|||
pf.conf label question
Hello
I have the following rule in my pf.conf (on OpenBSD 4.3)
Code:
rdr pass on $new_if proto tcp from any to 123.123.123.33 port {80,443} -> 10.0.0.99
Code:
rdr pass on $new_if proto tcp from any to 123.123.123.33 port {80,443} label test -> 10.0.0.99
pfctl: Syntax error in config file: pf rules not loaded
Any ideas how I can set the label on this rule? I don't want to split it into a rdr and a pass rule. That works, but I want to have it in the same rule. Thanks |
|
|||
OpenBSD 4.3 was released in May 2008, & official support ended May 2009 -- nearly 2.5 years ago. Is there a reason why you are using such an old version?
If you are using information from the current PF Users' Guide, recognize that pf(4) has undergone radical changes in the intervening years. Using information from the current 5.0 Guide will likely not work on OpenBSD 4.3 & vice versa. If you must use OpenBSD 4.3, your best bet is to resurrect the PF Users' Guide from the 4.3 era which can be found at the following: http://www.openbsd.org/cgi-bin/cvsweb/www/faq/pf/ Last edited by ocicat; 13th December 2011 at 06:52 PM. |
|
|||
In normal pf rules, labels come last. An example from my workstation pf.conf
Code:
pass out quick on egress inet proto tcp from egress to any port www label "$nr:$proto:WWW"
pass out quick on egress inet proto tcp from egress to any port imaps label "$nr:$proto:IMAPS"
pass out quick on egress inet proto tcp from egress to any port https label "$nr:$proto:HTTPS"
pass out quick on egress inet proto tcp from egress to any port smtp label "$nr:$proto:SMTP"
Code:
filteropt-list = filteropt-list filteropt | filteropt
filteropt      = user | group | flags | icmp-type | icmp6-type | tos |
                 ( "no" | "keep" | "modulate" | "synproxy" ) "state" [ "(" state-opts ")" ] |
                 "fragment" | "no-df" | "min-ttl" number | "max-mss" number |
                 "random-id" | "reassemble tcp" | fragmentation | "allow-opts" |
                 "label" string | "tag" string | [ ! ] "tagged" string |
                 "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                 "rtable" number | "probability" number"%"
Code:
pf-rule = action [ ( "in" | "out" ) ] [ "log" [ "(" logopts ")"] ] [ "quick" ] [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ] hosts [ filteropt-list ]
Now look at the BNF for the 4.3 rdr statement:
Code:
rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ] [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ] [ "tagged" string ] [ "->" ( redirhost | "{" redirhost-list "}" ) [ portspec ] [ pooltype ] ]
PS: The 4.3 pf.conf manual can be found at http://www.openbsd.org/cgi-bin/man.c...86&format=html No need to resurrect an old pf.conf faq.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
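The two ways of putting a counter on this redirect, as an added example that is not from the thread: the split rdr + pass form that the 4.3 grammar above permits (the filter rule matches the translated destination, since pf translates before it filters), and the single-rule form of OpenBSD 4.7 and later, where redirection became a filter option (rdr-to) and so can share a rule with label. It assumes the OP's addresses and $new_if as the external interface.

```pf
# Added example, not from the thread. Assumes $new_if is the external
# interface and 10.0.0.99 is the internal web server, as in the question.

# OpenBSD 4.3: rdr-rule has no "label" option, so the label (and its
# packet/byte counters) go on the pass rule for the redirected traffic.
# Filtering happens after translation, so match the translated address.
rdr on $new_if proto tcp from any to 123.123.123.33 port { 80, 443 } -> 10.0.0.99
pass in quick on $new_if proto tcp from any to 10.0.0.99 port { 80, 443 } label "web-rdr"

# OpenBSD 4.7 and later (including 5.0): translation is a filter option,
# so one pass rule carries the redirect, the label and the state.
pass in quick on $new_if proto tcp from any to 123.123.123.33 port { 80, 443 } label "web-rdr" rdr-to 10.0.0.99
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and read the per-label counters with `pfctl -s labels`.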
|
|||
I know that it is very old; I'm currently a bit afraid of upgrading the system as it is just working more than perfect. But it's a task for next year to upgrade that server. So in that case I assume that I first need to upgrade and then come back here in case it does not work ;-)
|
|||
Quote:
...& given that pf(4) has gone through major revision itself, study both the User's Guide & manpage as previously mentioned, & build a new pf.conf(5) file from scratch. You will learn from the process & better understand how to modify it later. |
|
|||
Thanks for that information, it's very helpful... As you can assume, I never upgraded OpenBSD, but I just got through the upgrade info from OpenBSD. I think it's fastest to install a fresh 5.0 and copy over the relevant config files ;-)
|
|||
As a final comment, studying the information in Section 4 of the FAQ is also paramount to understanding the install process. Upgrading is nominally discussed there as well.
There is a wealth of information to be found in both the FAQ & Upgrade Guides. Studying these beforehand will alleviate aggravation & prevent blunders. Many of the questions/situations we deal with here are from those that don't take the time to understand the information contained. |
|
|||
Since 4.3, bridge file syntax has changed, among other things in pf.... If you can build out your new version 5 firewall in parallel to the production one and put one non-important host behind it, it's not a bad way to debug/test your new ruleset.
|