From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 14:07:05 2006
From: beno
To: freebsd-pf@freebsd.org
Date: Wed, 23 Aug 2006 10:06:49 -0400
Subject: Re: Another Lists/Macros Question
Message-ID: <44EC60F9.2080102@2012.vi>
In-Reply-To: <1156318917.1543.11.camel@genius.i.cz>
References: <44EB6B18.4030201@2012.vi> <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> <1156318917.1543.11.camel@genius.i.cz>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Michal Mertl wrote:
> Note that no quoting is necessary here and the parser doesn't care much
> about whitespace. If you run pfctl with "-v" you shall see the macro
> expansion which should help in understanding the parser and finding out
> errors.
>

That does help! Thanks! Now, throwing that flag with the others (-f and -n), I now get the following errors:

set fingerprints /etc/pf.os
pfctl: /etc/pf.os : No such file or directory

In fact, there *is* such a file, and it's the default! I haven't edited it, changed perms, etc. Now, if I recall correctly, I don't need to actually cite that file, since the parser will include it automatically; however, there is certainly nothing wrong with doing so, therefore it should not throw an error! Wazzup?

server167# ls -al /etc/ | grep pf.os
-rw-r--r--  1 root  wheel  26591 Aug 17 18:32 pf.os

(I'm in as root.)

/etc/pf.conf:24: syntax error

Here's that line, which the parser doesn't parse, preceded by the other lines in question:

shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="{ 69.19.0.0/17 }"
shadday_ip_addresses=""
ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses

Now, we've been here before, and I was instructed to write the directv_ip_addresses line just so, but now the parser is throwing another error based on that very variable yet again! (I have singled it out through experimentation.) What doesn't it like this time?

/etc/pf.conf:68: syntax error
pass in quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload flush global, if-bound, src.track 3)

when the actual lines I wrote are these:

web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
all_http_ports= $http_ports $https_ports
tcp_ports= $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports

pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)

Here are my questions concerning this much:

* Why does the parser render "from any to $web_server" as "from any to any"? That's not what I specified!
* Why does the parser render "port $tcp_ports" as "port = ssh"? That's not what I specified, either!
* Why does the parser automatically reduce my variables max-src-conn and max-src-conn-rate (okay because the proportion is the same?)

TIA,
beno
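An added example, not part of this thread, showing how pf.conf macros that carry lists are composed so that the parser accepts them. pf.conf(5) states that a macro value containing whitespace must be quoted and that macros are not expanded inside quotes; a list built from other macros is therefore written by concatenating quoted brace strings with unquoted macro references, the same idiom the manpage uses for `all_ifs = "{" $ext_if lo0 "}"`. The addresses and port numbers are the ones from the message above; the interface name `fxp0` and the table name `<bruteforce>` are assumptions made for illustration, and the empty `shadday_ip_addresses` macro is left out.

```conf
# Added example (not from the thread): pf.conf macro composition that parses.
# Check it without loading: pfctl -nvf /etc/pf.conf
#   -n  parse only, -v  print each fully expanded rule
# $ext_if and the <bruteforce> table are assumptions for this example.

ext_if = "fxp0"

# A quoted string is taken verbatim, whitespace included, so keep the
# path free of stray spaces inside the quotes.
set fingerprints "/etc/pf.os"

table <bruteforce> persist

shinjiru_ip_addresses = "202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses  = "69.19.0.0/17"

# Macros are not expanded inside quotes: the braces are quoted strings and
# the macro references stay outside them (pf.conf(5): all_ifs = "{" $ext_if lo0 "}").
ssh_ip_addresses = "{" $shinjiru_ip_addresses $directv_ip_addresses "}"

web_server     = "202.71.106.119"
http_ports     = "80 8080 7080"
ssh_ports      = "22"
ftp_ports      = "21 8021 7021"
https_ports    = "443"
imap_ssl_ports = "993 143"

# Ports open to everyone; ssh is deliberately not in this list so that the
# source-restricted rule below is the only way in on 22.
tcp_ports = "{" $ftp_ports $http_ports $https_ports $imap_ssl_ports "}"

block in on $ext_if

# ssh only from the listed sources, with a per-source connection limit;
# sources that exceed it land in <bruteforce> and have their states flushed.
pass in quick on $ext_if inet proto tcp from $ssh_ip_addresses to $web_server \
    port $ssh_ports flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Everything else on the server's public TCP ports.
pass in quick on $ext_if inet proto tcp from any to $web_server \
    port $tcp_ports flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

With `pfctl -nvf`, every rule whose source or port is a list is printed once per list element, which is why the verbose output shows a single address or a single `port = ssh` where the file has a macro: that is the expansion, not a change to the rule. Numeric ports are shown by their /etc/services name, so 22 appears as `ssh`.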