From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Fri, 18 Aug 2006 20:26:09 +0200
Subject: Re: Syntax Error
Message-Id: <200608182026.19006.max@love2party.net>
References: <44E5E816.1030304@2012.vi>

On Friday 18 August 2006 19:03, Jeremy C. Reed wrote:
> > For some reason the parser likes this syntax in certain places but
> > not in others:
> >
> > 1. # SETTING THE STAGE
> > 2. # macros
> > 3. ext_if="vr0"
> > 4. int_if="lo0"
> > 5. http_ports="80 8080 7080"
> > 6. ssh_ports="22"
> > 7. ftp_ports="21 8021 7021"
> > 8. smtp_ports="25"
> > 9. pop3_ports="110"
> > 10. https_ports="443"
> > 11. imap_ssl_ports="993 143"
> > 12. squid_ports="3128"
> > 13. mysql_ports="3306"
> > 14. email_ports="{" $smtp_ports $pop3_ports "}"
> > 15. all_http_ports="{" $http_ports $https_ports "}"
> > 16. tcp_ports= "{" $ssh_ports $ftp_ports $all_http_ports
> > $imap_ssl_ports "}"
>
> I don't think you can put a list inside of another list.
>
> > 17. int_ports="{" $squid_ports $mysql_ports "}"
> > 18. tcp_services="ssh, ftp, http"
> > 20. web_server="202.71.106.119"
> > 21. NoRouteIPs = "127.0.0.0/8 192.168.0.0/16 172.16.0.0/12
> > 10.0.0.0/8"
> > 22. shinjiru_ip_addresses="202.71.102.114 202.71.100.126
> > 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
> > 23. directv_ip_addresses="69.19.0.0/17"
> > 24. shadday_ip_addresses="70.19.0.0/17"
> > 25. ssh_ip_addresses="{" $shinjiru_ip_addresses $directv_ip_addresses
> > $shadday_ip_addresses "}"
>
> I don't know why the list doesn't allow the macro with the /netmask. If
> the macros don't have a /netmask the list works (but not what you
> want).

That's a well-known problem in the pfctl-parser. Patches have been proposed but never made it to the tree - afaik. Look in the archives of this and the original ML for reasons and detailed discussion.

> > server167# pfctl -f /etc/pf.conf && sleep 60 && pfctl -f
> > /etc/pf.conf_BAK
> > /etc/pf.conf:16: syntax error
> > /etc/pf.conf:24: syntax error
> > pfctl: Syntax error in config file: pf rules not loaded
> >
> > It appears to not like my using "$all_http_ports" in line 16 and one
> > of the three in the last line (which the machine chooses to call 24
> > but it is actually referring to 25). Why?
>
> Because you are missing line #19 above so it is off by one.

-- 
/"\ Best regards,           | mlaier@freebsd.org
\ / Max Laier               | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign   | Against HTML Mail and News
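Added example, not part of the thread: one way to restructure the quoted macros so that no list ends up inside another list. The port macros are built up without any "{" "}" inside them and the braces are written only where a macro is used; the address groups, including the /17 networks, go into a pf table instead of a macro list. The interface, server and address values are the ones from the quoted config; the block/pass rules at the end are illustrative and assumed, not the poster's.

```pf
# Check the file without loading it, instead of load-and-revert:
#   pfctl -nf /etc/pf.conf

ext_if         = "vr0"
web_server     = "202.71.106.119"

# Plain port lists. Concatenating macros outside quotes yields a flat
# space-separated value, so no "{" or "}" is ever stored in a macro.
ssh_ports      = "22"
ftp_ports      = "21 8021 7021"
http_ports     = "80 8080 7080"
https_ports    = "443"
imap_ssl_ports = "993 143"
all_http_ports = $http_ports $https_ports
tcp_ports      = $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports

# Address groups as a table: CIDR entries are accepted here, and the
# table can be edited at runtime (pfctl -t ssh_hosts -T add/delete)
# without reloading the rule set.
table <ssh_hosts> { 202.71.102.114 202.71.100.126 202.71.106.30 \
                    202.71.106.118 202.71.106.188 203.142.1.8 \
                    69.19.0.0/17 70.19.0.0/17 }

# Braces appear only at the point of use, so each list is one level deep.
block in on $ext_if
pass in on $ext_if inet proto tcp from any to $web_server \
    port { $all_http_ports } flags S/SA keep state
pass in on $ext_if inet proto tcp from <ssh_hosts> to $web_server \
    port { $ssh_ports } flags S/SA keep state
```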