Tried that and myriad other configurations, including one-liners, as I want to understand the parser from a user perspective.

This doesn't work:

    pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1

These work:

    pass out on $DMZ_if inet proto icmp from 192.168.2.1
    pass out on $DMZ_if inet proto icmp icmp-type echoreq

The system is amd64, 5.7 release on an Intel Bay Trail Celeron*. Maybe this is somehow breaking the parser?

I'm following The Book of PF and there is a similar example:

    pass inet proto icmp icmp-type $icmp_types from $localnet
    pass inet6 proto icmp6 icmp6-type $icmp6_types from $localnet
    pass inet proto icmp icmp-type $icmp_types to $ext_if
    pass inet6 proto icmp6 icmp6-type $icmp6_types to $ext_if

Excerpt from: Peter N.M. Hansteen, "The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall."

Curiously, the PF guide on openbsd.org doesn't include src/dst IP addresses. I'm assuming that I'm the only one having this problem and there's something stupid I'm not seeing...

Note: I break on action, interface, source, destination, options, as I'm a bit careless and easily miss something otherwise... My rulesets aren't that big anyway. When that happens I'll resort to includes.

The general, *highly simplified* syntax for filter rules is:

    action [direction] [log] [quick] \
        [on interface] [af] [proto protocol] \
        [from src_addr [port src_port]] \
        [to dst_addr [port dst_port]] \
        [flags tcp_flags] [state]

Suggestion: can we have a wiki where we can post user examples of configuration snippets of the various system services and discuss them? Or maybe an official list of recommended sources online? I get to understand languages better through idiomatic use than through rules, unfortunately.
* head of dmesg:

OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar 8 11:04:17 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8463536128 (8071MB)
avail mem = 8234319872 (7852MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebde0 (51 entries)
bios0: vendor American Megatrends Inc. version "F1" date 08/01/2014
bios0: Gigabyte Technology Co., Ltd. J1900M-D2P
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG LPIT HPET SSDT SSDT SSDT UEFI
acpi0: wakeup devices UAR5(S4) UAR8(S4) PS2K(S3) PS2M(S3) XHC1(S4) EHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0) BRCM(S0) BRC3(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.47 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC
cpu0: 1MB 64b/line 16-way L2 cache

> On 03 Sep 2015, at 23:05, ropers <rop...@gmail.com> wrote:
>
> Amateurish guess here:
> Could it be that this hinges upon whether proto icmp is divided over two
> lines or not?
>
> On 3 September 2015 at 11:58, Joseph A Borg <jacb...@mac.com> wrote:
>> am I being daft on this one?
>>
>> pfctl passes a syntax check on a rule such as this:
>>
>>     pass out on $DMZ_if \
>>         inet proto icmp \
>>         from 192.168.99.68
>>
>> but not this:
>>
>>     pass out on $DMZ_if \
>>         inet proto icmp icmp-type unreach \
>>         from 192.168.99.68
>>
>> this is ok:
>>
>>     pass out on $DMZ_if \
>>         inet proto icmp icmp-type $icmp-type_list
>>
>> I'm resorting to having separate pass rules for localnet_if in and dmz_if out
>>
>> is this ok? am I missing something?
>>
>> regards