Hi Leute,
ich hab ein Problem mit einer Firewall-Regel unter OpenBSD 3.9:
--
pass in log quick on $EXT_IF inet proto \
tcp from any to any port $SSH_PORT $TCP_OPTIONS \
(max-src-conn 100, max-src-conn-rate 3/45, overload <abuse> flush)
--
ein pfctl -F rules -f /etc/pf.conf bringt ein:
/etc/pf.conf:47: syntax error
pfctl: Syntax error in config file: pf rules not loaded
Die gleiche Regel tut aber auf einem OpenBSD 3.8!
Naja, vielleicht bin ich schon blind, oder sieht jemand von euch den Fehler?
danke schon mal fuer die hilfe
netter gruss
--pf.conf --
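# ------------------------------------
# pf.conf
# ------------------------------------
# -- Macros --
EXT_IF = "sis0"
TCP_SERVICES = "{ 113 }"
SSH_PORT = "{ 22 }"
# The state keyword must be the LAST word of this macro: pf.conf(5) attaches a
# parenthesized state-options list "( ... )" directly to "keep/modulate state",
# so a rule may expand to "... $TCP_OPTIONS (max-src-conn ...)".
# With the old order ("modulate state flags S/SA") the "(" followed
# "flags S/SA" instead of "state", which pfctl reports as a syntax error on
# the line holding the parenthesis (the reported /etc/pf.conf:47).
TCP_OPTIONS = "flags S/SA modulate state"
PRIV_NETS = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# -- Tables --
# <abuse> is filled at runtime by the "overload" option of the SSH rule below;
# "persist" keeps the table even while it is empty.
table <abuse> persist
# <evil> is an operator-maintained blacklist loaded from /etc/evil.
table <evil> persist file "/etc/evil"
# -- Options --
# NOTE(review): pf timeouts are in seconds. tcp.established 10 expires any TCP
# state that is idle for 10 s, an idle SSH session included - confirm that this
# is intended before relying on the SSH rule below.
set timeout { tcp.first 10, tcp.established 10 }
set timeout interval 10
set timeout frag 15
set optimization aggressive
set block-policy return
set loginterface $EXT_IF
set skip on lo0
#set limit { states 2500, frags 5000, src-nodes 2500, table-entries 20000 }
# -- Scrub --
scrub on $EXT_IF all fragment reassemble random-id
# -- Filter --
# Default deny, then the "quick" block rules (anti-spoofing and blacklists,
# which win over every later pass rule), then the explicit pass rules.
block all
# Anti-spoofing: private source addresses must never arrive on the external
# interface, and nothing is sent towards private ranges through it. The
# explicit "drop" overrides the "return" block-policy for these packets.
block drop in quick on $EXT_IF from $PRIV_NETS to any
block drop out quick on $EXT_IF from any to $PRIV_NETS
# Sources added to <abuse> by the overload below, or listed in /etc/evil, are
# blocked (and logged) before the SSH pass rule is reached.
block in log quick from <abuse>
block in log quick from <evil>
# SSH with per-source limits: more than 3 new connections within 45 s, or more
# than 100 concurrent connections, adds the source to <abuse> and flushes the
# states this rule created for it. $TCP_OPTIONS ends in "modulate state", so
# the "( ... )" list on the last line is parsed as this rule's state options.
# NOTE(review): this rule matches "to any" while the $TCP_SERVICES rule is
# limited to ($EXT_IF); if forwarding is ever enabled, restrict it likewise.
pass in log quick on $EXT_IF inet proto \
tcp from any to any port $SSH_PORT $TCP_OPTIONS \
(max-src-conn 100, max-src-conn-rate 3/45, overload <abuse> flush)
pass in on $EXT_IF inet proto tcp from any to ($EXT_IF) \
port $TCP_SERVICES flags S/SA keep state
# ICMP echo requests (ping) are accepted on every interface, not only $EXT_IF.
pass in inet proto icmp all icmp-type 8 code 0 keep state
# Outbound: TCP gets the same flags/state handling as inbound SSH; UDP/ICMP
# only keep state.
pass out on $EXT_IF proto tcp all $TCP_OPTIONS
pass out on $EXT_IF proto { udp, icmp } all keep state
# -- EOF --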
ich hab ein Problem mit einer Firewall-Regel unter OpenBSD 3.9:
--
pass in log quick on $EXT_IF inet proto \
tcp from any to any port $SSH_PORT $TCP_OPTIONS \
(max-src-conn 100, max-src-conn-rate 3/45, overload <abuse> flush)
--
ein pfctl -F rules -f /etc/pf.conf bringt ein:
/etc/pf.conf:47: syntax error
pfctl: Syntax error in config file: pf rules not loaded
Die gleiche Regel tut aber auf einem OpenBSD 3.8!
Naja, vielleicht bin ich schon blind, oder sieht jemand von euch den Fehler?
danke schon mal fuer die hilfe
netter gruss
--pf.conf --
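# ------------------------------------
# pf.conf
# ------------------------------------
# -- Macros --
EXT_IF = "sis0"
TCP_SERVICES = "{ 113 }"
SSH_PORT = "{ 22 }"
# The state keyword must be the LAST word of this macro: pf.conf(5) attaches a
# parenthesized state-options list "( ... )" directly to "keep/modulate state",
# so a rule may expand to "... $TCP_OPTIONS (max-src-conn ...)".
# With the old order ("modulate state flags S/SA") the "(" followed
# "flags S/SA" instead of "state", which pfctl reports as a syntax error on
# the line holding the parenthesis (the reported /etc/pf.conf:47).
TCP_OPTIONS = "flags S/SA modulate state"
PRIV_NETS = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# -- Tables --
# <abuse> is filled at runtime by the "overload" option of the SSH rule below;
# "persist" keeps the table even while it is empty.
table <abuse> persist
# <evil> is an operator-maintained blacklist loaded from /etc/evil.
table <evil> persist file "/etc/evil"
# -- Options --
# NOTE(review): pf timeouts are in seconds. tcp.established 10 expires any TCP
# state that is idle for 10 s, an idle SSH session included - confirm that this
# is intended before relying on the SSH rule below.
set timeout { tcp.first 10, tcp.established 10 }
set timeout interval 10
set timeout frag 15
set optimization aggressive
set block-policy return
set loginterface $EXT_IF
set skip on lo0
#set limit { states 2500, frags 5000, src-nodes 2500, table-entries 20000 }
# -- Scrub --
scrub on $EXT_IF all fragment reassemble random-id
# -- Filter --
# Default deny, then the "quick" block rules (anti-spoofing and blacklists,
# which win over every later pass rule), then the explicit pass rules.
block all
# Anti-spoofing: private source addresses must never arrive on the external
# interface, and nothing is sent towards private ranges through it. The
# explicit "drop" overrides the "return" block-policy for these packets.
block drop in quick on $EXT_IF from $PRIV_NETS to any
block drop out quick on $EXT_IF from any to $PRIV_NETS
# Sources added to <abuse> by the overload below, or listed in /etc/evil, are
# blocked (and logged) before the SSH pass rule is reached.
block in log quick from <abuse>
block in log quick from <evil>
# SSH with per-source limits: more than 3 new connections within 45 s, or more
# than 100 concurrent connections, adds the source to <abuse> and flushes the
# states this rule created for it. $TCP_OPTIONS ends in "modulate state", so
# the "( ... )" list on the last line is parsed as this rule's state options.
# NOTE(review): this rule matches "to any" while the $TCP_SERVICES rule is
# limited to ($EXT_IF); if forwarding is ever enabled, restrict it likewise.
pass in log quick on $EXT_IF inet proto \
tcp from any to any port $SSH_PORT $TCP_OPTIONS \
(max-src-conn 100, max-src-conn-rate 3/45, overload <abuse> flush)
pass in on $EXT_IF inet proto tcp from any to ($EXT_IF) \
port $TCP_SERVICES flags S/SA keep state
# ICMP echo requests (ping) are accepted on every interface, not only $EXT_IF.
pass in inet proto icmp all icmp-type 8 code 0 keep state
# Outbound: TCP gets the same flags/state handling as inbound SSH; UDP/ICMP
# only keep state.
pass out on $EXT_IF proto tcp all $TCP_OPTIONS
pass out on $EXT_IF proto { udp, icmp } all keep state
# -- EOF --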