rule ordering
Jay
jay at meangrape.com
Mon Feb 7 17:00:08 PST 2005
I'm putting in a NAT rule for the first time. My pf.conf is just edited
from the original.
When I insert the NAT rule and run pfctl -n -f /etc/pf.conf, I get the
following error message:
/etc/pf.conf:62: Rules must be in order: options, normalization,
queueing, translation, filtering
A perfectly understandable error message -- queuing should be before
translation. As in the following snippet from my pf.conf:
# Queueing: rule-based bandwidth control.
altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
keep state queue (q_def, q_pri)
pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
keep state queue (q_def, q_pri)
# Translation: specify how addresses are to be mapped or redirected.
nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
Yup. Looks like queueing before translation. But that's the snippet
that throws the error. If I comment out all of the ALTQ rules, pfctl -n
-f /etc/pf.conf works fine. Also the same if I comment out the NAT
rule.
My full pf.conf is available at
http://www.meangrape.com/Members/jayed/configurations/pf.conf/
(Yeah, I know, I know -- things probably look ugly -- no, I don't know
why that comment or rule is in there any more -- I'm constantly playing
around with it -- I'm not obfuscating the IPs because that's a stupid
idea...if my firewall works, it works; hiding the IPs isn't going to
make a difference. However, if anyone feels the urge to provide
constructive criticism, I'm all ears).
--
Jay.
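As an added example, not part of the original post: the ordering error comes from the two `pass ... queue` rules, which are filter rules even though they assign packets to queues; only the `altq` and `queue` lines belong to the queueing section, so the `nat` rule that follows them arrives after filtering has started. The Python below (an assumed stand-in, not a pf tool) reproduces that section check on the rules from the post and reports the offending rule.

```python
# Added example (not from the original post): checks the section order pfctl
# enforces (options, normalization, queueing, translation, filtering) using each
# rule's leading keyword. Simplified: macros, tables and quoted '#' are ignored.
SECTIONS = ["options", "normalization", "queueing", "translation", "filtering"]
KEYWORD_SECTION = {
    "set": "options", "scrub": "normalization", "altq": "queueing",
    "queue": "queueing", "nat": "translation", "rdr": "translation",
    "binat": "translation", "pass": "filtering", "block": "filtering",
    "antispoof": "filtering", "anchor": "filtering",
}

def logical_lines(text):
    """Yield (first_line_number, rule_text), joining backslash continuations."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip() and not buf:
            continue
        if start is None:
            start = n
        if line.endswith("\\"):                # rule continues on the next line
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None

def check_order(text):
    """Return None if in order, else (line, section, later_section_already_seen)."""
    highest = -1
    for lineno, line in logical_lines(text):
        section = KEYWORD_SECTION.get(line.split()[0])
        if section is None:
            continue                           # macro, table or unknown keyword
        rank = SECTIONS.index(section)
        if rank < highest:                     # a later section already started
            return lineno, section, SECTIONS[highest]
        highest = rank
    return None
# The rules from the post, constructed inline: the two 'pass' rules are filter
# rules, so the 'nat' rule (line 8 here) appears after filtering has started.
SNIPPET = """\
altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \\
keep state queue (q_def, q_pri)
pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \\
keep state queue (q_def, q_pri)
nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
"""
```

Moving the `nat` line above the first `pass` rule (or moving both `pass` rules down to the filtering section) makes `check_order` return `None`, which is the same reordering `pfctl` is asking for.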