Solved: Cannot parse new pf config file

Hi there,
Could someone please help me understand what is wrong here?
What does "no IP address found for lo1" mean?
$ sudo pfctl -vnf /etc/pf.conf
Code:
ExtIf = "xn0"
IntIf = "lo1"
WebProxy = "10.8.20.10"
WorkSsh = "213.123.123.123"
IcmpPing = "icmp-type 8 code 0"
SshQueue = "(ssh_bulk, ssh_login)"
SynState = "flags S/SA synproxy state"
TcpState = "flags S/SA modulate state"
UdpState = "keep state"
OpenSTO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO = "(max  200, source-track rule, max-src-conn  10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO = "(max  100, source-track rule, max-src-conn  10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
WebSTO = "(max  4096, source-track rule, max-src-conn  64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
table <BLOCKTEMP> counters
table <BLOCKPERM> counters file "/var/db/pf/block_permanent.table"
set skip on { lo }
set debug urgent
set block-policy drop
set loginterface xn0
set state-policy if-bound
set fingerprints "/etc/pf.os"
set optimization normal
set timeout tcp.closing 60
set timeout tcp.established 7200
no IP address found for lo1:network
/etc/pf.conf:81: could not parse host specification
/etc/pf.conf:92: syntax error
no IP address found for lo1:network
/etc/pf.conf:98: could not parse host specification
/etc/pf.conf:131: syntax error
no IP address found for lo1:network
/etc/pf.conf:142: could not parse host specification
no IP address found for lo1:network
/etc/pf.conf:143: could not parse host specification
no IP address found for lo1:network
/etc/pf.conf:144: could not parse host specification
no IP address found for lo1:network
/etc/pf.conf:145: could not parse host specification
no IP address found for lo1:network
/etc/pf.conf:146: could not parse host specification
no IP address found for lo1
/etc/pf.conf:152: could not parse host specification
no IP address found for lo1
/etc/pf.conf:153: could not parse host specification
no IP address found for lo1
/etc/pf.conf:154: could not parse host specification
Here is my /etc/pf.conf file
Code:
################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
#
#  Command                          Purpose
#  pfctl -e                         Enable PF
#  pfctl -d                         Disable PF
#  pfctl -f /etc/pf.conf            Tell pf to re-read the pf.conf file after I make a change
#  pfctl -F all -f /etc/pf.conf     Flush all rules (nat, filter, state, table, etc.)
#                                   and reload from the file /etc/pf.conf
#  pfctl -s [ rules | nat | state ] Report on the filter rules, nat rules, or state table
#  pfctl -vnf /etc/pf.conf          Check /etc/pf.conf for errors, but do not load ruleset
#  pfctl -t <TABLENAME> -T show     See which IP addresses are in the abusive hosts tables
#  pfctl -vvs rules | grep @        List out the pf rules in order with rule numbers
#  pfctl -sa                        List out all the pf rules and other options in my rules
#  tcpdump -n -e -ttt -i pflog0     Watch the pf logs in real time
#  tcpdump -n -e -ttt -r pflog0     Cat the pf log file


################ Change History ##########################
# * 2015-07-24    This file was created


################ Macros ###################################
### Interfaces ###
ExtIf ="xn0"
IntIf ="lo1"

### Hosts ###
# OpenSMTPD = "10.10.10.4"
WebProxy  = "10.8.20.10"
WorkSsh   = "123.123.123.123"

### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/SA synproxy state"
#TcpState ="flags S/SA synproxy state"
TcpState ="flags S/SA modulate state"
UdpState ="keep state"

### Stateful Tracking Options (STO) ###
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
table <BLOCKTEMP> counters
table <BLOCKPERM> counters file "/var/db/pf/block_permanent.table"
#table <BLACKLIST> persist
#table <spamd-white>

################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}

################ Queueing ####################################################
# no quality of service (QoS) since QoS is monitored and rate shaped by the VPS data centre.

################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
#scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub     log on $ExtIf all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT with static NAT for the WebProxy
nat on $ExtIf from $WebProxy       to any -> ($ExtIf)
nat on $ExtIf from $IntIf:network  to any -> ($ExtIf)

# Hiawatha web server (external users to an internal server?)
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port https -> $WebProxy
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port http  -> $WebProxy

# OpenSMTPD with Spamd
#rdr on $ExtIf inet proto tcp from !<spamd-white> to ($ExtIf) port smtp -> 10.10.10.200 port spamd
#rdr on $ExtIf inet proto tcp from  <spamd-white> to ($ExtIf) port smtp -> 10.10.10.250

# Openssh
rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh -> lo0

# Unbound DNS for LAN machines
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0

# Ntpd time server for the LAN
rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp -> lo0

# Anchors
#nat-anchor "openvpn"
#rdr-anchor "openvpn"

# Ftp ( secure ftp-proxy for the internal LAN )
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on $IntIf proto tcp from $IntIf:network to any port 21 -> 127.0.0.1 port 8021

# DENY rogue redirection
no rdr

################ Filtering ###################################################
# Rules are best (closest) match. Rules are optimized so external
# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and perm tables
#block in quick on $ExtIf from                     <BLACKLIST> to any
block drop in  log quick on $ExtIf           from <BLOCKPERM> to any
block drop in  log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in  log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh

### $ExtIf default block with drop
block drop in log on $ExtIf

### $ExtIf inbound
#pass in log on $ExtIf inet proto tcp from any to any port $AntiScanPort $TcpState $AntiScanSTO
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy port https $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy port www   $TcpState $WebSTO
#pass in log on $ExtIf inet proto tcp  from  <spamd-white> to 10.10.10.250 port smtp  $TcpState $SmtpSTO
#pass in log on $ExtIf inet proto tcp  from !<spamd-white> to 10.10.10.200 port spamd $TcpState $SmtpSTO
pass in log on $ExtIf inet proto tcp  from  $WorkSsh      to lo0 port ssh   $TcpState $SshSTO

### $ExtIf outbound
pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO

### $IntIf default block with return (TCP reset)
block return in log on $IntIf inet

### $IntIf inbound (restrict LAN clients to external machines here)
pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port https  $TcpState $OpenSTO
pass in log on $IntIf inet proto tcp  from  $IntIf:network to  any     port www    $TcpState $OpenSTO
pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port domain $UdpState $OpenSTO
pass in log on $IntIf inet proto udp  from  $IntIf:network to  lo0     port ntp    $UdpState $OpenSTO
pass in log on $IntIf inet proto icmp from  $IntIf:network to $IntIf  $IcmpPing   $UdpState $OpenSTO

### $IntIf ftp secure proxy for LAN
#anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
pass out log on $IntIf inet proto tcp  from $IntIf to $IntIf:network $TcpState
pass out log on $IntIf inet proto udp  from $IntIf to $IntIf:network $UdpState
pass out log on $IntIf inet proto icmp from $IntIf to $IntIf:network $UdpState


############# END of FreeBSD pf.conf https://calomel.org #######################
 
Hi usdmatt,
Sorry for the delay in replying.
Yes, I do have a lo1 interface, and in the /etc/rc.conf file it looks like this:
Code:
cloned_interfaces="${cloned_interfaces} lo1"                  # allows loopback isolation in the jail
ifconfig_xn0_alias0="inet 10.8.20.10 netmask 255.255.255.255" # website www.mydomain.com
ifconfig_xn0_alias1="inet 10.8.20.11 netmask 255.255.255.255" # web proxy server
ifconfig_xn0_alias2="inet 10.8.20.12 netmask 255.255.255.255" # database server
ifconfig_xn0_alias3="inet 10.8.20.13 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias4="inet 10.8.20.14 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias5="inet 10.8.20.15 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias6="inet 10.8.20.16 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias7="inet 10.8.20.17 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias8="inet 10.8.20.18 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias9="inet 10.8.20.19 netmask 255.255.255.255" # unallocated
$ ifconfig
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=503<RXCSUM,TXCSUM,TSO4,LRO>
  ether c2:18:25:b1:02:6f
  inet 208.95.3.6 netmask 0xffffff80 broadcast 208.95.3.127
  inet 10.8.20.10 netmask 0xffffffff broadcast 10.8.20.10
  inet 10.8.20.11 netmask 0xffffffff broadcast 10.8.20.11
  inet 10.8.20.12 netmask 0xffffffff broadcast 10.8.20.12
  inet 10.8.20.13 netmask 0xffffffff broadcast 10.8.20.13
  inet 10.8.20.14 netmask 0xffffffff broadcast 10.8.20.14
  inet 10.8.20.15 netmask 0xffffffff broadcast 10.8.20.15
  inet 10.8.20.16 netmask 0xffffffff broadcast 10.8.20.16
  inet 10.8.20.17 netmask 0xffffffff broadcast 10.8.20.17
  inet 10.8.20.18 netmask 0xffffffff broadcast 10.8.20.18
  inet 10.8.20.19 netmask 0xffffffff broadcast 10.8.20.19
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet manual
  status: active
lo1: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 
That won't work because at the time of the loading of the rules there is no IP address assigned to lo1 and lo1:network expands to nothing. Either assign the IP address(es) on lo1 directly in rc.conf(5) or look into using anchors that are filled with nat or filter rules at the jail startup using custom scripts that are launched with (for example) exec.prestart and exec.poststop options in the jail configuration.
 
Just adding to what kpa has already said,

Do you have an lo1 interface, and does it have an IP address assigned to it?

The original error is fairly self-explanatory: "no IP address found for lo1".
You're using rules that automatically cover the network range assigned to a specific interface. In order for pf(4) to do what you're asking, it needs to look at the IP addresses on lo1, to find out what networks the rule should cover. If it can't find any, it can't load that rule and will report an error.

You either need to configure an IP address on lo1, or find a way to use PF rules that don't specifically rely on that interface having an IP address assigned.
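The check kpa and usdmatt describe, turned into a preflight script (an added example, not code from the thread): it resolves every "$Macro:network" or "iface:network" reference in a pf.conf to an interface and reports those that have no inet address in saved ifconfig output, before pfctl -f is ever run. The sample pf.conf and ifconfig text below are constructed to mirror this thread (lo1 exists but carries no address); the stanza layout it assumes is FreeBSD's, with interface names in column 0 and address lines indented.

```sh
#!/bin/sh
# Preflight for pf rulesets: every interface that pf.conf references as
# "<iface>:network" or "$Macro:network" must carry an inet address, or pfctl
# rejects the whole file ("no IP address found for lo1:network").
#
# pf_netref_check PF_CONF IFCONFIG_OUTPUT
# Prints, one per line, each interface referenced with :network that has no
# inet line in its stanza of the saved ifconfig output.
pf_netref_check() {
    conf=$1; ifc=$2
    sed 's/#.*//' "$conf" |                      # ignore commented-out rules
    grep -o '[$A-Za-z0-9_]*:network' | sed 's/:network$//' | sort -u |
    while read -r ref; do
        case $ref in
            \$*) name=${ref#\$}                  # resolve  Macro ="iface"
                 iface=$(sed -n "s/^[[:space:]]*$name[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1) ;;
            *)   iface=$ref ;;
        esac
        [ -n "$iface" ] || { echo "unresolved macro \$$name"; continue; }
        if ! awk -v i="$iface" '
                /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # new interface stanza
                cur == i && $1 == "inet" { found = 1 }       # address present
                END { exit !found }' "$ifc"
        then echo "$iface"; fi
    done
}

# Constructed samples mirroring the thread: lo1 exists but has no address.
SAMPLE_CONF=$(mktemp); SAMPLE_IFC=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
ExtIf ="xn0"
IntIf ="lo1"
nat on $ExtIf from $IntIf:network to any -> ($ExtIf)
#rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain -> lo0
pass in on $ExtIf proto tcp from xn0:network to any port www
EOF
cat >"$SAMPLE_IFC" <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  inet 127.0.0.1 netmask 0xff000000
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  inet 10.8.20.10 netmask 0xffffffff broadcast 10.8.20.10
lo1: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
EOF

pf_netref_check "$SAMPLE_CONF" "$SAMPLE_IFC"   # prints: lo1
```

On a live host, save ifconfig output to a file (ifconfig > /tmp/ifc) and run pf_netref_check /etc/pf.conf /tmp/ifc before pfctl -f; a ruleset that fails to load leaves the previous rules in place, or none at all on a fresh boot, and pf with an empty ruleset passes everything.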
 
Why are you binding your jails to lo1 and have the IP addresses bound to xn0? Either use lo1 and bind the addresses to it or use xn0 and bind the addresses to that. Don't use both.
 