PF Crazy errors

G

GamingArea

Code: 
interface = re0

## States and Types ##
icmp_types="icmp-type 8 code 0"
repo="{freebsd.org,FreeBSD.org,vuxml.freebsd.org,pkg.FreeBSD.org}"
mydomain="{gaming-area.ro}"
services="{80,3306}"
synstate="flags S/SA synproxy state"
tcpstate="modulate state"
udpstate="keep state"

## Stateful Tracking Options ##
openSTO="(max-src-nodes 10, max-src-states 10, max-src-conn 100, max-src-conn-rate 100/1, overload <bad_host> flush global)"
sshSTO="(max-src-nodes 10, max-src-states 10, max-src-conn 50, max-src-conn-rate 15/5, overload <fail2ban> flush global)"
httpSTO="(max-src-state 100, max-src-conn 500, max-src-conn-rate 500/1, overload <bad_host> flush global)"
udpSTO="(max-src-nodes 10, max-src-states 10, max-src-conn 100, max-src-conn-rate 100/1, overload <bad_host> flush global)"

## Table ##
table <private> persist counters file "/etc/private"
table <bad_host> persist counters file "/etc/bad_host"
table <fail2ban> persist

#################### OPTIONS ####################

## Misc Options ##
set skip on lo
set require-order no
set block-policy drop
set loginterface $interface
set optimization aggressive
set limit states 20000
set limit frags 20000

## Timeout ##
set timeout tcp.first 90
set timeout tcp.established 3600
set timeout udp.first 90
set timeout udp.single 90
set timeout udp.multiple 360
set timeout icmp.first 90
set timeout icmp.error 300
set timeout { adaptive.start 2000, adaptive.end 20000 }

#################### TRAFFIC NORMALIZATION ####################
scrub in on $interface all fragment reassemble
scrub in all no-df
scrub out all

#################### QUEUEING ####################

#################### TRANSLATION ####################

#################### BLOCKING SPOOFED TRAFFIC ####################
antispoof for $interface inet

#################### PACKET FILTERING ####################

## Default block drop on $interface ##
block in log on $interface all

## Block From Table ##
block drop quick log on $interface from <fail2ban> to any
block drop quick log on $interface from <bad_host> to any

##default packet outgoing ##
pass out log on $interface all
pass out quick log on $interface inet proto udp from any to any port 33433 >< 33626 $udpstate

## $interface incoming ##
pass in quick log on $interface proto {tcp,udp} from any to $interface port domain
pass in quick log on $interface proto {tcp,udp} from $repo to any
pass in quick log on $interface proto {tcp,udp} from <private> to $interface $tcpstate
pass in quick log on $interface proto {tcp,udp} from any to $mydomain $udpstate
pass in quick log on $interface proto tcp from any to $interface port 10050 $tcpstate
pass in log on $interface inet proto tcp from any to $interface port 22 $tcpstate $sshSTO
pass in log on $interface inet proto tcp from any to $interface port $services $synstate $httpSTO
pass in log on $interface inet proto icmp from any to $interface $icmp_types $udpstate $openSTO
pass in log on $interface inet proto udp from any to $interface $udpstate $udpSTO
pass in log on $interface inet proto tcp from any to $interface $synstate $openSTO


## $interface outgoing ##
pass out quick log on $interface proto {tcp,udp} from $interface to any port domain
pass out quick log on $interface proto {tcp,udp} from $interface to $repo
pass out quick log on $interface proto {tcp,udp} from $interface to <private> $tcpstate
pass out quick log on $interface proto {tcp,udp} from $interface to $mydomain $udpstate
pass out quick log on $interface proto tcp from any to $interface port 10050 $tcpstate
pass out log on $interface inet proto tcp from $interface  to any port 22 $tcpstate $sshSTO
pass out log on $interface inet proto tcp from $interface  to any port $services $synstate $httpSTO
pass out log on $interface inet proto icmp from $interface to any $icmp_types $udpstate $openSTO
pass out log on $interface inet proto udp from $interface to any $udpstate $udpSTO
pass out log on $interface inet proto tcp from $interface to any $tcpstate $openSTO

