Date:      Wed, 23 Aug 2006 17:05:28 +0200
From:      Michal Mertl <mime@traveller.cz>
To:        beno <zope@2012.vi>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Another Lists/Macros Question
Message-ID:  <1156345528.1543.134.camel@genius.i.cz>
In-Reply-To: <44EC60F9.2080102@2012.vi>
References:  <44EB6B18.4030201@2012.vi> <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> <1156318917.1543.11.camel@genius.i.cz>  <44EC60F9.2080102@2012.vi>

beno wrote:
> Michal Mertl wrote:
> > Note that no quoting is necessary here and the parser doesn't care much
> > about whitespace. If you run pfctl with "-v" you shall see the macro
> > expansion which should help in understanding the parser and finding out
> > errors.
> >   
> That does help! Thanks! Now, throwing that flag with the others (-f and 
> -n) I now get the following errors:
> 
> set fingerprints  /etc/pf.os
> pfctl:  /etc/pf.os : No such file or directory

I expect you removed all the " characters from the file? Apparently in some
places they matter (e.g. set fingerprints). Maybe the explanation is
that it doesn't require quoting of numbers (including a single IP address)
but does require quoting of text.

Why don't you just make a single modification at a time?

It is very difficult to help you, as it is difficult to guess what you
have done. We don't know the exact contents of the file you were loading,
which command you used, or what the full output of pfctl was.

> /etc/pf.conf:24: syntax error
> Here's that line, which the parser doesn't parse, preceded by other 
> lines in question:
> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 
> 202.71.106.118 202.71.106.188 203.142.1.8"
> directv_ip_addresses="{ 69.19.0.0/17 }"
> shadday_ip_addresses=""
> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses 
> $shadday_ip_addresses
>
> Now, we've been here before, and I was instructed to write the 
> directv_ip_address line just so, but now the parser is throwing another 
> error based on that very variable yet again! (I have singled it out 
> through experimentation.) What doesn't it like this time?

Does the shinjiru_ip_addresses macro definition span multiple lines? If so,
you need to fix it by putting a \ at the end of each line that continues
on the next one.

> /etc/pf.conf:68: syntax error
> pass in quick proto tcp from any to any port = ssh flags S/SA keep state 
> (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload 
> <bruteforce> flush global, if-bound, src.track 3)
> 
> when the actual lines I wrote are these:

Does the rule span multiple lines again?

> Here are my questions concerning this much:
> * Why does the parser render "from any to $web_server" as "from any to 
> any"? That's not what I specified!

I don't know what you have specified and what was the result.

> * Why does the parser render "port $tcp_ports" as "port = ssh"? That's 
> not what I specified, either!

You probably forgot to surround the macro invocation with {} (you wrote
"port $macro_with_multiple_ports" instead of
"port { $macro_with_multiple_ports }", without the quotes).

> * Why does the parser automatically reduce my variables max-src-conn and 
> max-src-conn-rate (okay because the proportion is the same?)

Probably not. It works for me.

All of the following work:
--
set fingerprints "/etc/pf.os"
adrs1 = "{ 69.19.0.0/17 10/8 }"
adrs2 = "69.19.0.0/17 10/8"
adr3 = 1.2.3.4
adrs4 = "1.2.3.4 \
12.5.1.2"
smtp_ports = 25 465
pop3_ports = 110 995
email_ports = $smtp_ports $pop3_ports
pass in proto tcp from any to any port { $email_ports }
pass in proto tcp from any to { $adrs2 }
pass in proto tcp from any to $adrs1
pass in quick proto tcp from any to $adr3 port = ssh flags S/SA keep state \
 (source-track rule, max-src-conn 15, max-src-conn-rate 15/5, \
 overload <bruteforce> flush global, if-bound, src.track 3)
--


Michal
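The macro rules discussed in this message (backslash continuation, quoted
versus unquoted macro values, $macro expansion at definition time, and the
need for { } around a macro that holds several items) are easy to get wrong
without seeing how the file is read. The following is an added toy model
written for this page, not pfctl's own parser (that is the yacc grammar in
pfctl/parse.y) and not code from either poster; the set of characters it
treats as ending a bare word is my reading of that lexer, and the sample
config and the error messages are constructed for the example. The real
check remains "pfctl -nvf /etc/pf.conf", which prints the expanded rules.

```python
"""Toy model of the pf.conf macro handling this thread is about: backslash
line continuation, quoted vs. unquoted macro values, $macro expansion, and
the rule that a macro holding several items must appear as { $macro } in a
rule.  Added example, not pfctl's parser (that is pfctl/parse.y); the
authority on what really loads is 'pfctl -nvf file'."""
import re

DEF_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')
REF_RE = re.compile(r'\$([A-Za-z_]\w*)')
# As I read parse.y these end a bare word, so a value containing one must be quoted.
BARE_BREAKERS = set('/{}()<>!=#,')

class PfConfError(Exception):
    """Raised where pfctl -n would report a syntax error."""

def join_continuations(text):
    """Join a line ending in '\\' with the next; returns [(lineno, logical line)]."""
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        start = n if start is None else start
        if line.endswith('\\'):
            buf.append(line[:-1].strip())
            continue
        out.append((start, ' '.join(buf + [line]).strip()))
        buf, start = [], None
    if buf:
        raise PfConfError(f'{start}: backslash continuation at end of file')
    return out

def tokenize_value(rhs, lineno):
    """Split a macro's right-hand side: a quoted string is one item, bare text splits on whitespace."""
    items, i = [], 0
    while i < len(rhs):
        if rhs[i].isspace():
            i += 1
        elif rhs[i] == '"':
            end = rhs.find('"', i + 1)
            if end < 0:
                raise PfConfError(f'{lineno}: unterminated quoted string')
            items.append(rhs[i + 1:end])
            i = end + 1
        else:
            word = re.match(r'[^\s"]+', rhs[i:]).group(0)
            if BARE_BREAKERS & set(word):
                raise PfConfError(f'{lineno}: syntax error near {word!r} (quote it)')
            items.append(word)
            i += len(word)
    return items

def expand(line, macros, lineno, check_lists=False):
    """Replace each $name by its value; with check_lists, a multi-item value must sit inside { }."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            raise PfConfError(f'{lineno}: macro {name!r} not defined')
        value = macros[name]
        in_braces = '{' in line[:m.start()].rsplit('}', 1)[-1]
        if check_lists and len(value.split()) > 1 and not (in_braces or value.startswith('{')):
            raise PfConfError(f'{lineno}: syntax error: ${name} expands to {value!r}, '
                              f'write {{ ${name} }}')
        return value
    return REF_RE.sub(sub, line)

def load(text):
    """Return (macros, expanded rules), roughly what pfctl -nvf prints."""
    macros, rules = {}, []
    for lineno, line in join_continuations(text):
        if not line or line.startswith('#'):
            continue
        m = DEF_RE.match(line)
        if m:  # a definition is expanded at once, so it may only use earlier macros
            macros[m.group(1)] = expand(' '.join(tokenize_value(m.group(2), lineno)), macros, lineno)
        else:
            rules.append(expand(line, macros, lineno, check_lists=True))
    return macros, rules

def check(text):
    try:  # None if the text loads, otherwise the error message
        load(text)
    except PfConfError as e:
        return str(e)
    return None

# Constructed sample, modelled on the working snippet in the reply above.
GOOD = '''\
adrs2 = "69.19.0.0/17 10/8"
adr3 = 1.2.3.4
smtp_ports = 25 465
pop3_ports = 110 995
email_ports = $smtp_ports $pop3_ports
pass in proto tcp from any to any port { $email_ports }
pass in proto tcp from any to { $adrs2 }
pass in quick proto tcp from any to $adr3 port = ssh flags S/SA keep state \\
 (source-track rule, max-src-conn 15, overload <bruteforce> flush global)
'''

if __name__ == '__main__':
    print('\n'.join(load(GOOD)[1]))
```

Running it prints the three expanded rules, which is the same view "pfctl -nvf"
gives of a real file. Feeding check() a macro whose definition is split over
two physical lines without a trailing backslash reports an unterminated quoted
string at the first line, and "port $ports" with a two-item macro reports the
missing { }; both are the failures described above.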