13th December 2011
J65nko (Administrator)

In normal pf rules labels come last. An example from my workstation pf.conf
Code:
pass out quick on egress inet proto tcp from egress to any port www label "$nr:$proto:WWW"
pass out quick on egress inet proto tcp from egress to any port imaps label "$nr:$proto:IMAPS"
pass out quick on egress inet proto tcp from egress to any port https label "$nr:$proto:HTTPS"
pass out quick on egress inet proto tcp from egress to any port smtp label "$nr:$proto:SMTP"
In the BNF at the end of the 4.3 pf.conf man page, label is part of the definition of filteropt and filteropt-list:
Code:
     filteropt-list = filteropt-list filteropt | filteropt

     filteropt      = user | group | flags | icmp-type | icmp6-type | tos |
                      ( "no" | "keep" | "modulate" | "synproxy" ) "state"
                      [ "(" state-opts ")" ] |
                      "fragment" | "no-df" | "min-ttl" number |
                      "max-mss" number | "random-id" | "reassemble tcp" |
                      fragmentation | "allow-opts" |
                      "label" string | "tag" string | [ ! ] "tagged" string |
                      "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                      "rtable" number | "probability" number"%"
The BNF for a pf rule states:
Code:
     pf-rule        = action [ ( "in" | "out" ) ]
                      [ "log" [ "(" logopts ")"] ] [ "quick" ]
                      [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ]
                      hosts [ filteropt-list ]
So the label is one of the last things in a pf rule.

Now look at the BNF for the 4.3 rdr statement:
Code:
     rdr-rule       = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                      [ "on" ifspec ] [ af ]
                      [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                      [ "->" ( redirhost | "{" redirhost-list "}" )
                      [ portspec ] [ pooltype ] ]
Neither a filteropt nor a label to be seen.

PS: The 4.3 pf.conf manual can be found at http://www.openbsd.org/cgi-bin/man.c...86&format=html
No need to resurrect an old pf.conf faq
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
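As an added example (not part of J65nko's post), here is a pf.conf fragment written against the 4.3 grammar quoted above. The macro values and the web server on port 8080 are assumptions for illustration. It shows the form the rdr-rule BNF rejects next to the usual way of getting a label onto redirected traffic on that release: leave the rdr rule unlabelled and put the label on the filter rule that passes the translated connection, in the filteropt-list position after the hosts. $nr and $proto inside the label string are pf's own label macros (rule number and protocol), expanded when the ruleset is loaded.

```conf
# Added example, not from the original post; macro values are assumptions
ext_if    = "em0"
webserver = "192.168.1.10"

# NOT valid on 4.3: rdr-rule has no filteropt-list, so "label" is a syntax error
# rdr on $ext_if inet proto tcp from any to ($ext_if) port www -> $webserver port 8080 label "$nr:$proto:WWW"

# Translate first; the rdr rule itself carries no label
rdr on $ext_if inet proto tcp from any to ($ext_if) port www -> $webserver port 8080

# Filter rules evaluate the already translated packet (dst $webserver port 8080),
# so the label goes on the pass rule, after hosts, where the pf-rule BNF allows it
pass in quick on $ext_if inet proto tcp from any to $webserver port 8080 keep state label "$nr:$proto:WWW-rdr"
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, so the commented-out rdr line can be uncommented to see the parser reject it; after loading, `pfctl -s labels` prints the per-label packet and byte counters, which is what the label buys you for the redirected traffic.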