On Fri, Apr 10, 2009 at 12:30 PM, Dirk Mast <condo...@gmail.com> wrote:
> When you follow -current, it's a good thing to read
>
> http://openbsd.org/faq/current.html
>
> or the CVS logs.
>
> http://marc.info/?l=openbsd-misc&m=123919875714273&w=2

ah yes . . . I didn't see changes on the pf faq and jumped the gun. Thanks!

>
> Neal Hogan wrote:
>
>> As of recent updates to -current, the latest of which was today
>> (04/10/09), my pf rules are not loading due to a "syntax error" in my
>> scrub line. I have not touched my pf.conf in a while, so the
>> difference must be from recent source. I don't remember exactly when
>> this started to happen, but it's been within the last week.
>>
>> The original line that was causing the problem was:  scrub in all
>> no-df random-id fragment reassemble
>>
>> But *scrub in* also initiates a syntax error.
>>
>> I'm not sure if you need more info., but I've pasted my pf.conf and dmesg
>> below.
>>
>> eth_monty="em0"
>> wifi_monty="ath0"
>>
>> icmp_types="{echoreq unreach}"
>>
>> lambda="192.168.2.1"
>> frege="192.168.2.33"
>> aristotle="192.168.2.32"
>>
>> #########################################################################
>> ##########################   tables   ####################################
>> #########################################################################
>>
>> table <bad_ssh> persist file "/var/log/bad_ssh.pf"
>> table <bad_www> persist file "/var/log/bad_www.pf"
>> table <bad_wifi> persist file "/var/log/bad_wifi.pf"
>>
>> #########################################################################
>> ########################### runtime options #############################
>> #########################################################################
>>
>> set block-policy drop
>> set optimization normal
>> set ruleset-optimization basic
>> #set loginterface $ext_if    # log all on ext_if
>> set state-policy floating
>> set skip on { lo }
>>
>> ## traffic normalization
>> scrub in all no-df random-id fragment reassemble
>>
>>         ######################################
>>         # Options: *no-df* clears the *don't fragment* bit that
>>         #          some packets have attached to them. Without
>>         #          this option those packets will be dropped.
>>         #          *random-id* works with the above option to
>>         #          assign *no-df packets* with a random id.
>>         #          *fragment reassemble* assembles packet fragments
>>         #          before being filtered.
>>         #######################################
>>
>> #########################################################################
>> ############################ NAT rules ##################################
>> #########################################################################
>>
>> nat pass on $eth_monty from !($eth_monty) to any -> ($eth_monty)
>> nat pass on $wifi_monty from !($wifi_monty) to any -> ($wifi_monty)
>>
>> #########################################################################
>> ############################ filter rules ###############################
>> #########################################################################
>> block in all            # default block all
>> pass out all keep state # allow all stuff out
>>
>> antispoof log quick for {lo $wifi_monty $eth_monty}   # get rid of bad stuff
>>
>> ## Block bad guys
>> block in log quick from <bad_ssh>
>> block in log quick from <bad_www>
>> block in log quick from <bad_wifi>
>>
>> ## Monty's ethernet
>> pass in on $eth_monty inet proto tcp from any to ($eth_monty) \
>>  port ssh synproxy state \
>>  (max-src-conn-rate 3/20, overload <bad_ssh> flush global)
>>
>> pass in on $eth_monty inet proto tcp from any to ($eth_monty) \
>>  port {http, https} synproxy state \
>>  (max-src-conn 100, max-src-conn-rate 15/5, overload <bad_www> flush global)
>>
>> pass in on $eth_monty inet proto icmp from any to ($eth_monty) \
>>  icmp-type $icmp_types keep state
>>
>> pass in on $eth_monty inet proto tcp from {$frege, $aristotle, $lambda} \
>>  to ($eth_monty) \
>>  port {ssh, 79} synproxy state



--
www.nealhogan.net          www.lambdaserver.com
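
Added example, not part of the thread or of OpenBSD's own tooling: the syntax error reported above comes from the removal of stand-alone scrub rules in -current (the syntax that shipped with OpenBSD 4.6), where scrub became a parenthesized option on match/pass rules and fragment reassembly became a global "set reassemble" option. The helper name migrate_scrub is hypothetical, and it handles only the scrub options named in its comments.

```shell
#!/bin/sh
# Added example (not from the thread). migrate_scrub is a hypothetical helper:
# it reads a pf.conf on stdin and rewrites stand-alone "scrub" rules into the
# newer form, where scrub is an option on a match rule and fragment
# reassembly is a global "set reassemble" option.
migrate_scrub() {
    awk '
    $1 != "scrub" { print; next }        # comments and other rules pass through
    {
        head = "match"; opts = ""; tail = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) {             # trailing comment: keep it verbatim
                for (; i <= NF; i++) tail = tail " " $i
            } else if ($i == "fragment") {
                i++                      # skip reassemble|crop|drop-ovl
            } else if ($i == "no-df" || $i == "random-id") {
                opts = opts " " $i
            } else if ($i == "min-ttl" || $i == "max-mss" || $i == "reassemble") {
                opts = opts " " $i " " $(i + 1); i++
            } else {
                head = head " " $i       # direction, interface, addresses
            }
        }
        sub(/^ /, "", opts)
        # Old scrub rules reassembled fragments by default; say so once, globally.
        if (!emitted) { print "set reassemble yes"; emitted = 1 }
        # A rule with no remaining options only did reassembly, so it is dropped.
        if (opts != "") print head " scrub (" opts ")" tail
    }'
}

# Constructed sample built from lines of the pf.conf quoted above.
migrate_scrub <<'EOF'
set skip on { lo }
scrub in all no-df random-id fragment reassemble
block in all
EOF
```

Parse the rewritten file with `pfctl -nf <file>` before installing it; `-n` checks the syntax without loading the ruleset.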
