Pf.conf:29 syntax error
Greetings to All,
I'm running OpenBSD 5.2 GENERIC #339 i386. I'm trying to build my pf.conf. I have tried using the one posted here by Oko: http://www.daemonforums.org/showthread.php?t=4187 When I input the statement:
Code:
scrub in all random-id fragment reassemble
scrub out all random-id fragment reassemble
Code:
pfctl -f /etc/pf.conf
http://www.openbsd.gr/faq/pf/scrub.html
So I used the simple statement:
Code:
scrub in all
Code:
Pf.conf:29 syntax error
pfctl: Syntax error in config file: pf rules not loaded
Questions: What am I doing wrong? Are all the rules not loaded because of this error?
Thank you and regards to all
__________________
Speak softly and carry BSD!
www.openbsd.gr is NOT up to date. Look at the timestamp on that webpage:
Code:
$OpenBSD: scrub.html,v 1.15 2008/07/30 10:35:44 nick Exp $
Please forgive me, I don't understand.
You mentioned: Quote:
I did a man pf and I get PF(4). Thanks...
__________________
Speak softly and carry BSD!
The PF User's Guide has an example of the match filter used with scrub. Note, please, that the PF User's Guide is only for the most recent release, which at this time is OpenBSD 5.2. (OpenBSD 5.3 is expected to be released on or about 1 May.)
The options for scrub can be found in the PACKET NORMALIZATION section of the pf.conf(5) man page, which has a second example of the match filter used with scrub and a different set of normalization options. A third example may be found in the EXAMPLES section of the man page. Lastly, the definitive syntax for scrub may be found in the GRAMMAR section of the man page.
Quote:
You asked for advice on your pf.conf. I noticed:
Thanks for your prompt and instructive response.
You wrote: You are using RFC 1918 addresses (192.168) without defining any Network Address Translation rules. This will likely be a problem.
I have to study how to do this definition.
You also mentioned: Your $internal_network and $external_network macros are defined but never used. This should not cause any problems; it merely tends to indicate you built your pf.conf file with copy/paste.
I thought that copy/paste was too easy, and on top of that I could not SSH into the OBSD box, so I typed them in with the hope of understanding the commands as I read along with the manual. I also did it this way so that I can test each individual rule to make sure that the syntax was correct. I'm paying my dues. I'm still trying to understand how to safely use the defined macros/tables. What I am working towards is to put a web and ftp server on the DMZ, which I have not defined just yet. I really do appreciate your comments.
Regards,...
__________________
Speak softly and carry BSD!
Quote:
Code:
block return in quick on $int_if proto tcp from ! 192.168.2.1 \
    to $int_if port ssh
I recommend adding comments for the purpose of every rule. That way, several years from now, you won't have to ask yourself, "WTF?!!?" when you read the rule set.
Lastly, I do see a nat-to rule after all; it's the last rule in your set. My apologies. I guess I'm used to seeing NAT in match rules at the top of a ruleset, rather than as a pass rule at the bottom.
Jggimi thanks again,
Prior to my last post I did some troubleshooting since I could not SSH into the box, by enabling DHCP. That was a no go. I then disabled pf and had the same problem. So it had to be the cable; changed the cable and it was all good. The only issue I have is that it takes about 15+ seconds after I initiate Putty, with the username, to get a response for the password.
You are absolutely right. Your last response alerted me that I should have documented my rules. I'm in the process of doing that to prevent that WTF! It will also aid me in reinforcing my learning. Quote:
I defined Macros, Tables, Queueing, Filtering. Should I create another section? Or where in the defined sections should I place NAT rules?
Regards,...
__________________
Speak softly and carry BSD!
Quote:
http://home.nuug.no/~peter/pf/ You will find examples where he discusses rule sets utilizing NAT. The above manuscript was also the basis for Hansteen's book, The Book of PF.
Quote:
Historically, NAT and packet normalizations had their own rules that came before the filter set, so when we migrated to match we all left them in the same location, ahead of the pass/block rules. The match rules differ from block/pass in that the parameters they set always apply; the "last matching" rule does not apply to them. (I note Peter Hansteen uses match rules and puts them in above all block/pass rules also. Anything Peter does with PF is, to me, a Best Practice.)
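Editor's note, added to this thread and not part of anyone's post or of Oko's ruleset: the ruleset below shows the points raised above in one place, the pre-4.6 `scrub in all ...` line that pfctl on 5.2 rejects as a syntax error, its `match ... scrub (...)` replacement, NAT as a `match ... nat-to` rule placed ahead of the filter rules, and a comment on every rule. The interface names em0/em1, the macro names, and the 192.168.2.0/24 range are assumptions made for the example; only the 192.168.2.1 admin host comes from the rule quoted in this thread.

```pf
# pf.conf for OpenBSD 5.2 -- worked example, assumed names and addresses

# Macros (assumed)
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.2.0/24"
admin   = "192.168.2.1"          # the one host allowed to ssh to $int_if

# Do not filter loopback
set skip on lo

# Packet normalization.  Since OpenBSD 4.6 "scrub" is not a rule of its
# own but an option on a match rule, so the old line fails to parse:
#   scrub in all random-id fragment reassemble      # syntax error on 5.2
# IP fragment reassembly is now a global setting (on by default):
set reassemble yes
# The remaining normalizations attach to a match rule:
match in all scrub (no-df random-id max-mss 1440)

# NAT for the RFC 1918 LAN.  Also a match rule; the parameters set by a
# match rule stick to the packet no matter which pass/block rule wins
# later, so it belongs up here with the normalization.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Filter rules: last matching rule wins, unless a rule says "quick".
# Default deny, logged, so anything not explicitly passed shows up in pflog.
block return log all

# Let the firewall itself and NATed LAN traffic out to the Internet.
pass out quick on $ext_if inet

# Accept LAN traffic arriving on the internal interface.
pass in on $int_if inet from $int_net to any

# Only the admin host may reach sshd on the internal address; "quick"
# makes this block final before the pass rule below can apply.
block return in quick on $int_if proto tcp from ! $admin \
    to $int_if port ssh
pass in on $int_if inet proto tcp from $admin to $int_if port ssh
```

Check the file without loading it with `pfctl -nf /etc/pf.conf` (add `-v` to print each rule as pfctl parsed it, macros expanded). A syntax error is reported with its line number, and the load is atomic: when pfctl prints "pf rules not loaded", nothing from the new file is installed and the ruleset already in the kernel stays exactly as it was.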
Greetings to All,
I finally figured out why:
Code:
scrub in all
Code:
Pf.conf:29 syntax error
pfctl: Syntax error in config file: pf rules not loaded
http://home.nuug.no/~peter/pf/en/scrub.html
Solved!
__________________
Speak softly and carry BSD!