Syntax errors in pf.conf

Forrest Aldrich forrie at forrie.com
Fri Dec 9 14:06:09 PST 2005


Hi there,

First, does there exist a tidy-like syntax checker for the pf.conf
file?  That would be handy.

I'm writing a new pf.conf, based on Policy Filtering, and running into
some problems.

What I'm trying to do is:

rdr on $ext_if proto tcp from !<geoip>, !<spammers>, !<abuse> any \
    port { $tcp_services } tag INET_DMZ -> $server

rdr on $ext_if proto tcp from !<abuse> any \
    port 80 tag INET_DMZ -> $server

rdr on $ext_if proto tcp from !<abuse> any \
    port 443 tag INET_DMZ -> $server

And pfctl complains that there is a syntax error on all of these.  I'm
trying to set this up, so that IP classes in the named tables are
negated and not allowed through, taking the rest and handling accordingly.

It's not clear to me that I can even use negation here, but in this
scenario it has to be used, otherwise the packets get through.  Or, if
not, there must be a more elegant way to accomplish it.

I'm certain this is possible, however I've not found many good examples
to consult (including the PF Handbook, which does not address negation
in these rules).

Thanks.
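As an added example, not part of the post above: the same policy written in syntax pfctl accepts, with the two problems in the posted rules marked in comments. The $ext_if, $server, $tcp_services and table names are the poster's; the interface name, addresses, table file paths and the service list are assumptions made for the example. On the first question, `pfctl -nf /etc/pf.conf` parses a ruleset without loading it, which is the syntax check asked for.

```pf
# Added example, not the poster's own ruleset.  Check it with:
#   pfctl -nf /etc/pf.conf        (parse only, nothing is loaded)

ext_if       = "em0"                 # assumed interface name
server       = "192.0.2.10"          # assumed DMZ host (documentation prefix)
tcp_services = "{ 25, 80, 443 }"     # assumed service list

table <geoip>    persist file "/etc/pf/geoip"      # assumed file paths
table <spammers> persist file "/etc/pf/spammers"
table <abuse>    persist file "/etc/pf/abuse"

# 1. The posted rules omit the "to" keyword: pf wants "from src to dst",
#    so "from !<abuse> any port 80" is the syntax error pfctl reports.
#    Negating a single table in a rule is fine.
rdr on $ext_if proto tcp from !<abuse> to any port 80  tag INET_DMZ -> $server
rdr on $ext_if proto tcp from !<abuse> to any port 443 tag INET_DMZ -> $server

# 2. "from !<geoip>, !<spammers>, !<abuse>" is not valid, and pf cannot
#    express "not in any of these tables" in one rule: a list expands to
#    one rule per item, so negated items would only exclude a source that
#    is in every table.  Redirect everything instead and do the exclusion
#    in the filter, where the tables can be listed positively.
rdr on $ext_if proto tcp from any to any port $tcp_services tag INET_DMZ -> $server

block in quick on $ext_if from { <geoip>, <spammers>, <abuse> } to any
pass in on $ext_if proto tcp tagged INET_DMZ keep state
```

The filter rule matches on the tag set by the rdr rule, so it does not need to repeat the translated destination address or the port list; anything from the three tables is dropped by the quick block rule before it gets that far.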
More information about the freebsd-pf mailing list