From owner-freebsd-pf@FreeBSD.ORG Fri Dec 9 22:06:09 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C1EA16A41F for ; Fri, 9 Dec 2005 22:06:09 +0000 (GMT) (envelope-from forrie@forrie.com)
Received: from forrie.com (c-24-62-224-187.hsd1.nh.comcast.net [24.62.224.187]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7F8A43D5A for ; Fri, 9 Dec 2005 22:06:08 +0000 (GMT) (envelope-from forrie@forrie.com)
Received: from [192.168.1.98] (monster.forrie.com [192.168.1.98]) (authenticated bits=0) by forrie.com (8.13.4/8.13.4) with ESMTP id jB9M68jQ034972 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 9 Dec 2005 17:06:08 -0500 (EST) (envelope-from forrie@forrie.com)
Message-ID: <439A0048.3030106@forrie.com>
Date: Fri, 09 Dec 2005 17:08:08 -0500
From: Forrest Aldrich
User-Agent: Thunderbird 1.5 (Windows/20051208)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.87/1206/Thu Dec 8 14:56:45 2005 on mail.forrie.com
X-Virus-Status: Clean
Subject: Syntax errors in pf.conf
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Fri, 09 Dec 2005 22:06:09 -0000

Hi there,

First, does there exist a tidy-like syntax checker for the pf.conf file? That would be handy.

I'm writing a new pf.conf, based on Policy Filtering, and running into some problems. What I'm trying to do is:

    rdr on $ext_if proto tcp from !, !, ! any \
        port { $tcp_services } tag INET_DMZ -> $server
    rdr on $ext_if proto tcp from ! any \
        port 80 tag INET_DMZ -> $server
    rdr on $ext_if proto tcp from ! any \
        port 443 tag INET_DMZ -> $server

And pfctl complains that there is a syntax error on all of these.

I'm trying to set this up so that IP classes in the named tables are negated and not allowed through, taking the rest and handling accordingly. It's not clear to me I can even use negation here, but in this scenario it has to be used, otherwise the packets get through. Or, if not, there must be a more elegant way to accomplish it.

I'm certain this is possible, however I've not found many good examples to consult (including the PF Handbook, which does not address negation in these rules).

Thanks.
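Editor's note, added after the post and not part of the original message: pf's own syntax checker is pfctl itself, `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -vnf` additionally prints every expanded rule, which is the quickest way to see what a list or macro actually turned into. On the negation question, two pf facts matter: a `from` list must be wrapped in braces, and a `!` inside a list does not mean "none of these", because each list element expands into its own rule and a source address that is excluded by one element still matches the others. The usual way to keep several tables out of a redirect is to put `no rdr` rules for those tables ahead of the `rdr`, since translation rules are first-match, and then drop the untranslated traffic in the filter rules. The fragment below shows that layout; the interface, server address, table names and address ranges are constructed placeholders, not values from the post.

```pf
# Added example (not from the original post). Check it with:
#   pfctl -nf /path/to/this.conf      # parse only
#   pfctl -vnf /path/to/this.conf     # parse and print expanded rules
# All names and addresses are constructed placeholders.
ext_if       = "em0"
server       = "192.168.1.10"
tcp_services = "{ 25, 110 }"

# Source networks that must never be redirected to the DMZ server
# (documentation ranges used as stand-ins for real tables).
table <blocked_net_a> { 192.0.2.0/24 }
table <blocked_net_b> { 198.51.100.0/24 }

# Translation rules are first-match: a "no rdr" that matches leaves the
# packet untranslated, so the rdr rules below only ever see the rest.
no rdr on $ext_if proto tcp from <blocked_net_a> to any
no rdr on $ext_if proto tcp from <blocked_net_b> to any

# Everyone else is redirected and tagged, as in the post.
rdr on $ext_if proto tcp from any to any port $tcp_services tag INET_DMZ -> $server
rdr on $ext_if proto tcp from any to any port 80  tag INET_DMZ -> $server
rdr on $ext_if proto tcp from any to any port 443 tag INET_DMZ -> $server

# "no rdr" only skips translation; the packets still reach the filter.
# Drop the excluded tables explicitly, then pass only tagged DMZ traffic.
block in quick on $ext_if proto tcp from { <blocked_net_a>, <blocked_net_b> } to any
pass in on $ext_if proto tcp from any to $server port { 25, 110, 80, 443 } tagged INET_DMZ keep state
```

The `block in quick` rule is the part that enforces the policy; without it, hosts in the excluded tables would merely be left untranslated rather than denied, which is the "packets get through" outcome the post describes.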