rule ordering
Jay
jay at meangrape.com
Mon Feb 7 20:49:46 PST 2005
Thanks! Makes perfect sense.
On Mon, Feb 07, 2005 at 11:44:29PM -0500, solarflux.org/pf wrote:
> Jay wrote:
> >I'm putting in a NAT rule for the first time. My pf.conf is just edited
> >from the original.
> >
> >When I insert the NAT rule and run pfctl -n -f /etc/pf.conf, I get the
> >following error message:
> >
> > /etc/pf.conf:62: Rules must be in order: options, normalization,
> >queueing, translation, filtering
> >
> >A perfectly understandable error message -- queuing should be before
> >translation. As in the following snippet from my pf.conf:
> >
> > # Queueing: rule-based bandwidth control.
> > altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
> > queue q_pri priority 7
> > queue q_def priority 1 priq(default)
> >
> > pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \
> > keep state queue (q_def, q_pri)
> > pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \
> > keep state queue (q_def, q_pri)
> >
> > # Translation: specify how addresses are to be mapped or redirected.
> > nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
> >
> >Yup. Looks like queueing before translation. But that's the snippet
> >that throws the error. If I comment out all of the ALTQ rules, pfctl -n
> >-f /etc/pf.conf works fine. Also the same if I comment out the NAT
> >rule.
>
> You have pass rules (hence, filtering) in your queueing section; you
> must only set up queueing in that section. That's why commenting out
> the nat rule or everything in your queueing section allows the pf.conf to
> be parsed successfully.
>
> -S
--
Jay.
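
The following is an added example, not part of the original thread: a small Python checker that reports both the statement pfctl complains about (the nat rule) and the earlier statement that actually moved the parser into a later section (the first pass rule). The keyword-to-section map and the function names are assumptions of this example; `pfctl -n -f /etc/pf.conf` remains the authoritative check.

```python
# Section order required by the pf.conf grammar of this thread's era (from the
# pfctl error message). The keyword map is this example's simplification.
ORDER = ["options", "normalization", "queueing", "translation", "filtering"]
KEYWORDS = {"set": 0, "scrub": 1, "altq": 2, "queue": 2, "nat": 3, "rdr": 3,
            "binat": 3, "pass": 4, "block": 4, "antispoof": 4}

# The snippet from the post, re-typed here as sample input.
SNIPPET = """\
altq on $ext_1 priq bandwidth 256Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_1 proto tcp from $ext_1 to any flags S/SA \\
    keep state queue (q_def, q_pri)
pass in on $ext_1 proto tcp from any to $ext_1 flags S/SA \\
    keep state queue (q_def, q_pri)
nat on rl1 from 192.168.0.0/24 to any -> 209.223.7.161
"""

def statements(text):
    """Yield (first_line_no, statement): comments stripped, '\\' continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # naive: ignores '#' inside quotes
        if not buf:
            start = n
        buf += line
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        if buf.strip():
            yield start, buf.strip()
        buf = ""

def first_order_error(text):
    """Return (line, section, earlier_line, earlier_section) for the first
    statement placed after a later section has already begun, else None."""
    high, high_line = -1, 0
    for n, stmt in statements(text):
        words = stmt.split()
        if words[0] == "no" and len(words) > 1:  # "no nat ...", "no rdr ..."
            words = words[1:]
        rank = KEYWORDS.get(words[0])  # None: macro, table, anchor, etc.
        if rank is None:
            continue
        if rank < high:
            return n, ORDER[rank], high_line, ORDER[high]
        if rank > high:
            high, high_line = rank, n
    return None

if __name__ == "__main__":
    err = first_order_error(SNIPPET)
    if err:
        print("line %d (%s) comes after line %d (%s)" % err)
```

Moving the nat line above the two pass rules makes the checker return `None`, matching the fix described in the reply.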