Another Lists/Macros Question
beno
zope at 2012.vi
Wed Aug 23 14:07:05 UTC 2006
Michal Mertl wrote:
> Note that no quoting is necessary here and the parser doesn't care much
> about whitespace. If you run pfctl with "-v" you shall see the macro
> expansion which should help in understanding the parser and finding out
> errors.
>
That does help! Thanks! Now, adding that flag to the others (-f and
-n), I get the following errors:
set fingerprints /etc/pf.os
pfctl: /etc/pf.os : No such file or directory
In fact, there *is* such a file, and it's the default! I haven't edited
it, changed perms, etc. Now, if I recall correctly, I don't need to
actually cite that file, since the parser will include it automatically;
however, there is certainly nothing wrong with doing so, therefore it
should not throw an error! Wazzup?
server167# ls -al /etc/|grep pf.os
-rw-r--r-- 1 root wheel 26591 Aug 17 18:32 pf.os
(I'm in as root.)
/etc/pf.conf:24: syntax error
Here's that line, which the parser doesn't parse, preceded by other
lines in question:
shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="{ 69.19.0.0/17 }"
shadday_ip_addresses=""
ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses
$shadday_ip_addresses
Now, we've been here before, and I was instructed to write the
directv_ip_addresses line just so, but now the parser is throwing another
error based on that very variable yet again! (I have singled it out
through experimentation.) What doesn't it like this time?
/etc/pf.conf:68: syntax error
pass in quick proto tcp from any to any port = ssh flags S/SA keep state
(source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload
<bruteforce> flush global, if-bound, src.track 3)
when the actual lines I wrote are these:
web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
ftp_ports="21 8021 7021"
https_ports="443"
imap_ssl_ports="993 143"
all_http_ports= $http_ports $https_ports
tcp_ports= $ssh_ports $ftp_ports $all_http_ports $imap_ssl_ports
pass in quick inet proto tcp from any to $web_server port $tcp_ports
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce>
flush global)
Here are my questions concerning this much:
* Why does the parser render "from any to $web_server" as "from any to
any"? That's not what I specified!
* Why does the parser render "port $tcp_ports" as "port = ssh"? That's
not what I specified, either!
* Why does the parser automatically reduce my variables max-src-conn and
max-src-conn-rate? (Okay because the proportion is the same?)
TIA,
beno
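The two syntax errors above both come from how pf expands macros, so here is a small model of that expansion that reproduces them and shows a form pfctl accepts. This is an added example, not code from the post and not pfctl's own parser. Its lexer rules follow pf.conf(5) (macros are substituted textually and "are not expanded inside quotes", which is why the man page writes all_ifs = "{" $ext_if lo0 "}") and pfctl's parse.y as I recall it: ( ) { } < > ! = / , are one-character tokens, anything else is a string or number, a macro definition's value may only consist of strings and numbers, and a newline inside a quoted string is dropped rather than turned into a space. The configs are retyped and shortened from the post (constructed input), and the names check, statements, POSTED, FIXED and the table <ssh_clients> are mine.

```python
# Model of pf.conf macro expansion: an added example, not pfctl's code and not
# code from the post.  Lexer rules per pf.conf(5) and pfctl's parse.y as I recall it.
import re

KEYWORDS = {"pass", "in", "quick", "inet", "proto", "from", "to", "port", "flags", "keep", "state", "any"}
# pf's lexer: ( ) { } < > ! = / , are single tokens; a quoted string is one token; else a bare word
TOKEN = re.compile(r"\\\n|(?P<nl>\n)|[ \t]+"                 # continuation, newline, blanks
                   r"|\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'"    # quoted strings
                   r"|\$(?P<macro>\w*)"                      # macro reference
                   r"|(?P<punct>[(){}<>!=/,])"               # one-character tokens
                   r"|(?P<str>[^\s(){}<>!=/,\"'$][^\s(){}<>!=/,\"']*)")


def statements(text, macros):
    # Yields one list of (kind, value, line) tokens per statement.  $name is
    # looked up when it is lexed, so earlier definitions apply to later lines.
    toks, i, line = [], 0, 1
    while i < len(text):
        m = TOKEN.match(text, i)
        if m is None:
            raise ValueError("line %d: unterminated string" % line)
        kind = m.lastgroup
        if kind == "macro":        # pfctl pushes the value back into the input and
            text = text[:i] + macros.get(m.group(kind), "") + text[m.end():]
            continue               # lexes it again (an unknown macro expands to nothing here)
        i = m.end()
        if kind == "nl":
            yield toks
            toks, line = [], line + 1
        elif kind in ("dq", "sq"):  # newline inside quotes is dropped, not spaced
            toks.append(("str", m.group(kind).replace("\n", ""), line))
            line += m.group(kind).count("\n")
        elif kind in ("punct", "str"):
            toks.append((kind, m.group(kind), line))
        elif m.group(0) == "\\\n":
            line += 1
    if toks:
        yield toks


def check(text):
    # Returns (macros, rules, problems): the macro values, each rule as the
    # token stream the parser sees, and the syntax errors this model detects.
    macros, rules, problems = {}, [], []
    for toks in statements(text, macros):
        if len(toks) > 1 and toks[1][:2] == ("punct", "="):    # name = value
            name, line, value = toks[0][1], toks[0][2], toks[2:]
            bad = "".join(v for k, v, _ in value if k == "punct")[:1]
            if bad or not value:   # pf: a macro value is strings/numbers only
                problems.append("line %d: syntax error: macro %s: '%s' is a token, not "
                                "a string; quote it (\"%s\") or brace at the point of use"
                                % (line, name, bad, bad))
            else:
                macros[name] = " ".join(v for _, v, _ in value)
        elif toks:
            rules.append(" ".join(v for _, v, _ in toks))
            for k, (kind, val, line) in enumerate(toks):
                run = []           # pf: several values after from/to/port need { }
                for kind2, val2, _ in toks[k + 1:] if val in ("from", "to", "port") else []:
                    if kind2 != "str" or val2 in KEYWORDS:
                        break
                    run.append(val2)
                if len(run) > 1:
                    problems.append("line %d: syntax error: '%s %s' needs braces: '%s { %s }'"
                                    % (line, val, " ".join(run), val, " ".join(run)))
    return macros, rules, problems


# Definitions and the port rule from the post, shortened (constructed input; the
# break inside the first quoted string is reproduced as the post shows it).
POSTED = """\
shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30
202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses="{ 69.19.0.0/17 }"
shadday_ip_addresses=""
ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses
web_server="202.71.106.119"
http_ports="80 8080 7080"
ssh_ports="22"
tcp_ports= $ssh_ports $http_ports
pass in quick inet proto tcp from any to $web_server port $tcp_ports flags S/SA keep state \\
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
"""

# The same, written so the model (and pfctl) accepts it: address macros are
# combined in a table at the point of use and the port list is braced.
FIXED = """\
shinjiru_ip_addresses = "202.71.102.114 202.71.100.126 202.71.106.30 202.71.106.118 202.71.106.188 203.142.1.8"
directv_ip_addresses = "69.19.0.0/17"
shadday_ip_addresses = ""
table <ssh_clients> { $shinjiru_ip_addresses $directv_ip_addresses $shadday_ip_addresses }
web_server = "202.71.106.119"
http_ports = "80 8080 7080"
ssh_ports = "22"
tcp_ports = $ssh_ports $http_ports
pass in quick inet proto tcp from <ssh_clients> to $web_server port $ssh_ports flags S/SA keep state
pass in quick inet proto tcp from any to $web_server port { $tcp_ports } flags S/SA keep state \\
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
"""

if __name__ == "__main__":
    for conf in (POSTED, FIXED):
        print(*check(conf), sep="\n")
```

Running it shows where the two errors come from. $directv_ip_addresses is a quoted string "{ 69.19.0.0/17 }", so as a definition it is fine and inside a rule ("from $directv_ip_addresses") it expands into a braced list the rule grammar understands; pasted into the ssh_ip_addresses definition, though, it is re-lexed, and the bare "{" (and the "/") are tokens, which a macro value may not contain, hence the syntax error on that line. The same applies to any CIDR macro nested in another definition, so combine address macros where they are used (a table, or "{ $a $b }" in the rule) instead of in a macro. Likewise "port $tcp_ports" expands to "port 22 80 8080 7080", a list with no braces; write "port { $tcp_ports }". Nested macros of plain words and numbers (tcp_ports above) are fine. Note also that, under the lexer rule modelled here, the wrapped quoted string in the post yields "202.71.106.30202.71.106.118" if that line break is really in the file; end the first line with a space before the break, or keep the value on one line. Check the fixed file with "pfctl -nvf /etc/pf.conf". On the -v output quoted above: the rule printed next to the line-68 error carries "source-track rule" and "max-src-conn 15", which the rule written at line 68 does not, so it is an earlier, already-parsed rule (the ssh rule) rather than a rewrite of line 68, and "port = ssh" is simply how pfctl prints a single port 22, using the service name from /etc/services.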
More information about the freebsd-pf mailing list