From owner-freebsd-pf@FreeBSD.ORG Wed Aug 23 15:05:58 2006
From: Michal Mertl
To: beno
Cc: freebsd-pf@freebsd.org
Subject: Re: Another Lists/Macros Question
Date: Wed, 23 Aug 2006 17:05:28 +0200
Message-Id: <1156345528.1543.134.camel@genius.i.cz>
In-Reply-To: <44EC60F9.2080102@2012.vi>
References: <44EB6B18.4030201@2012.vi> <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> <1156318917.1543.11.camel@genius.i.cz> <44EC60F9.2080102@2012.vi>
List-Id: "Technical discussion and general questions about packet filter (pf)"

beno wrote:
> Michal Mertl wrote:
> > Note that no quoting is necessary here and the parser doesn't care much
> > about whitespace. If you run pfctl with "-v" you shall see the macro
> > expansion which should help in understanding the parser and finding out
> > errors.
> >
> That does help! Thanks! Now, throwing that flag with the others (-f and
> -n) I now get the following errors:
>
> set fingerprints /etc/pf.os
> pfctl: /etc/pf.os : No such file or directory

I expect you removed all " characters from the file? Apparently in some
places they matter (e.g. set fingerprints). Maybe the explanation is that
it doesn't require quoting of numbers (including single IP address) but
does require quoting of texts.

Why don't you just make a single modification at a time? It is very
difficult to help you as it is difficult to guess what you have done. We
don't know the exact contents of the file you were loading, by which
command and what was the full output of pfctl.

> /etc/pf.conf:24: syntax error
> Here's that line, which the parser doesn't parse, preceded by other
> lines in question:
> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
> 202.71.106.118 202.71.106.188 203.142.1.8"
> directv_ip_addresses="{ 69.19.0.0/17 }"
> shadday_ip_addresses=""
> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses
> $shadday_ip_addresses
>
> Now, we've been here before, and I was instructed to write the
> directv_ip_address line just so, but now the parser is throwing another
> error based on that very variable yet again! (I have singled it out
> through experimentation.) What doesn't it like this time?

Does the shinjiru_ip_addresses macro definition span multiple lines? If
so, you need to fix it by typing \ at the end of the line which continues
on another.

> /etc/pf.conf:68: syntax error
> pass in quick proto tcp from any to any port = ssh flags S/SA keep state
> (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload
> flush global, if-bound, src.track 3)
>
> when the actual lines I wrote are these:

Does the rule span multiple lines again?

> Here are my questions concerning this much:
> * Why does the parser render "from any to $web_server" as "from any to
> any"? That's not what I specified!

I don't know what you have specified and what was the result.

> * Why does the parser render "port $tcp_ports" as "port = ssh"? That's
> not what I specified, either!

You probably forgot to surround the macro invocation with {} (wrote
"port $macro_with_multiple_ports" instead of
"port { $macro_with_multiple_ports }", without the quotes).

> * Why does the parser automatically reduce my variables max-src-conn and
> max-src-conn-rate (okay because the proportion is the same?)

Probably not. It works for me. All of the following work:

--
set fingerprints "/etc/pf.os"
adrs1 = "{ 69.19.0.0/17 10/8 }"
adrs2 = "69.19.0.0/17 10/8"
adr3 = 1.2.3.4
adrs4 = "1.2.3.4 \
12.5.1.2"
smtp_ports = 25 465
pop3_ports = 110 995
email_ports = $smtp_ports $pop3_ports
pass in proto tcp from any to any port { $email_ports }
pass in proto tcp from any to { $adrs2 }
pass in proto tcp from any to $adrs1
pass in quick proto tcp from any to $adr3 port = ssh flags S/SA keep state \
        (source-track rule, max-src-conn 15, max-src-conn-rate 15/5, \
        overload flush global, if-bound, src.track 3)
--

Michal
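An added example, written for this archive page and not part of Michal's reply or of pf itself: a small Python model of the three pf.conf macro behaviours the reply points at (backslash line continuation, $macro expansion, and the need for { } around a macro that expands to more than one value). It is a simplification, not pfctl's parser, and SAMPLE_CONF is a constructed file, not the poster's real /etc/pf.conf. The point for a firewall operator is that a multi-value macro used bare in a rule does not produce the rule you meant, so the lint reports such uses before the file is loaded; on a real system the authoritative check remains the one the reply names, pfctl with -n, -v and -f, which echoes every rule after macro expansion.

```python
"""Tiny model of three pf.conf macro behaviours the reply points at.

This is a constructed checker, not pfctl: it handles only backslash line
continuation, $macro expansion, and the need for { } around a macro that
expands to more than one value. Anything else in pf.conf is ignored.
"""
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def join_continuations(text):
    """Return (first_line_number, logical_line) pairs, joining lines that end in '\\'."""
    out, buf, start = [], None, 0
    for n, raw in enumerate(text.splitlines(), start=1):
        if buf is None:
            buf, start = '', n
        stripped = raw.rstrip()
        if stripped.endswith('\\'):
            buf += stripped[:-1] + ' '   # drop the backslash, keep collecting
            continue
        out.append((start, buf + raw))
        buf = None
    if buf is not None:                   # file ended right after a '\'
        out.append((start, buf))
    return out


def unquote(value):
    """Strip one pair of surrounding double quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def expand(text, macros):
    """Replace $name with its value; names never defined are left as-is."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), text)


def parse_pf_conf(text):
    """Return (macros, rules); rules are (line_number, raw_line, expanded_line)."""
    macros, rules = {}, []
    for lineno, line in join_continuations(text):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = MACRO_DEF.match(line)
        if m:
            # Definitions may list other macros bare, like
            # email_ports = $smtp_ports $pop3_ports in the reply above.
            value = expand(unquote(m.group(2)), macros)
            macros[m.group(1)] = ' '.join(value.split())
        else:
            rules.append((lineno, line, ' '.join(expand(line, macros).split())))
    return macros, rules


def lint_pf_conf(text):
    """Return (line_number, problem, macro) for each pitfall the model knows."""
    macros, rules = parse_pf_conf(text)
    findings = []
    for lineno, raw, _ in rules:
        for m in MACRO_REF.finditer(raw):
            name = m.group(1)
            if name not in macros:
                findings.append((lineno, 'undefined', name))
                continue
            value = macros[name]
            # A macro that carries its own braces ("{ a b }") may be used bare.
            is_list = len(value.split()) > 1 and not value.startswith('{')
            before = raw[:m.start()]
            in_braces = before.count('{') > before.count('}')
            if is_list and not in_braces:
                findings.append((lineno, 'unbraced-list', name))
    return findings


# Constructed sample, not the poster's real /etc/pf.conf.
SAMPLE_CONF = """\
# constructed sample
tcp_ports = "ssh http"
web_server = 10.0.0.5
adrs4 = "1.2.3.4 \\
12.5.1.2"
ssh_ip_addresses = $web_server $adrs4
pass in proto tcp from any to $web_server port $tcp_ports
pass in proto tcp from any to $web_server port { $tcp_ports }
pass in proto tcp from any to { $adrs4 }
pass in proto tcp from any to $ssh_ip_addresses
pass in proto tcp from any to $undefined_macro
"""

if __name__ == '__main__':
    macros, rules = parse_pf_conf(SAMPLE_CONF)
    for lineno, _, expanded in rules:
        print(f'{lineno:3}: {expanded}')      # roughly what pfctl -v echoes
    for lineno, problem, name in lint_pf_conf(SAMPLE_CONF):
        print(f'line {lineno}: {problem}: ${name}')
```

Running it flags lines 7 and 10 of the sample (multi-value macros used without braces) and line 11 (a macro that was never defined), while the braced uses on lines 8 and 9 pass. Line numbers refer to the original file, not to the joined logical lines, so they line up with what pfctl reports.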