From owner-freebsd-pf@FreeBSD.ORG Tue Feb 8 01:00:07 2005
Date: Mon, 7 Feb 2005 19:01:12 -0600
From: Jay
To: freebsd-pf@freebsd.org
Subject: rule ordering
Message-ID: <20050208010112.GC17904@mail.meangrape.com>
List-Id: Technical discussion and general questions about packet filter (pf)

I'm putting in a NAT rule for the first time. My pf.conf is just edited
from the original. When I insert the NAT rule and run pfctl -n -f
/etc/pf.conf, I get the following error message:

/etc/pf.conf:62: Rules must be in order: options, normalization,
queueing, translation, filtering

A perfectly understandable error message -- queuing should be before
translation. As in the following snippet from my pf.conf:

# Queueing: rule-based bandwidth control.
altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
	keep state queue (q_def, q_pri)
pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
	keep state queue (q_def, q_pri)

# Translation: specify how addresses are to be mapped or redirected.
nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161

Yup. Looks like queueing before translation. But that's the snippet that
throws the error. If I comment out all of the ALTQ rules, pfctl -n -f
/etc/pf.conf works fine. Also the same if I comment out the NAT rule.

My full pf.conf is available at
http://www.meangrape.com/Members/jayed/configurations/pf.conf/

(Yeah, I know, I know -- things probably look ugly -- no, I don't know
why that comment or rule is in there any more -- I'm constantly playing
around with it -- I'm not obfuscating the IPs because that's a stupid
idea...if my firewall works, it works; hiding the IPs isn't going to make
a difference. However, if anyone feels the urge to provide constructive
criticism, I'm all ears).

-- 
Jay.
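Added example, not from the post or from pf itself: a small Python checker that classifies pf.conf rules by section in the order the error message lists them and reports the first rule that appears after a later section, then stable-sorts the rules so the file loads. It assumes the keyword-to-section mapping of pf.conf(5) (set, scrub, altq/queue, nat/binat/rdr, block/pass/antispoof) and uses the posted snippet as constructed input; the point it shows is that "pass ... queue (...)" rules are filter rules, not queueing rules, so pfctl stops at the nat line that follows them even though the altq and queue definitions are in the right place.

```python
import re

# Section rank, in the order pf.conf(5) requires the sections to appear.
SECTIONS = ["options", "normalization", "queueing", "translation", "filtering"]
RANK = {"set": 0, "scrub": 1, "altq": 2, "queue": 2,
        "nat": 3, "binat": 3, "rdr": 3, "block": 4, "pass": 4, "antispoof": 4}
MACRO_RE = re.compile(r"^\w+\s*=")

def logical_lines(text):
    """Yield (lineno, rule) with backslash continuations joined; blanks and comments skipped."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = start if buf else n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rule, buf = (buf + line).strip(), ""
        if rule:
            yield start, rule

def rank_of(rule):  # -1 for macros and for keywords this checker ignores
    return -1 if MACRO_RE.match(rule) else RANK.get(rule.split()[0], -1)

def check_order(text):
    """None if sections are in order, else (lineno, section found, section already seen)."""
    highest = 0
    for n, rule in logical_lines(text):
        rank = rank_of(rule)
        if 0 <= rank < highest:  # pfctl reports this line; the cause is the earlier rule
            return n, SECTIONS[rank], SECTIONS[highest]
        highest = max(highest, rank)
    return None

def reorder(text):  # stable-sort rules by section so the file loads; comments are dropped
    rules = sorted(logical_lines(text), key=lambda nr: rank_of(nr[1]))
    return "\n".join(rule for _, rule in rules) + "\n"

# The snippet from the post, as constructed sample input (macro line added).
POSTED = """\
ext_1 = "rl1"
# Queueing: rule-based bandwidth control.
altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \\
    keep state queue (q_def, q_pri)
pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \\
    keep state queue (q_def, q_pri)
nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
"""
```

check_order(POSTED) returns (10, 'translation', 'filtering'): the nat rule on line 10 is a translation rule met after filtering rules, which is the same complaint pfctl makes; check_order(reorder(POSTED)) returns None because the nat rule now sits between the queue definitions and the pass rules.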