help with pf syntax
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: help with pf syntax
- From: Matthew S Elmore <elmore_(_at_)_dbtech_(_dot_)_net>
- Date: Wed, 3 Nov 2004 10:10:40 -0600
I'm setting up pf on one of my machines and I am getting some syntax
errors and cannot determine why they are occurring. I have declared
$GoodPorts as the ports to allow traffic to come through, yet when I
try to use this in a rule it gives me syntax errors. Let me know what
I'm doing wrong. Much appreciated!
All other rules parse successfully. These are the lines giving me
trouble:
GoodPorts = "{ 21, 22, 23, 25, 53, 80, 113, 443, 5224 }"
# allow specified traffic to pass through
pass in on $Int from all to $Int port $GoodPorts
pass out on $Int from $Int to all port $GoodPorts
And here is my entire pf.conf:
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# variable declarations
Int = xl0
GoodPorts = "{ 21, 22, 23, 25, 53, 80, 113, 443, 5224 }"
NullRoutes = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# vpn variable declarations
GATEWAY_A = "192.168.1.254/32"
GATEWAY_B = "204.214.213.1/32"
NETWORK_A = "192.168.1.0/24"
NETWORK_B = "204.214.213.0/24"
# options
set loginterface $Int
# packet normalization
#scrub in all
# allow all loopback traffic
pass quick on lo0 all
# default deny
block in log on { enc0, $Int } all
block out log on { enc0, $Int } all
# null route specified blocks
block in on $Int from $NullRoutes to any
block out on $Int from any to $NullRoutes
# allow specified traffic to pass through
pass in on $Int from all to $Int port $GoodPorts
pass out on $Int from $Int to all port $GoodPorts
# allow all traffic on local subnet
#pass in on $Int from all to 204.214.213.0/24
#pass out on $Int from 204.214.213.0/24 to all
#############
# vpn stuff #
#############
# pass encrypted traffic from subnet a to subnet b
pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B
# allow ipencap traffic on enc0
pass in on enc0 proto ipencap all
# pass in traffic from designated subnets
pass in on enc0 from $NETWORK_B to $NETWORK_A
pass out on enc0 from $NETWORK_A to $NETWORK_B
# pass in isakmpd(8) traffic from security gateways
pass in on $Int proto udp from $GATEWAY_B port = 500 to $GATEWAY_A port = 500
pass out on $Int proto udp from $GATEWAY_A port = 500 to $GATEWAY_B port = 500
====================================
Matthew S Elmore
dbTechnology Inc. Tuscaloosa, AL
www.dbtech.net (205) 556-9020
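For reference, here is how the two port-filtering rules from the post would be written in valid pf.conf grammar. This is an added fragment, not part of the original message or a reply from the list; the macro names and the interface xl0 are taken from the post, while the split into TCP and UDP rules and the `keep state` keywords are additions. Two things in the posted rules do not parse: `all` is a standalone keyword equivalent to `from any to any` and cannot follow `from` or `to` (the address keyword there is `any`), and `port` only applies to rules that name `proto tcp` or `proto udp`.

```pf
Int = xl0
GoodPorts = "{ 21, 22, 23, 25, 53, 80, 113, 443, 5224 }"

# 'port' is only valid with proto tcp or proto udp, and 'all' is not an
# address, so 'any' is used in its place. keep state (added here) lets
# the replies to these connections pass without a matching rule of
# their own; without it the default-deny rules above would drop them.
pass in  on $Int proto tcp from any  to $Int port $GoodPorts keep state
pass out on $Int proto tcp from $Int to any  port $GoodPorts keep state

# DNS (53) is also carried over UDP, which the tcp rules above do not cover
pass in  on $Int proto udp from any  to $Int port 53 keep state
pass out on $Int proto udp from $Int to any  port 53 keep state
```

Before loading a changed rule set, `pfctl -nf /etc/pf.conf` parses the file without applying it and reports the line number of any remaining syntax error, which is the quickest way to isolate which rule pfctl is rejecting.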