Old 30th March 2009
Quaxo
Port Guard
Join Date: Jun 2008
Posts: 29
A PF packet tagging (policy filtering) question...


I'm experimenting with the rules for packet tagging, but when I check the syntax of the rules I get errors...

/# pfctl -n -f /etc/pf.conf.test
/etc/pf.conf.test:102: syntax error
/etc/pf.conf.test:105: syntax error
/etc/pf.conf.test:108: syntax error
These lines correspond to my packet tagging experiment rules in the file /etc/pf.conf.test ...

# Tag roper -> inet
block out on $ext_if from $my_ip tag ROPER_to_INET # line 99

   # Allow roper -> inet DNS
   pass quick tagged ROPER_to_INET proto udp to $dns_ip port domain  # line 102

   # Allow roper -> inet NTP
   pass quick tagged ROPER_to_INET proto udp to $ntp_ip port ntp # line 105

   # Allow roper -> inet pkg_add
   pass quick tagged ROPER_to_INET proto tcp to $pkg_ip # line 108
"roper" is the router/firewall. "inet" is the internet. The idea here is to tag all packets that originate from Roper and are destined to the internet (i.e. line 99), then have "secondary rules" that decide which of those tagged packets are allowed to pass out to the internet (i.e. lines 102, 105 and 108). Can anyone see why I get syntax errors here?

Thanks in advance
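In the pf.conf(5) grammar, `tag` and `tagged` are filter options, and filter options come after the address part of a rule (`proto ... from ... to ... port ...`), not before it. Line 99 parses because `tag` already sits at the end; lines 102, 105 and 108 fail because `tagged` is placed before `proto`. The following is an added example written for this page (not the poster's file or an official OpenBSD sample) showing the same three rules in the accepted order; the macros `$ext_if`, `$my_ip`, `$dns_ip`, `$ntp_ip` and `$pkg_ip` are assumed to be defined earlier in the file, as in the post.

```pf
# Added example, not from the original post. Macros $ext_if, $my_ip,
# $dns_ip, $ntp_ip and $pkg_ip are assumed to be defined above.

# Tag roper -> inet. "tag" is a filter option, so it follows the
# address part; this rule is not "quick", so later rules still match.
block out on $ext_if from $my_ip tag ROPER_to_INET

# Allow roper -> inet DNS. "tagged" is also a filter option and goes
# after "proto ... to ... port ...". "quick" ends evaluation on match,
# so only these flows escape the block rule above.
pass out quick proto udp to $dns_ip port domain tagged ROPER_to_INET

# Allow roper -> inet NTP
pass out quick proto udp to $ntp_ip port ntp tagged ROPER_to_INET

# Allow roper -> inet pkg_add
pass out quick proto tcp to $pkg_ip tagged ROPER_to_INET
```

The block rule must stay above the pass rules: a packet is tagged when the block rule matches, and the tag is sticky, so the later `tagged` rules can see it. Any tagged packet that no `quick` pass rule accepts falls back to the block rule as the last matching rule, which gives the default-deny outbound policy the post describes. Re-run `pfctl -n -f /etc/pf.conf.test` to confirm the file now parses; adding `-v` (`pfctl -vnf /etc/pf.conf.test`) prints each rule as pfctl understood it, which is a quick way to check that the tag and direction landed where intended.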