkup starting em3
Nov 14 13:22:57 pfsense1 kernel: vip1: INIT -> BACKUP
Nov 14 13:22:57 pfsense1 kernel: em3: link state changed to UP
Nov 14 13:22:57 pfsense1 kernel: vip1: 2 link states coalesced
Nov 14 13:22:57 pfsense1 kernel: vip1: link state changed to DOWN
Nov 14 13:22:57 pfsense1 php: : Gateways status could not be determined, considering all as up/active.
Nov 14 13:22:57 pfsense1 last message repeated 3 times
Nov 14 13:22:59 pfsense1 kernel: vip2: link state changed to UP
Nov 14 13:22:59 pfsense1 kernel: vip3: link state changed to UP
Nov 14 13:22:59 pfsense1 php: : The command '/usr/local/sbin/relayd -f /var/etc/relayd.conf' returned exit code '1', the output was '/var/etc/relayd.conf:3: syntax error no redirections, nothing to do'
Nov 14 13:22:59 pfsense1 php: : Removing static route for monitor 80.120.17.70 and adding a new route through <gw_aon_ip>
Nov 14 13:22:59 pfsense1 apinger: Starting Alarm Pinger, apinger(50714)
Nov 14 13:23:00 pfsense1 kernel: vip1: link state changed to UP
Nov 14 13:23:00 pfsense1 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'pfctl: DIOCADDRULE: Device busy'
Nov 14 13:23:00 pfsense1 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'pfctl: DIOCADDRULE: Device busy'
Nov 14 13:23:01 pfsense1 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy The line in question reads [ DIOCADDRULE]:
Nov 14 13:23:01 pfsense1 php: : There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy - The line in question reads [ DIOCADDRULE]:
Nov 14 13:23:03 pfsense1 apinger: ALARM: UPC_GW_ASYNC(<gw_upcasync_ip>) *** UPC_GW_ASYNCdown ***
Nov 14 13:23:08 pfsense1 php: : ROUTING: add default route to <gw_upc_ip>
Nov 14 13:23:09 pfsense1 dhcpd: Internet Systems Consortium DHCP Server 4.1.1-P1
Nov 14 13:23:09 pfsense1 dhcpd: Copyright 2004-2010 Internet Systems Consortium.
Nov 14 13:23:09 pfsense1 dhcpd: All rights reserved.
Nov 14 13:23:09 pfsense1 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Nov 14 13:23:09 pfsense1 dnsmasq[53490]: started, version 2.55 cachesize 10000
Nov 14 13:23:09 pfsense1 dnsmasq[53490]: compile time options: no-IPv6 GNU-getopt no-DBus I18N DHCP TFTP
Nov 14 13:23:09 pfsense1 check_reload_status: updating all dyndns
Nov 14 13:23:09 pfsense1 dnsmasq[53490]: reading /etc/resolv.conf
Nov 14 13:23:09 pfsense1 dnsmasq[53490]: using nameserver 80.120.17.70#53
Nov 14 13:23:09 pfsense1 dnsmasq[53490]: using nameserver 213.33.99.70#53
Nov 14 13:23:09 pfsense1 dnsmasq[53490]: using nameserver 195.58.161.122#53
Nov 14 13:23:09 pfsense1 dnsmasq[53490]: using nameserver 195.58.160.194#53
Nov 14 13:23:09 pfsense1 dnsmasq[53490]: read /etc/hosts - 46 addresses
Nov 14 13:23:10 pfsense1 php: : IPSEC interface is not WAN but opt1, adding static route for VPN endpoint <ipsec_endpoint1_ip> via <gw_aon_ip>
Nov 14 13:23:10 pfsense1 php: : The command '/sbin/route delete -host <ipsec_endpoint1_ip>' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host <ipsec_endpoint1_ip>: not in table'
Nov 14 13:23:10 pfsense1 php: : IPSEC interface is not WAN but opt1, adding static route for VPN endpoint <ipsec_endpoint2_ip> via <gw_aon_ip>
Nov 14 13:23:10 pfsense1 php: : The command '/sbin/route delete -host <ipsec_endpoint2_ip>' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host <ipsec_endpoint2_ip>: not in table'
Nov 14 13:23:10 pfsense1 php: : IPSEC interface is not WAN but opt1, adding static route for VPN endpoint <ipsec_endpoint3_ip> via <gw_aon_ip>
Nov 14 13:23:10 pfsense1 php: : The command '/sbin/route delete -host <ipsec_endpoint3_ip>' returned exit code '1', the output was 'route: writing to routing socket: No such process delete host <ipsec_endpoint3_ip>: not in table'
Nov 14 13:23:10 pfsense1 php: : IPSEC interface is not WAN but opt1, adding static route for VPN endpoint <ipsec_endpoint1_ip> via <gw_aon_ip>
Nov 14 13:23:10 pfsense1 php: : IPSEC interface is not WAN but opt1, adding static route for VPN endpoint <ipsec_endpoint2_ip> via <gw_aon_ip>
Nov 14 13:23:10 pfsense1 php: : IPSEC interface is not WAN but opt1, adding static route for VPN endpoint <ipsec_endpoint3_ip> via <gw_aon_ip>
Nov 14 13:23:12 pfsense1 php: : MONITOR: UPC_GW_ASYNC has high latency, removing from routing group
Nov 14 13:23:13 pfsense1 check_reload_status: reloading filter
Nov 14 13:23:14 pfsense1 php: : MONITOR: UPC_GW_ASYNC has high latency, removing from routing group
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/wan-queues.rrd -t :wan:qACK:qDefault:qOthersHigh:qOthersLow N:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/wan-queuedrops.rrd -t :wan:qACK:qDefault:qOthersHigh:qOthersLow N:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/lan-queues.rrd -t :lan:qInternet:qACK:qDefault:qOthersHigh:qOthersLow:qUltraHigh N:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/lan-queuedrops.rrd -t :lan:qInternet:qACK:qDefault:qOthersHigh:qOthersLow:qUltraHigh N:U:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/opt1-queues.rrd -t :opt1:qACK:qDefault:qOthersHigh:qOthersLow:qUltraHigh N:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/opt1-queuedrops.rrd -t :opt1:qACK:qDefault:qOthersHigh:qOthersLow:qUltraHigh N:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/opt2-queues.rrd -t :opt2:qACK:qDefault:qOthersHigh:qOthersLow N:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/opt2-queuedrops.rrd -t :opt2:qACK:qDefault:qOthersHigh:qOthersLow N:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/opt3-queues.rrd -t :opt3:qInternet:qACK:qDefault:qOthersHigh:qOthersLow N:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:14 pfsense1 php: : The command '/usr/bin/nice -n20 /usr/local/bin/rrdtool update /var/db/rrd/opt3-queuedrops.rrd -t :opt3:qInternet:qACK:qDefault:qOthersHigh:qOthersLow N:U:U:U:U:U:U' returned exit code '1', the output was 'ERROR: unknown DS name '''
Nov 14 13:23:15 pfsense1 php: : Creating rrd update script
Nov 14 13:23:15 pfsense1 php: : Resyncing configuration for all packages.
Nov 14 13:23:18 pfsense1 login: login on ttyv0 as root
Nov 14 13:23:18 pfsense1 sshlockout[54463]: sshlockout v2.0 starting up
Nov 14 13:23:18 pfsense1 sshlockout[54463]: sshlockout v2.0 starting up
Nov 14 13:23:21 pfsense1 kernel: WARNING: pseudo-random number generator used for IPsec processing
Nov 14 13:27:16 pfsense1 kernel: fxp0: link state changed to DOWN
Nov 14 13:28:20 pfsense1 check_reload_status: syncing firewall
Nov 14 13:28:23 pfsense1 check_reload_status: syncing firewall
Nov 14 13:28:23 pfsense1 check_reload_status: reloading filter
Nov 14 13:28:24 pfsense1 php: : MONITOR: UPC_GW_ASYNC has high latency, removing from routing group
Nov 14 13:28:53 pfsense1 check_reload_status: syncing firewall
Nov 14 13:28:56 pfsense1 check_reload_status: syncing firewall
Nov 14 13:28:56 pfsense1 check_reload_status: reloading filter
Nov 14 13:28:57 pfsense1 php: : MONITOR: UPC_GW_ASYNC has high latency, removing from routing group
Thank you very much!
Max
-
Update:
Though the 6th Nov. snapshot already gave me the "cannot define table bogons: Device busy pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [204]: table <bogons> persist file "/etc/bogons"" error in addition to the first "pfctl: DIOCADDRULE: Device busy The line in question reads [ DIOCADDRULE]:" error, which first appeared for me on the Oct. 12th snapshot, rules and gateways were working fine as I remember... but I could be wrong and this second error (bogons) broke it.
Couldn't test for long because this is a production machine, but I tried to edit/save some rules and AON rules; it didn't have any effect though. Is there anything else I could do?
I really don't want to stick to oct 12th ;)
Thank you very much!
-
Does anyone know what's this all about?
Anyone else besides m4rcu5 and me having this problem?
Edit: on redmine I found one follow-up post regarding this error: http://redmine.pfsense.org/issues/922
-
2.0-BETA4 (i386)
built on Mon Nov 15 17:03:26 EST 2010
FreeBSD 8.1-RELEASE-p1
nanobsd
I get this from time to time:
There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy The line in question reads [ DIOCADDRULE]:
-
After upgrading to today's snapshot, I don't get the following error anymore:
"/tmp/rules.debug:204: cannot define table bogons: Device busy pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [204]: table <bogons> persist file "/etc/bogons""
I still get the same error as Clarknova though on boot.
-
Okay, unfortunately I got
php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:198: cannot define table bogons: Device busy pfctl: Syntax error in config file: pf rules not loaded'
4 hours after upgrading to that snapshot.
Here's the snippet from rules.debug. Line 198 is in bold:
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 65002 label "sshlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $UPC from <bogons> to any label "block bogon networks from UPC"
antispoof for em3
# block anything from private networks on interfaces with the option set
antispoof for $UPC
block in log quick on $UPC from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $UPC from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $UPC from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $UPC from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
$UPC is my first "WAN" interface.
I now upgraded to Sun Nov 21 02:37:38 ..
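As an added example (not code from pfSense or from anyone in this thread), here is a small Python checker that does the bookkeeping the posts above keep doing by hand: it parses pfctl's error output in the two shapes seen in the thread (the `file:line: cannot define table ...` form and the bare `pfctl: DIOCADDRULE: Device busy` form), maps each file:line reference back to the rule at that line, and lints the ruleset for tables that are referenced by rules but never defined with `table <name>`, or defined more than once. The sample ruleset is a constructed, deliberately partial copy of the snippet above, so `<sshlockout>` and `<virusprot>` are reported as undefined; the sample pfctl string, the line number in it and the function names are my own assumptions. It cannot explain a kernel-side "Device busy", it only localizes it.

```python
"""Map pfctl error output back to rules and lint table usage (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the rules.debug snippet posted in the thread.
# It is deliberately partial: <sshlockout> and <virusprot> are referenced
# but their "table <...>" definitions are not included.
SAMPLE_RULES = """\
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 65002 label "sshlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
block in log quick on $UPC from <bogons> to any label "block bogon networks from UPC"
antispoof for $UPC
block in log quick on $UPC from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
"""

# Constructed pfctl output; line 4 refers to SAMPLE_RULES above, not to a real file.
SAMPLE_PFCTL_OUTPUT = (
    "/tmp/rules.debug:4: cannot define table bogons: Device busy "
    "pfctl: Syntax error in config file: pf rules not loaded"
)

# "table <name> ..." at the start of a line defines a table.
TABLE_DEF_RE = re.compile(r'^\s*table\s+<([A-Za-z0-9_]+)>')
# Any <name> elsewhere in a rule is a table reference.
TABLE_REF_RE = re.compile(r'<([A-Za-z0-9_]+)>')
# "path:line: message", possibly several run together on one line,
# terminated by the next "path:line:", a "pfctl:" prefix, or end of text.
FILE_LINE_ERR_RE = re.compile(r'(\S+):(\d+): (.*?)(?= \S+:\d+: | pfctl: |$)')
# The line-less ioctl failure; message ends at the next pfctl: prefix or " - ".
DIOC_ERR_RE = re.compile(r'DIOCADDRULE: (.+?)(?= pfctl:| - |$)')


def parse_pfctl_output(output: str) -> List[Tuple[Optional[int], str]]:
    """Return (line_number_or_None, message) pairs found in pfctl's output."""
    errors: List[Tuple[Optional[int], str]] = []
    for _path, lineno, msg in FILE_LINE_ERR_RE.findall(output):
        errors.append((int(lineno), msg.strip()))
    m = DIOC_ERR_RE.search(output)
    if m:
        errors.append((None, m.group(1).strip()))
    return errors


def locate_errors(rules: str, output: str) -> List[dict]:
    """Attach the offending rule text to every error that carries a line number."""
    lines = rules.splitlines()
    located = []
    for lineno, msg in parse_pfctl_output(output):
        entry = {'line': lineno, 'message': msg, 'rule': None}
        if lineno is not None and 1 <= lineno <= len(lines):
            entry['rule'] = lines[lineno - 1]
        located.append(entry)
    return located


def table_report(rules: str) -> Dict[str, object]:
    """Collect table definitions and references; flag undefined and duplicate tables."""
    defined: Dict[str, List[int]] = {}
    referenced: Dict[str, List[int]] = {}
    for lineno, line in enumerate(rules.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # comments never define or use tables
        m = TABLE_DEF_RE.match(line)
        if m:
            defined.setdefault(m.group(1), []).append(lineno)
            continue
        for name in TABLE_REF_RE.findall(line):
            referenced.setdefault(name, []).append(lineno)
    return {
        'undefined': sorted(n for n in referenced if n not in defined),
        'duplicate': sorted(n for n, ls in defined.items() if len(ls) > 1),
        'defined': defined,
        'referenced': referenced,
    }


if __name__ == '__main__':
    for err in locate_errors(SAMPLE_RULES, SAMPLE_PFCTL_OUTPUT):
        print(f"line {err['line']}: {err['message']}\n    {err['rule']}")
    report = table_report(SAMPLE_RULES)
    print('referenced but undefined:', report['undefined'])
    print('defined more than once:  ', report['duplicate'])
```

Run it against a saved copy of /tmp/rules.debug and the text of the "The command '/sbin/pfctl ...' returned exit code '1'" log entry; the undefined-table check is the one worth keeping around, because a referenced table with no `table <name>` line is a plain syntax error rather than the "Device busy" condition discussed here.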
-
Any news about those DIOCADDRULE errors?
Is this something to worry about?
If someone could explain what this error is about it would be very nice to know ;)
Thank you!
-
Please wait for a snapshot to come after this post and try to see if it fixes the error.
-
Using 2.0-BETA4 (amd64)
built on Mon Nov 29 23:16:42 UTC 2010
Error still exists
-
Can you show me your system logs?
Possibly other info from the system?
-
I'm running in an ESXi virtualized environment, but from what I've read it's the same error others are seeing with full installs on dedicated hardware.
Nov 29 22:55:50 kernel: VMware memory control driver initialized
Nov 29 22:55:50 sshlockout[37131]: sshlockout v2.0 starting up
Nov 29 22:55:50 sshlockout[37131]: sshlockout v2.0 starting up
Nov 29 22:55:50 login: login on ttyv0 as root
Nov 29 22:55:49 php: : Resyncing configuration for all packages.
Nov 29 22:55:48 miniupnpd[21227]: Listening for NAT-PMP traffic on port 5351
Nov 29 22:55:48 miniupnpd[21227]: Listening for NAT-PMP traffic on port 5351
Nov 29 22:55:48 miniupnpd[21227]: HTTP listening on port 2189
Nov 29 22:55:48 miniupnpd[21227]: HTTP listening on port 2189
Nov 29 22:55:48 php: miniupnpd: Starting service on interface: lan
Nov 29 22:55:48 php: : Creating rrd update script
Nov 29 22:55:43 php: : phpDynDNS: No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Nov 29 22:55:43 php: : DynDns: Cached IP: xxx.xxx.xxx.xxx
Nov 29 22:55:43 php: : DynDns: Current WAN IP: xxx.xxx.xxx.xxx
Nov 29 22:55:43 php: : DynDns debug information: xxx.xxx.xxx.xxx extracted from local system.
Nov 29 22:55:43 php: : DynDns: _checkIP() starting.
Nov 29 22:55:43 php: : DynDns: _detectChange() starting.
Nov 29 22:55:43 php: : DynDns: updatedns() starting
Nov 29 22:55:43 php: : DynDns: Running updatedns()
Nov 29 22:55:43 dnsmasq[56517]: read /etc/hosts - 2 addresses
Nov 29 22:55:43 dnsmasq[56517]: using nameserver xxx.xxx.xxx.xxx#53
Nov 29 22:55:43 dnsmasq[56517]: using nameserver xxx.xxx.xxx.xxx#53
Nov 29 22:55:43 dnsmasq[56517]: reading /etc/resolv.conf
Nov 29 22:55:43 check_reload_status: updating all dyndns
Nov 29 22:55:43 dnsmasq[56517]: compile time options: IPv6 GNU-getopt no-DBus I18N DHCP TFTP
Nov 29 22:55:43 dnsmasq[56517]: started, version 2.55 cachesize 10000
Nov 29 22:55:42 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Nov 29 22:55:42 dhcpd: All rights reserved.
Nov 29 22:55:42 dhcpd: Copyright 2004-2010 Internet Systems Consortium.
Nov 29 22:55:42 dhcpd: Internet Systems Consortium DHCP Server 4.1.1-P1
Nov 29 22:55:41 php: : ROUTING: change default route to xxx.xxx.xxx.xxx
Nov 29 22:55:41 check_reload_status: reloading filter
Nov 29 22:55:40 kernel: ovpnc3: link state changed to UP
Nov 29 22:55:38 apinger: Starting Alarm Pinger, apinger(25355)
Nov 29 22:55:38 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'pfctl: DIOCADDRULE: Device busy'
Nov 29 22:55:37 apinger: Exiting on signal 15.
Nov 29 22:55:37 php: : There were error(s) loading the rules: pfctl: Duplicate signature for AIX 4.3 : File exists pfctl: Duplicate signature for AIX 4.3 : File exists pfctl: Duplicate signature for AIX 4.3 2: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 2-3: File exists pfctl: Duplicate signature for AIX 4.3 2: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 2-3: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 5.1 : File exists pfctl: Duplicate signature for AIX 5.2 : File exists pfctl: Duplicate signature for AIX 5.1-5.2 : File exists pfctl: Duplicate signature for AIX 5.1 : File exists pfctl: Duplicate signature for AIX 5.2 : File exists pfctl: Duplicate signature for AIX 5.1-5.2 : File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4
Nov 29 22:55:37 php: : New alert found: There were error(s) loading the rules: pfctl: Duplicate signature for AIX 4.3 : File exists pfctl: Duplicate signature for AIX 4.3 : File exists pfctl: Duplicate signature for AIX 4.3 2: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 2-3: File exists pfctl: Duplicate signature for AIX 4.3 2: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 2-3: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 5.1 : File exists pfctl: Duplicate signature for AIX 5.2 : File exists pfctl: Duplicate signature for AIX 5.1-5.2 : File exists pfctl: Duplicate signature for AIX 5.1 : File exists pfctl: Duplicate signature for AIX 5.2 : File exists pfctl: Duplicate signature for AIX 5.1-5.2 : File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate si
Nov 29 22:55:37 php: : There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy - The line in question reads [ DIOCADDRULE]:
Nov 29 22:55:37 php: : New alert found: There were error(s) loading the rules: pfctl: DIOCADDRULE: Device busy The line in question reads [ DIOCADDRULE]:
Nov 29 22:55:37 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'pfctl: Duplicate signature for AIX 4.3 : File exists pfctl: Duplicate signature for AIX 4.3 2: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 2-3: File exists pfctl: Duplicate signature for AIX 4.3 2: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 2-3: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 5.1 : File exists pfctl: Duplicate signature for AIX 5.2 : File exists pfctl: Duplicate signature for AIX 5.1-5.2 : File exists pfctl: Duplicate signature for AIX 5.1 : File exists pfctl: Duplicate signature for AIX 5.2 : File exists pfctl: Duplicate signature for AIX 5.1-5.2 : File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AI
Nov 29 22:55:37 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'pfctl: Duplicate signature for AIX 4.3 : File exists pfctl: Duplicate signature for AIX 4.3 2: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 2-3: File exists pfctl: Duplicate signature for AIX 4.3 2: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 2-3: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AIX 5.1 : File exists pfctl: Duplicate signature for AIX 5.2 : File exists pfctl: Duplicate signature for AIX 5.1-5.2 : File exists pfctl: Duplicate signature for AIX 5.1 : File exists pfctl: Duplicate signature for AIX 5.2 : File exists pfctl: Duplicate signature for AIX 5.1-5.2 : File exists pfctl: Duplicate signature for AIX 4.3 3: File exists pfctl: Duplicate signature for AI
Nov 29 22:55:37 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:59: cannot define table direct_networks: Device busy /tmp/rules.debug:85: cannot define table bogons: Device busy pfctl: Syntax error in config file: pf rules not loaded'
Nov 29 22:55:37 inetd[59970]: Accessing /var/etc/inetd.conf: No such file or directory, continuing anyway.
Nov 29 22:55:37 inetd[59970]: Accessing /var/etc/inetd.conf: No such file or directory, continuing anyway.
Nov 29 22:55:36 apinger: Starting Alarm Pinger, apinger(35530)
Nov 29 22:55:36 kernel: pflog0: promiscuous mode enabled
Nov 29 22:55:36 check_reload_status: reloading filter
Nov 29 22:55:36 check_reload_status: reloading filter
Nov 29 22:55:36 kernel: Trying to mount root from ufs:/dev/da0s1a
Nov 29 22:55:36 kernel: SMP: AP CPU #3 Launched!
Nov 29 22:55:36 kernel: SMP: AP CPU #1 Launched!
Nov 29 22:55:36 kernel: SMP: AP CPU #2 Launched!
Nov 29 22:55:36 kernel: da0: 8192MB (16777216 512 byte sectors: 255H 63S/T 1044C)
Nov 29 22:55:36 kernel: da0: Command Queueing enabled
Nov 29 22:55:36 kernel: da0: 320.000MB/s transfers (160.000MHz, offset 127, 16bit)
Nov 29 22:55:36 kernel: da0: <VMware Virtual disk 1.0> Fixed Direct Access SCSI-2 device
Nov 29 22:55:36 kernel: da0 at mpt0 bus 0 scbus0 target 0 lun 0
Nov 29 22:55:36 kernel: acd0: DVDR <VMware Virtual IDE CDROM Drive 00000001> at ata1-master UDMA33
Nov 29 22:55:36 kernel: IPsec: Initialized Security Association Processing.
Nov 29 22:55:36 kernel: Timecounters tick every 10.000 msec
Nov 29 22:55:36 kernel: ppc0: cannot reserve I/O port range
Nov 29 22:55:36 kernel: vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Nov 29 22:55:36 kernel: sc0: VGA <16 virtual consoles, flags=0x300>
Nov 29 22:55:36 kernel: sc0: <System console> at flags 0x100 on isa0
Nov 29 22:55:36 kernel: orm0: <ISA Option ROMs> at iomem 0xc0000-0xc7fff,0xca000-0xcafff,0xcb000-0xcbfff,0xdc000-0xdffff,0xe0000-0xe3fff on isa0
Nov 29 22:55:36 kernel: psm0: model IntelliMouse, device ID 3
Nov 29 22:55:36 kernel: psm0: [ITHREAD]
Nov 29 22:55:36 kernel: psm0: [GIANT-LOCKED]
Nov 29 22:55:36 kernel: psm0: <PS/2 Mouse> irq 12 on atkbdc0
Nov 29 22:55:36 kernel: atkbd0: [ITHREAD]
Nov 29 22:55:36 kernel: atkbd0: [GIANT-LOCKED]
Nov 29 22:55:36 kernel: kbd0 at atkbd0
Nov 29 22:55:36 kernel: atkbd0: <AT Keyboard> irq 1 on atkbdc0
Nov 29 22:55:36 kernel: atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
Nov 29 22:55:36 kernel: atrtc0: <AT realtime clock> port 0x70-0x71 irq 8 on acpi0
Nov 29 22:55:36 kernel: acpi_acad0: <AC Adapter> on acpi0
Nov 29 22:55:36 kernel: pci34: <ACPI PCI bus> on pcib34
Nov 29 22:55:36 kernel: pcib34: <ACPI PCI-PCI bridge> at device 24.7 on pci0
Nov 29 22:55:36 kernel: pci33: <ACPI PCI bus> on pcib33
Nov 29 22:55:36 kernel: pcib33: <ACPI PCI-PCI bridge> at device 24.6 on pci0
Nov 29 22:55:36 kernel: pci32: <ACPI PCI bus> on pcib32
Nov 29 22:55:36 kernel: pcib32: <ACPI PCI-PCI bridge> at device 24.5 on pci0
Nov 29 22:55:36 kernel: pci31: <ACPI PCI bus> on pcib31
Nov 29 22:55:36 kernel: pcib31: <ACPI PCI-PCI bridge> at device 24.4 on pci0
Nov 29 22:55:36 kernel: pci30: <ACPI PCI bus> on pcib30
Nov 29 22:55:36 kernel: pcib30: <ACPI PCI-PCI bridge> at device 24.3 on pci0
Nov 29 22:55:36 kernel: pci29: <ACPI PCI bus> on pcib29
Nov 29 22:55:36 kernel: pcib29: <ACPI PCI-PCI bridge> at device 24.2 on pci0
Nov 29 22:55:36 kernel: pci28: <ACPI PCI bus> on pcib28
Nov 29 22:55:36 kernel: pcib28: <ACPI PCI-PCI bridge> at device 24.1 on pci0
Nov 29 22:55:36 kernel: pci27: <ACPI PCI bus> on pcib27
Nov 29 22:55:36 kernel: pcib27: <ACPI PCI-PCI bridge> at device 24.0 on pci0
Nov 29 22:55:36 kernel: pci26: <ACPI PCI bus> on pcib26
Nov 29 22:55:36 kernel: pcib26: <ACPI PCI-PCI bridge> at device 23.7 on pci0
Nov 29 22:55:36 kernel: pci25: <ACPI PCI bus> on pcib25
Nov 29 22:55:36 kernel: pcib25: <ACPI PCI-PCI bridge> at device 23.6 on pci0
Nov 29 22:55:36 kernel: pci24: <ACPI PCI bus> on pcib24
Nov 29 22:55:36 kernel: pcib24: <ACPI PCI-PCI bridge> at device 23.5 on pci0
Nov 29 22:55:36 kernel: pci23: <ACPI PCI bus> on pcib23
Nov 29 22:55:36 kernel: pcib23: <ACPI PCI-PCI bridge> at device 23.4 on pci0
Nov 29 22:55:36 kernel: pci22: <ACPI PCI bus> on pcib22
Nov 29 22:55:36 kernel: pcib22: <ACPI PCI-PCI bridge> at device 23.3 on pci0
Nov 29 22:55:36 kernel: pci21: <ACPI PCI bus> on pcib21
Nov 29 22:55:36 kernel: pcib21: <ACPI PCI-PCI bridge> at device 23.2 on pci0
Nov 29 22:55:36 kernel: pci20: <ACPI PCI bus> on pcib20
Nov 29 22:55:36 kernel: pcib20: <ACPI PCI-PCI bridge> at device 23.1 on pci0
Nov 29 22:55:36 kernel: pci19: <ACPI PCI bus> on pcib19
Nov 29 22:55:36 kernel: pcib19: <ACPI PCI-PCI bridge> at device 23.0 on pci0
Nov 29 22:55:36 kernel: pci18: <ACPI PCI bus> on pcib18
Nov 29 22:55:36 kernel: pcib18: <ACPI PCI-PCI bridge> at device 22.7 on pci0
Nov 29 22:55:36 kernel: pci17: <ACPI PCI bus> on pcib17
Nov 29 22:55:36 kernel: pcib17: <ACPI PCI-PCI bridge> at device 22.6 on pci0
Nov 29 22:55:36 kernel: pci16: <ACPI PCI bus> on pcib16
Nov 29 22:55:36 kernel: pcib16: <ACPI PCI-PCI bridge> at device 22.5 on pci0
Nov 29 22:55:36 kernel: pci15: <ACPI PCI bus> on pcib15
Nov 29 22:55:36 kernel: pcib15: <ACPI PCI-PCI bridge> at device 22.4 on pci0
Nov 29 22:55:36 kernel: pci14: <ACPI PCI bus> on pcib14
Nov 29 22:55:36 kernel: pcib14: <ACPI PCI-PCI bridge> at device 22.3 on pci0
Nov 29 22:55:36 kernel: pci13: <ACPI PCI bus> on pcib13
Nov 29 22:55:36 kernel: pcib13: <ACPI PCI-PCI bridge> at device 22.2 on pci0
Nov 29 22:55:36 kernel: pci12: <ACPI PCI bus> on pcib12
Nov 29 22:55:36 kernel: pcib12: <ACPI PCI-PCI bridge> at device 22.1 on pci0
Nov 29 22:55:36 kernel: pci11: <ACPI PCI bus> on pcib11
Nov 29 22:55:36 kernel: pcib11: <ACPI PCI-PCI bridge> at device 22.0 on pci0
Nov 29 22:55:36 kernel: pci10: <ACPI PCI bus> on pcib10
Nov 29 22:55:36 kernel: pcib10: <ACPI PCI-PCI bridge> at device 21.7 on pci0
Nov 29 22:55:36 kernel: pci9: <ACPI PCI bus> on pcib9
Nov 29 22:55:36 kernel: pcib9: <ACPI PCI-PCI bridge> at device 21.6 on pci0
Nov 29 22:55:36 kernel: pci8: <ACPI PCI bus> on pcib8
Nov 29 22:55:36 kernel: pcib8: <ACPI PCI-PCI bridge> at device 21.5 on pci0
Nov 29 22:55:36 kernel: pci7: <ACPI PCI bus> on pcib7
Nov 29 22:55:36 kernel: pcib7: <ACPI PCI-PCI bridge> at device 21.4 on pci0
Nov 29 22:55:36 kernel: pci6: <ACPI PCI bus> on pcib6
Nov 29 22:55:36 kernel: pcib6: <ACPI PCI-PCI bridge> at device 21.3 on pci0
Nov 29 22:55:36 kernel: pci5: <ACPI PCI bus> on pcib5
Nov 29 22:55:36 kernel: pcib5: <ACPI PCI-PCI bridge> at device 21.2 on pci0
Nov 29 22:55:36 kernel: pci4: <ACPI PCI bus> on pcib4
Nov 29 22:55:36 kernel: pcib4: <ACPI PCI-PCI bridge> at device 21.1 on pci0
Nov 29 22:55:36 kernel: pci3: <ACPI PCI bus> on pcib3
Nov 29 22:55:36 kernel: pcib3: <ACPI PCI-PCI bridge> at device 21.0 on pci0
Nov 29 22:55:36 kernel: em1: [FILTER]
Nov 29 22:55:36 kernel: em1: Memory Access and/or Bus Master bits were not set!
Nov 29 22:55:36 kernel: em1: <Intel(R) PRO/1000 Legacy Network Connection 1.0.3> port 0x2040-0x207f mem 0xd8940000-0xd895ffff,0xd8910000-0xd891ffff irq 19 at device 1.0 on pci2
Nov 29 22:55:36 kernel: em0: [FILTER]
Nov 29 22:55:36 kernel: em0: Memory Access and/or Bus Master bits were not set!
Nov 29 22:55:36 kernel: em0: <Intel(R) PRO/1000 Legacy Network Connection 1.0.3> port 0x2000-0x203f mem 0xd8920000-0xd893ffff,0xd8900000-0xd890ffff irq 18 at device 0.0 on pci2
Nov 29 22:55:36 kernel: pci2: <ACPI PCI bus> on pcib2
Nov 29 22:55:36 kernel: pcib2: <ACPI PCI-PCI bridge> at device 17.0 on pci0
Nov 29 22:55:36 kernel: mpt0: MPI Version=1.2.0.0
Nov 29 22:55:36 kernel: mpt0: [ITHREAD]
Nov 29 22:55:36 kernel: mpt0: <LSILogic 1030 Ultra4 Adapter> port 0x1400-0x14ff mem 0xd8820000-0xd883ffff,0xd8800000-0xd881ffff irq 17 at device 16.0 on pci0
Nov 29 22:55:36 kernel: vgapci0: <VGA-compatible display> port 0x10d0-0x10df mem 0xd4000000-0xd7ffffff,0xd8000000-0xd87fffff irq 16 at device 15.0 on pci0
Nov 29 22:55:36 kernel: pci0: <base peripheral> at device 7.7 (no driver attached)
Nov 29 22:55:36 kernel: pci0: <bridge> at device 7.3 (no driver attached)
Nov 29 22:55:36 kernel: ata1: [ITHREAD]
Nov 29 22:55:36 kernel: ata1: <ATA channel 1> on atapci0
Nov 29 22:55:36 kernel: ata0: [ITHREAD]
Nov 29 22:55:36 kernel: ata0: <ATA channel 0> on atapci0
Nov 29 22:55:36 kernel: atapci0: <Intel PIIX4 UDMA33 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x10c0-0x10cf at device 7.1 on pci0
Nov 29 22:55:36 kernel: isa0: <ISA bus> on isab0
Nov 29 22:55:36 kernel: isab0: <PCI-ISA bridge> at device 7.0 on pci0
Nov 29 22:55:36 kernel: pci1: <ACPI PCI bus> on pcib1
Nov 29 22:55:36 kernel: pcib1: <ACPI PCI-PCI bridge> at device 1.0 on pci0
Nov 29 22:55:36 kernel: pci0: <ACPI PCI bus> on pcib0
Nov 29 22:55:36 kernel: pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
Nov 29 22:55:36 kernel: cpu3: <ACPI CPU> on acpi0
Nov 29 22:55:36 kernel: cpu2: <ACPI CPU> on acpi0
Nov 29 22:55:36 kernel: cpu1: <ACPI CPU> on acpi0
Nov 29 22:55:36 kernel: cpu0: <ACPI CPU> on acpi0
Nov 29 22:55:36 kernel: acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1008-0x100b on acpi0
Nov 29 22:55:36 kernel: Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
Nov 29 22:55:36 kernel: acpi0: Power Button (fixed)
Nov 29 22:55:36 kernel: acpi0: [ITHREAD]
Nov 29 22:55:36 kernel: acpi0: <INTEL 440BX> on motherboard
Nov 29 22:55:36 kernel: padlock0: No ACE support.
Nov 29 22:55:36 kernel: cryptosoft0: <software crypto> on motherboard
Nov 29 22:55:36 kernel: kbd1 at kbdmux0
Nov 29 22:55:36 kernel: wlan: mac acl policy registered
Nov 29 22:55:36 kernel: ioapic0 <Version 1.1> irqs 0-23 on motherboard
Nov 29 22:55:36 kernel: MADT: Forcing active-low polarity and level trigger for SCI
Nov 29 22:55:36 kernel: cpu3 (AP): APIC ID: 3
Nov 29 22:55:36 kernel: cpu2 (AP): APIC ID: 2
Nov 29 22:55:36 kernel: cpu1 (AP): APIC ID: 1
Nov 29 22:55:36 kernel: cpu0 (BSP): APIC ID: 0
Nov 29 22:55:36 kernel: FreeBSD/SMP: 4 package(s) x 1 core(s)
Nov 29 22:55:36 kernel: FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
Nov 29 22:55:36 kernel: ACPI APIC Table: <PTLTD APIC>
Nov 29 22:55:36 kernel: avail memory = 1014796288 (967 MB)
Nov 29 22:55:36 kernel: real memory = 1073741824 (1024 MB)
Nov 29 22:55:36 kernel: TSC: P-state invariant
Nov 29 22:55:36 kernel: AMD Features2=0x1<LAHF>
Nov 29 22:55:36 kernel: AMD Features=0x20100800<SYSCALL,NX,LM>
Nov 29 22:55:36 kernel: Features2=0x80082201<SSE3,SSSE3,CX16,SSE4.1,<b31>>
Nov 29 22:55:36 kernel: Features=0xfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS>
Nov 29 22:55:36 kernel: Origin = "GenuineIntel" Id = 0x1067a Family = 6 Model = 17 Stepping = 10
Nov 29 22:55:36 kernel: CPU: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz (2665.84-MHz K8-class CPU)
Nov 29 22:55:36 kernel: Timecounter "i8254" frequency 1193182 Hz quality 0
Nov 29 22:55:36 kernel: sullrich@FreeBSD_8.0_pfSense_2.0-AMD64.snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64
Nov 29 22:55:36 kernel: FreeBSD 8.1-RELEASE-p1 #1: Mon Nov 29 23:14:41 UTC 2010
Nov 29 22:55:36 kernel: FreeBSD is a registered trademark of The FreeBSD Foundation.
Nov 29 22:55:36 kernel: The Regents of the University of California. All rights reserved.
Nov 29 22:55:36 kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Nov 29 22:55:36 kernel: Copyright (c) 1992-2010 The FreeBSD Project.
-
Running latest version - updated about 20 mins ago
Dec 1 08:00:22 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was 'pfctl: DIOCADDRULE: Device busy'
Dec 1 08:00:17 inetd[23098]: /var/etc/inetd.conf: No such file or directory
Dec 1 08:00:17 inetd[23098]: /var/etc/inetd.conf: No such file or directory
Dec 1 08:00:16 check_reload_status: reloading filter
Dec 1 08:00:16 check_reload_status: syncing firewall
Dec 1 08:00:16 check_reload_status: reloading filter
Dec 1 08:00:15 php: /pkg_edit.php: Reloading Squid for configuration sync
Still here - but everything seems to be running OK?
Regards
Andrew
-
Are these errors still there if you upgrade to one of the latest snapshots?
-
Hi Ermal,
Unfortunately the error is still present on snapshot Sat Dec 4 01:44:52 EST 2010 (i386) and pops up directly after boot.
Sorry :(
-
When the snapshot that is currently building is done, try that one. There's something in there that might fix this.
-
2.0-BETA4 (i386)
built on Sun Dec 5 07:23:23 EST 2010
Platform nanobsd (1g)
uptime 00:06
So far so good :)