DaemonForums

OpenBSD Security

#1
Old 21st December 2013
marciorufino01
New User

Join Date: Nov 2013
Posts: 9

pf on OpenBSD 5.4 does not accept rule

Hi,

I have the following table and rule in pf.conf:
Code:
table <PASS_FTP> { 192.168.20.3 192.168.20.5 192.168.20.6 192.168.20.8 }

pass in quick on $int_if proto tcp from <PASS_FTP> to any port 21 divert-to 127.0.0.1 port 8021
With this rule I allow FTP only from those IPs, but the rule does not load and the following error is displayed:
Code:
pfctl -f /etc/pf.conf
/etc/pf.conf:139: address family mismatch for divert
pfctl: Syntax error in config file: pf rules not loaded
Does anyone know whether it has a syntax error?

Thanks!
#2
Old 21st December 2013
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975

I believe that the filter option divert cannot use a table. Replace the table with a list.
#3
Old 21st December 2013
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

On an old 5.2 snapshot, adding inet fixes the syntax error:
Code:
table <PASS_FTP> { 192.168.20.3 192.168.20.5 192.168.20.6 192.168.20.8 }

pass in quick on $int_if inet proto tcp from <PASS_FTP> to any port 21 divert-to 127.0.0.1 port 8021
A syntax check load:
Code:
#  pfctl -vvnf syntax.pf 
Loaded 710 passive OS fingerprints
int_if = "re0"
table <PASS_FTP> { 192.168.20.3 192.168.20.5 192.168.20.6 192.168.20.8 }
@0 pass in quick on re0 inet proto tcp from <PASS_FTP:0> to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#4
Old 21st December 2013
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975

Excellent solution, J65nko.

Edited to add:
  • If a single IPv4 address is used, inet is assumed.
  • If a list of IPv4 addresses is used, PF expands the list to multiple single-address rules.
  • If a table is used instead, PF requires the explicit inet, as the table could contain either IPv4 or IPv6 addresses. The divert-to filter option does not alter packets; they are required to be diverted within the same address family. In this case, that is IPv4.

Last edited by jggimi; 21st December 2013 at 09:17 PM. Reason: expanded remarks
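The three cases jggimi lists, side by side in one ruleset. This is an added illustration written for this thread, not the original poster's pf.conf; the interface name, the addresses, the second (IPv6) table and the proxy listening on ::1 are all assumed:

```pf
# Added example, not the original poster's ruleset.
# int_if and every address below are assumed for illustration.
int_if = "re0"

# IPv4 hosts allowed to reach FTP servers through the local ftp-proxy.
table <PASS_FTP> { 192.168.20.3 192.168.20.5 192.168.20.6 192.168.20.8 }

# 1. Single IPv4 address: inet is implied, so the rule loads as written.
pass in quick on $int_if proto tcp from 192.168.20.3 to any port 21 \
    divert-to 127.0.0.1 port 8021

# 2. Address list: pf expands it into one single-address rule per entry,
#    and each expanded rule is unambiguously inet.
pass in quick on $int_if proto tcp from { 192.168.20.5, 192.168.20.6 } to any port 21 \
    divert-to 127.0.0.1 port 8021

# 3. Table with no address family: rejected at load time with
#    "address family mismatch for divert", because a table may hold both
#    IPv4 and IPv6 entries while divert-to 127.0.0.1 is IPv4 only.
#    Kept commented out so the file loads.
# pass in quick on $int_if proto tcp from <PASS_FTP> to any port 21 \
#     divert-to 127.0.0.1 port 8021

# 3a. The same table with an explicit inet: loads, and the rule only ever
#     matches IPv4 packets, so any IPv6 entries in the table are never used.
pass in quick on $int_if inet proto tcp from <PASS_FTP> to any port 21 \
    divert-to 127.0.0.1 port 8021

# IPv6 clients need a separate rule in their own family, diverting to an
# IPv6 loopback address (assumed table contents and proxy address).
table <PASS_FTP6> { 2001:db8:20::3 2001:db8:20::5 }
pass in quick on $int_if inet6 proto tcp from <PASS_FTP6> to any port 21 \
    divert-to ::1 port 8021
```

Run pfctl -nf on the file to parse it without loading, or pfctl -vvnf as J65nko did above to see the expanded rules and confirm the address family that each one ended up with, before loading it with pfctl -f.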
#5
Old 22nd December 2013
marciorufino01
New User

Join Date: Nov 2013
Posts: 9

J65nko, thanks for the reply.