From owner-freebsd-pf@FreeBSD.ORG Wed Nov 30 00:00:47 2005
From: Forrest Aldrich
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Nov 2005 19:01:49 -0500
Subject: Re: Variable parsing difference between OpenBSD and FreeBSD?
Message-ID: <438CEBED.6030002@forrie.com>
In-Reply-To: <20051129235807.GH23781@insomnia.benzedrine.cx>
References: <438CE6CA.2030508@forrie.com> <20051129234513.GG23781@insomnia.benzedrine.cx> <438CE8D5.6050605@forrie.com> <20051129235807.GH23781@insomnia.benzedrine.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Sorry, I meant to say that I'm not using "netris" (that was just an example).

The filters "fail" in that only traffic for imap and possibly smtp got through; the rest did not. I wasn't able to figure out "why" in that case, as when I added the commas it works fine now.

Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 06:48:37PM -0500, Forrest Aldrich wrote:
>
>> Yes, it was the only variable that I changed. Once I added the commas,
>> it works like a charm.
>>
>> But see my previous post - maybe there's a connection. Where I can't
>> get to my public address via the private net (I have my pf.conf posted,
>> pre-comma addition).
>>
>
> Well, "it fails" is not a very precise description. Does pfctl refuse to
> load the ruleset and produce an error message? If so, please provide the
> precise error message it prints.
>
> For instance, if I use the symbolic port name "netris" from the OpenBSD
> example (which isn't in FreeBSD's /etc/services), I get
>
> # pfctl -nvf /etc/pf.conf
> tcp_services = "imap imaps http netris"
> /etc/pf.conf:3: unknown port netris
>
> # cat -n /etc/pf.conf | grep -B 1 -A 1 '^ * 3'
> 2 rdr pass on gem0 inet proto tcp from any to 10.1.1.60 \
> 3 port { $tcp_services } -> 10.1.1.60
>
> If it's not a syntax problem pfctl complains about, please explain how
> "it fails", i.e. what you expect it to do and what you observe it doing
> that differs from expectations. I can't imagine how the commas make a
> semantic (but not a syntactic) difference.
>
> Daniel
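The parse-check-then-locate routine Daniel describes (pfctl -nvf, then matching the reported line number against the file) can be wrapped so a ruleset is never loaded unchecked. This is an added example, not code from the thread or from pf; the sample pf.conf is constructed, and the "file:LINE: message" error format is assumed from the output quoted above.

```shell
#!/bin/sh
# Added example: validate a pf ruleset with `pfctl -n` before loading it,
# and show the offending line in context when parsing fails.

# Constructed sample ruleset using the space-separated list form from the
# thread, including "netris", which FreeBSD's /etc/services does not define.
make_sample_conf() {
    cat > "$1" <<'EOF'
tcp_services = "imap imaps http netris"
rdr pass on gem0 inet proto tcp from any to 10.1.1.60 \
    port { $tcp_services } -> 10.1.1.60
pass in proto tcp from any to 10.1.1.60 port { $tcp_services }
EOF
}

# Extract the line number from a pfctl parse error such as
# "/etc/pf.conf:3: unknown port netris" (assumed format). Prints nothing
# when no "file:LINE:" prefix is present.
pf_error_line() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:\([0-9][0-9]*\):.*/\1/p' | head -n 1
}

# Print lines N-1..N+1 of a file with numbers, the same thing the manual
# "cat -n | grep -B 1 -A 1" in the thread does.
show_context() {
    awk -v n="$2" 'NR >= n-1 && NR <= n+1 { printf "%6d  %s\n", NR, $0 }' "$1"
}

# Parse-check the ruleset without loading it. Returns 0 if pfctl accepts it,
# 1 on a parse error (error and context go to stderr), 2 if pfctl is absent.
pf_check() {
    conf="$1"
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not available; cannot check $conf" >&2
        return 2
    fi
    err=$(pfctl -nvf "$conf" 2>&1) && return 0
    printf '%s\n' "$err" >&2
    line=$(pf_error_line "$err")
    [ -n "$line" ] && show_context "$conf" "$line" >&2
    return 1
}

# Usage on a pf host: pf_check /etc/pf.conf && pfctl -f /etc/pf.conf
```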