Michal Mertl wrote:
beno wrote:
Michal Mertl wrote:
Note that no quoting is necessary here and the parser doesn't care much
about whitespace. If you run pfctl with "-v" you shall see the macro
expansion which should help in understanding the parser and finding out
errors.
That does help! Thanks! Now, throwing that flag with the others (-f and
-n), I get the following errors:
set fingerprints /etc/pf.os
pfctl: /etc/pf.os : No such file or directory
I expect you removed all " characters from the file? Apparently in some
places they matter (e.g. set fingerprints). Maybe the explanation is
that it doesn't require quoting of numbers (including single IP address)
but does require quoting of texts.
This is interesting! No...here's the line I had written:
set fingerprints " /etc/pf.os "
and *that* doesn't work! Why? The s_p_a_c_e_s!!! (So much for the parser not
being particular about spacing, either.) This works:
set fingerprints "/etc/pf.os"
Go figure! I guess the parser is v_e_r_y particular ;)
/etc/pf.conf:24: syntax error
Here's that line, which the parser doesn't parse, preceded by other
lines in question:
shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="{ 69.19.0.0/17 }"
shadday_ip_addresses=""
ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses
$shadday_ip_addresses
Now, we've been here before, and I was instructed to write the
directv_ip_address line just so, but now the parser is throwing another
error based on that very variable yet again! (I have singled it out
through experimentation.) What doesn't it like this time?
Does the shinjiru_ip_addresses macro definition span multiple lines? If so,
you need to fix it by typing \ at the end of the line which continues on
another.
No...it's all in one line. Also this works (changing only the line below):
ssh_ip_addresses= $shinjiru_ip_addresses $shadday_ip_addresses
So, the problem is *only* the variable $directv_ip_addresses, which I
excluded in this example. Again, this matter was supposedly put to rest
in an earlier communication with the list, but it has resurrected itself :(
/etc/pf.conf:68: syntax error
pass in quick proto tcp from any to any port = ssh flags S/SA keep state
(source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload
<bruteforce> flush global, if-bound, src.track 3)
when the actual lines I wrote are these:
Does the rule span multiple lines again?
Yes, written as follows:
pass in quick inet proto tcp from any to $web_server port $tcp_ports
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce>
flush global)
Even when I make it all one line, like this:
pass in quick inet proto tcp from any to $web_server port $tcp_ports
flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5,
overload <bruteforce> flush global)
it throws a "syntax error" (no further details this time..?)
Here are my questions concerning this much:
* Why does the parser render "from any to $web_server" as "from any to
any"? That's not what I specified!
I don't know what you have specified and what was the result.
I specified this:
pass in quick inet proto tcp from any to $web_server port $tcp_ports
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce>
flush global)
and this previously:
web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
all_http_ports= $http_ports $https_ports
tcp_ports= $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports
so I would have expected it to render this:
...from any to 202.71.106.119 port 80 8080 7080 22 21 8021 7021 443 993
143 flags S/SA...
[see below before commenting]
* Why does the parser render "port $tcp_ports" as "port = ssh"? That's
not what I specified, either!
You probably forgot to surround the macro invocation with {} (wrote
"port $macro_with_multiple_ports" instead of "port
{ $macro_with_multiple_ports }" (without quotes)).
Now, *that* worked! That yielded the result I was expecting, as noted above!
* Why does the parser automatically reduce my variables max-src-conn and
max-src-conn-rate (okay because the proportion is the same?)
Probably not. It works for me.
And me now, with the curly braces.
So, the only problem left, thus far, is the one above concerning the macro
$directv_ip_addresses
Everything else in my initial pf.conf works FINE now!
TIA,
beno
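The fragments discussed in this thread, rewritten as an added example (not the thread's own pf.conf) so that each construct follows the pf.conf(5) quoting, list and line-continuation rules; the addresses, ports and table name are the ones quoted above, while the block rule, the persist keyword and the omission of the empty shadday macro are assumptions. Two readings fit the unresolved $directv_ip_addresses error: the ssh_ip_addresses definition wrapping onto a second line without a trailing backslash, or the braces stored inside that macro ending up nested inside another list at the point of use; the example avoids both.

```conf
# Strings must be quoted, with no stray whitespace inside the quotes.
set fingerprints "/etc/pf.os"

# Address macros hold bare addresses only. Braces belong around the *use*
# of a list, not inside a macro that is later expanded into another list,
# because "{ a b { c } }" is not valid pf list syntax.
shinjiru_ip_addresses = "202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses  = "69.19.0.0/17"
# Macro references are only expanded outside quotes, and the whole
# definition must sit on one logical line (or be continued with a
# trailing backslash). The empty shadday macro from the thread is left out.
ssh_ip_addresses = $shinjiru_ip_addresses $directv_ip_addresses

web_server     = "202.71.106.119"
http_ports     = "80 8080 7080"
ssh_ports      = "22"
ftp_ports      = "21 8021 7021"
https_ports    = "443"
imap_ssl_ports = "993 143"
all_http_ports = $http_ports $https_ports
tcp_ports      = $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports

# The table that the overload clause fills must be declared before a rule
# refers to it; "persist" keeps it even while no rule references it.
table <bruteforce> persist

# Sources the overload clause has added are dropped before anything else
# (quick = first match wins, so this rule comes first).
block in quick from <bruteforce>

# A multi-value macro is wrapped in { } where it is used: the expansion
# "port 22 21 8021 ..." without braces is not valid syntax (pfctl -v shows
# the partially parsed rule as "port = ssh" before the error). A trailing
# backslash joins the physical lines into one rule.
pass in quick inet proto tcp from any to $web_server port { $tcp_ports } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# SSH only from the listed sources; the same brace rule applies to the
# address list built from several macros.
pass in quick inet proto tcp from { $ssh_ip_addresses } to $web_server \
    port $ssh_ports flags S/SA keep state
```

Checking the file with pfctl -nvf /etc/pf.conf, as suggested earlier in the thread, prints every rule after macro expansion, so a missing brace or a wrapped definition shows up as a rule that does not read the way it was written.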
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"