Thread: pf config error
View Single Post
  #1   (View Single Post)  
Old 29th August 2009
Stellar Stellar is offline
Port Guard
 
Join Date: Aug 2009
Posts: 26
Default pf config error

my box setup only have 1 nic detected as em0,i will add more ethernet card as soon i finished all the server setup,for know the nic i used both for internal and internet traffic,search arround found an article on : http://bash.cyberciti.biz/firewall/pf-firewall-script/ , added some slight modification,here we goes :
Code:
#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
 
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.blockip.conf"
 
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
 
### admin server ranges ###
adminrange = "192.168.1.1/24"
 
# connected to internet
ext_if = "em0"
 
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
 
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
 
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
 
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
 
# Drop incoming everything
block in all
block return 
 
# keep stats of outgoing connections
pass out keep state
 
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
 
# unlimited traffic  for loopback and lan / vpn
set skip on {lo0, $ext_if}
 
# activate spoofing protection for all interfaces
block in quick from urpf-failed
 
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
 
#Block RFC 1918 addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
 
# Block all ips
# pfctl -t blockedip -T show
block drop in log (all)  quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
 
# allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
 
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
 
# Allow admin to get into box
pass in on $ext_if from $adminrange to any
 
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
boom!error
Quote:
-bash-3.2# pfctl -vf /etc/pf.conf
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
table <blockedip> persist file "/etc/pf.blockip.conf"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
adminrange = "192.168.1.1/24"
ext_if = "em0"
/etc/pf.conf:27: syntax error
set skip on { lo0 em0 }
/etc/pf.conf:54: syntax error
/etc/pf.conf:81: syntax error
pfctl: Syntax error in config file: pf rules not loaded
as you can see there is 3 error,but i have no idea to debug the error,like the first error if translate correctly 27 as line no? line 27 is empty space,line 54 is this comment "#Block RFC 1918 addresses" ,and 81 is eof :/

Last edited by J65nko; 29th August 2009 at 08:20 PM. Reason: Replaced php code block by normal code
Reply With Quote