I am setting up a new firewall running OpenBSD 3.7. I am trying to implement rules using tagging. I ran into trouble with the following line:
nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if)

I get the following error:

/etc/pf.conf:16: syntax error

I am starting with a sample rule set on the OpenBSD website. The problem line is taken verbatim from the OpenBSD PF documentation:

http://www.openbsd.org/faq/pf/tagging.html#policy

All I have changed are the macros to reflect my network/hardware. What am I missing here? Any comments welcome.

full ruleset:

# macros
int_if = "---"
dmz_if = "---"
ext_if = "---"
int_net = "---.---.---.---/24"
dmz_net = "---.---.---.---/24"
www_server = "---.---.---.---"
mail_server = "---.---.---.---"

table <spamd> persist file "/etc/spammers"

# classification -- classify packets based on the defined firewall
# policy.
rdr on $ext_if proto tcp from <spamd> to port smtp \
    tag SPAMD -> 127.0.0.1 port 8025
nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if)
block all
pass in on $int_if from $int_net tag LAN_INET keep state
pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ keep state
pass in on $ext_if proto tcp to $mail_server port { smtp, pop3 } \
    tag INET_DMZ keep state

# policy enforcement -- pass/block based on the defined firewall policy.
pass in quick on $ext_if tagged SPAMD keep state
pass out quick on $ext_if tagged LAN_INET_NAT keep state
pass out quick on $dmz_if tagged LAN_DMZ keep state
pass out quick on $dmz_if tagged INET_DMZ keep state
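The following is an added example and is not part of the original post or of the FAQ page it quotes. In the pf.conf(5) grammar of that era, translation rules (nat, binat, rdr) list the optional keywords in a fixed order, "tag" before "tagged", whereas filter rules (pass/block) take their options in any order. That is why only the nat line trips the parser while the pass rules carrying tag/tagged load fine. The interface names and network below are assumed placeholders, chosen so the fragment parses on its own.

```pf
# Added example: minimal ruleset showing the nat rule in grammar order.
# Macro values are assumed for this example only.
ext_if = "em0"
int_if = "em1"
int_net = "192.168.1.0/24"

# As posted, this line fails with "syntax error":
#   nat on $ext_if tagged LAN_INET tag LAN_INET_NAT -> ($ext_if)
#
# pf.conf(5) nat-rule grammar: ... hosts [ "tag" string ] [ "tagged" string ] -> ...
# so "tag" must come before "tagged":
nat on $ext_if tag LAN_INET_NAT tagged LAN_INET -> ($ext_if)

block all

# The tag is set on the inbound pass rule and travels with the packet;
# that is what "tagged LAN_INET" on the nat rule matches when the packet
# is later translated on its way out $ext_if.
pass in on $int_if from $int_net tag LAN_INET keep state
pass out quick on $ext_if tagged LAN_INET_NAT keep state
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`; once it parses, `pfctl -sn` lists the loaded translation rules and `pfctl -vvsr` shows the filter rules together with their tag and tagged settings, which is a quick way to confirm the classification and enforcement halves of the ruleset line up.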