Date:      Wed, 23 Aug 2006 12:26:42 -0400
From:      beno <zope@2012.vi>
To:        freebsd-pf@freebsd.org
Subject:   Re: Another Lists/Macros Question
Message-ID:  <44EC81C2.5050105@2012.vi>
In-Reply-To: <1156345528.1543.134.camel@genius.i.cz>
References:  <44EB6B18.4030201@2012.vi> <8eea04080608221517rd487cf1v35f5372c1a5bb157@mail.gmail.com> <1156318917.1543.11.camel@genius.i.cz> <44EC60F9.2080102@2012.vi> <1156345528.1543.134.camel@genius.i.cz>

Michal Mertl wrote:
> beno wrote:
>   
>> Michal Mertl wrote:
>>     
>>> Note that no quoting is necessary here and the parser doesn't care much
>>> about whitespace. If you run pfctl with "-v" you shall see the macro
>>> expansion which should help in understanding the parser and finding out
>>> errors.
>>>   
>>>       
>> That does help! Thanks! Now, throwing that flag with the others (-f and 
>> -n) I now get the following errors:
>>
>> set fingerprints  /etc/pf.os
>> pfctl:  /etc/pf.os : No such file or directory
>>     
>
> I expect you removed all " characters from the file? Apparently in some
> places they matter (e.g. set fingerprints). Maybe the explanation is
> that it doesn't require quoting of numbers (including single IP address)
> but does require quoting of texts.
>   
This is interesting! No...here's the line I had written:

set fingerprints  " /etc/pf.os "

and *that* doesn't work! Why? The s_p_a_c_e_s!!! (So much for the parser not being particular about spacing, either.) This works:

set fingerprints  "/etc/pf.os"

Go figure! I guess the parser is v_e_r_y particular ;)


>> /etc/pf.conf:24: syntax error
>> Here's that line, which the parser doesn't parse, preceded by other 
>> lines in question:
>> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
>> directv_ip_addresses="{ 69.19.0.0/17 }"
>> shadday_ip_addresses=""
>> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses
>>
>> Now, we've been here before, and I was instructed to write the 
>> directv_ip_address line just so, but now the parser is throwing another 
>> error based on that very variable yet again! (I have singled it out 
>> through experimentation.) What doesn't it like this time?
>>     
>
> Does shinjiru_ip_addresses macro definition span multiple lines?  If so,
> you need to fix it by typing \ at the end of the line which continues on
> another.
>   
No...it's all in one line. Also this works (changing only the line below):

ssh_ip_addresses= $shinjiru_ip_addresses $shadday_ip_addresses

So, the problem is *only* the variable $directv_ip_addresses, which I 
excluded in this example. Again, this matter was supposedly put to rest 
in an earlier communication with the list, but it has resurrected itself :(
>   
>> /etc/pf.conf:68: syntax error
>> pass in quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, if-bound, src.track 3)
>>
>> when the actual lines I wrote are these:
>>     
>
> Does the rule span multiple lines again?
>   
Yes, written as follows:
pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

Even when I make it all one line, like this:
pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

it throws a "syntax error" (no further details this time..?)
>> Here are my questions concerning this much:
>> * Why does the parser render "from any to $web_server" as "from any to 
>> any"? That's not what I specified!
>>     
>
> I don't know what you have specified and what was the result.
>   
I specified this:
pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

and this previously:
web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
all_http_ports= $http_ports $https_ports
tcp_ports=  $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports

so I would have expected it to render this:
...from any to 202.71.106.119 port 80 8080 7080 22 21 8021 7021 443 993 143 flags S/SA...
[see below before commenting]
>   
>> * Why does the parser render "port $tcp_ports" as "port = ssh"? That's 
>> not what I specified, either!
>>     
>
> You probably forgot to surround the macro invocation with {} (wrote
> "port $macro_with_multiple_ports" instead of "port
> { $macro_with_multiple_ports }" (without quotes).
>   
Now, *that* worked! That yielded the result I was expecting, as noted above!
>   
>> * Why does the parser automatically reduce my variables max-src-conn and 
>> max-src-conn-rate (okay because the proportion is the same?)
>>     
>
> Probably not. It works for me.
>   
And me now, with the curly braces.
So, the only problem left, thus far, is the one above concerning the macro $directv_ip_addresses.
Everything else in my initial pf.conf works FINE now!
TIA,
beno
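As an added illustration (not pfctl's code, and not anything from the thread's author), here is a small Python model of the two pfctl lexer behaviours that, as I read pfctl's parser, account for every error above: a `$macro` reference is substituted as raw text and lexed again, so braces stored inside a macro value reappear as list punctuation wherever the macro is used, including inside another macro definition, where only plain words are accepted; and whitespace inside double quotes is literal, so `" /etc/pf.os "` names a file with a leading and trailing space. The macro lines are constructed from the thread (only two of the Shinjiru hosts are kept), the names `lex`, `define`, `load`, `port_clause`, `fingerprints_path` and `ssh_list_after_fix` are this example's own, and the model leaves out port ranges, operators and tables.

```python
"""Model of pf.conf macro handling (added illustration, not pfctl).

Two lexer behaviours explain the errors in the thread:
  1. a $macro reference is replaced by the macro's raw text, which is then
     lexed again, so a value of "{ a }" becomes the tokens '{' 'a' '}'
     at the point of use;
  2. inside double quotes whitespace is literal and the whole quoted run
     is one token.
The macro lines below are constructed from the thread.
"""
import re

PUNCT = {"{", "}", ","}                      # list punctuation, never a word
WORD = re.compile(r'[^\s{},"$]+')
MACRO_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


class PfSyntaxError(Exception):
    pass


def lex(text, macros):
    """Tokenise one clause, expanding $name by re-lexing the macro's value."""
    tokens, i = [], 0
    while i < len(text):
        c = text[i]
        if c.isspace():
            i += 1
        elif c == '"':
            j = text.find('"', i + 1)
            if j < 0:
                raise PfSyntaxError("unterminated quote")
            tokens.append(text[i + 1:j])          # spaces kept verbatim
            i = j + 1
        elif c in PUNCT:
            tokens.append(c)
            i += 1
        elif c == "$":
            m = MACRO_REF.match(text, i)
            if not m or m.group(1) not in macros:
                raise PfSyntaxError("macro not defined near %r" % text[i:i + 24])
            tokens.extend(lex(macros[m.group(1)], macros))   # re-lex the value
            i = m.end()
        else:
            m = WORD.match(text, i)
            tokens.append(m.group(0))
            i = m.end()
    return tokens


def define(macros, line):
    """`name = value`: the right-hand side is lexed now (macros in it are
    expanded at definition time) and must consist of plain words, which are
    stored joined by single spaces; mirrors pfctl's varset rule as I read it."""
    name, _, rhs = line.partition("=")
    name = name.strip()
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise PfSyntaxError("bad macro name %r" % name)
    words = lex(rhs, macros)
    bad = [t for t in words if t in PUNCT]
    if bad:
        raise PfSyntaxError("macro %s: %r from an expanded macro is not a word"
                            % (name, bad[0]))
    macros[name] = " ".join(words)
    return macros[name]


def load(lines):
    macros = {}
    for line in lines:
        define(macros, line)
    return macros


def port_clause(tokens):
    """Ports named by `port ...`: more than one port must be inside braces.
    Ranges and operators (port 1024:65535, port = ssh) are not modelled."""
    if not tokens or tokens[0] != "port":
        raise PfSyntaxError("not a port clause")
    body = tokens[1:]
    if len(body) >= 3 and body[0] == "{" and body[-1] == "}":
        inner = [t for t in body[1:-1] if t != ","]
        if any(t in PUNCT for t in inner):
            raise PfSyntaxError("nested braces in port list")
        return inner
    if len(body) == 1 and body[0] not in PUNCT:
        return body
    raise PfSyntaxError("several ports must be written as port { ... }")


THREAD_MACROS = [          # constructed from the thread (two hosts kept)
    'web_server="202.71.106.119"',
    'http_ports="80 8080 7080"',
    'ssh_ports="22"',
    'ftp_ports="21 8021 7021"',
    'https_ports="443"',
    'imap_ssl_ports="993 143"',
    'all_http_ports= $http_ports $https_ports',
    'tcp_ports=  $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports',
    'shinjiru_ip_addresses="202.71.102.114 202.71.100.126"',
    'directv_ip_addresses="{ 69.19.0.0/17 }"',
    'shadday_ip_addresses=""',
]
SSH_LINE = ('ssh_ip_addresses= $shinjiru_ip_addresses '
            '$directv_ip_addresses $shadday_ip_addresses')


def fingerprints_path(macros, line):
    """The file name a `set fingerprints` line would try to open."""
    toks = lex(line, macros)
    if toks[:2] != ["set", "fingerprints"] or len(toks) != 3:
        raise PfSyntaxError("bad set fingerprints line")
    return toks[2]


def ssh_list_after_fix(macros):
    """Store directv without braces, brace at the point of use instead."""
    define(macros, 'directv_ip_addresses="69.19.0.0/17"')
    define(macros, SSH_LINE)
    return lex("from { $ssh_ip_addresses }", macros)


if __name__ == "__main__":
    m = load(THREAD_MACROS)
    print(repr(fingerprints_path(m, 'set fingerprints " /etc/pf.os "')))
    print(port_clause(lex("port { $tcp_ports }", m)))
    for broken in (lambda: port_clause(lex("port $tcp_ports", m)),
                   lambda: define(m, SSH_LINE)):
        try:
            broken()
        except PfSyntaxError as e:
            print("syntax error:", e)
    print(ssh_list_after_fix(m))
```

The takeaway is the same rule that fixed `port { $tcp_ports }`: keep list braces out of macro values and add them where the macro is used, then confirm with `pfctl -nvf /etc/pf.conf`, which prints each rule after macro expansion without loading it.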