pfctl -vnf result:
Code: 
root@sv1:/usr/home/game # pfctl -vnf pf.rules
pf.rules:1: syntax error
pf.rules:4: syntax error
pf.rules:5: syntax error
pf.rules:6: syntax error
pf.rules:7: syntax error
pf.rules:8: syntax error
pf.rules:9: syntax error
pf.rules:10: syntax error
pf.rules:13: syntax error
pf.rules:14: syntax error
pf.rules:15: syntax error
pf.rules:16: syntax error
pf.rules:19: syntax error
pf.rules:20: syntax error
pf.rules:21: syntax error
set skip on { lo }
pf.rules:26: syntax error
set require-order no
pf.rules:27: syntax error
set block-policy drop
pf.rules:28: syntax error
pf.rules:29: macro 'interface' not defined
pf.rules:29: syntax error
set limit states 20000
pf.rules:31: syntax error
set limit frags 20000
pf.rules:32: syntax error
set timeout tcp.first 90
pf.rules:35: syntax error
set timeout tcp.established 3600
pf.rules:36: syntax error
set timeout udp.first 90
pf.rules:37: syntax error
set timeout udp.single 90
pf.rules:38: syntax error
set timeout udp.multiple 360
pf.rules:39: syntax error
set timeout icmp.first 90
pf.rules:40: syntax error
set timeout icmp.error 300
pf.rules:41: syntax error
set timeout adaptive.start 2000
set timeout adaptive.end 20000
pf.rules:42: syntax error
pf.rules:45: macro 'interface' not defined
pf.rules:45: syntax error
pf.rules:47: syntax error
pf.rules:54: macro 'interface' not defined
pf.rules:54: syntax error
pf.rules:59: macro 'interface' not defined
pf.rules:59: syntax error
pf.rules:62: macro 'interface' not defined
pf.rules:62: syntax error
pf.rules:63: macro 'interface' not defined
pf.rules:66: macro 'interface' not defined
pf.rules:66: syntax error
pf.rules:67: macro 'interface' not defined
pf.rules:70: macro 'interface' not defined
pf.rules:70: syntax error
pf.rules:71: macro 'interface' not defined
pf.rules:72: macro 'interface' not defined
pf.rules:73: macro 'interface' not defined
pf.rules:74: macro 'interface' not defined
pf.rules:75: macro 'interface' not defined
pf.rules:76: macro 'interface' not defined
pf.rules:77: macro 'interface' not defined
pf.rules:78: macro 'interface' not defined
pf.rules:79: macro 'interface' not defined
pf.rules:83: macro 'interface' not defined
pf.rules:83: syntax error
pf.rules:84: macro 'interface' not defined
pf.rules:85: macro 'interface' not defined
pf.rules:86: macro 'interface' not defined
pf.rules:87: macro 'interface' not defined
pf.rules:88: macro 'interface' not defined
pf.rules:89: macro 'interface' not defined
pf.rules:90: macro 'interface' not defined
pf.rules:91: macro 'interface' not defined
pf.rules:92: macro 'interface' not defined

Installed Kernel on am64: (FreeBSD 9.2 64 bits)
Code: 
cd /usr/src/sys/amd64/conf
cp GENERIC NewKern && ee NewKern

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
device        pf
device        pflog
device        pfsync

cd ../../../
make buildkernel KERNCONF=NewKern&& make installkernel KERNCONF=NewKern
 
GamingArea said:
Code: 
interface = re0
Click to expand...
Nothing crazy. This is a syntax error. Most of the other errors are because of it.
Code: 
interface = "re0"
Code: 
set skip on lo
Click to expand...
Also an error as there is no interface lo. It's lo0.

Code: 
cd /usr/src/sys/amd64/conf
..
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
Click to expand...
Remove these. You do not want to run IPFW and PF.
 
You must log in or register to reply here.
Back
Top