Solved [PF] Blank lines <syntax errors>

Hi all,

I've spent the past couple of days dealing with pf as it won't load the rulesets in pf.conf(5). I'm not sure why pfctl(8) complains about blank lines, since blank lines and comments should be ignored. Anyway, below is my pf.conf(5) file as it is right now; I hope someone can shed some light on this issue or perhaps see something I'm failing to.

P.S.: First, I used editors/nano to create it, then tried editors/leafpad hoping it's something to do with spaces, but no luck.

Thank You,

Code:
#  
#   UNAME      = FreeBSD-10.1-STABLE  
#   ARCH      = x86_64(AMD64/Intel 64)
#   KERNEL      = GENERIC
#   PF SETTINGS    = DESKTOP
#   STATUS     = RULES NOT LOADING - SYNTAX ERRORS ON LINES 20 & 28
#        LINE 20: EMPTY!?
#        LINE 28: EMPTY!?

######################### MACROS #########################
ext_if="igb0"
#int_if=""
broken="224.0.0.22 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
  192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
  169.254.0.0/16, 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32"

######################### TABLES #########################
#table <spamd-white> persist
//LINE 20\\
######################### OPTIONS #########################
set loginterface $ext_if
set timeout interval
set ruleset-optimization basic
set optimization normal
set block-policy drop
set skip on lo0
//LINE 28\\
######################### TRAFFIC NORMALIZATION #########################
antispoof quick for ($ext_if)
match in all scrub (no-df max-mss 1440)
#scrub in $ext_if all fragment reassemble

######################### TRANSLATION #########################
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#   -> 127.0.0.1 port spamd

######################### PACKET FILTERING #########################
#anchor "ftp-proxy/*"
block out quick inet6 all
block in quick inet6 all
block in quick from { $broken urpf-failed no-route } to any
block in all

pass out quick on $ext_if inet keep state

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
#pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
 
Is it possible it's parsing the multi line section where you have \ characters as a single line?
Bit of a stab in the dark, but it would mean the following lines are the ones it's complaining about:

Code:
set timeout interval
match in all scrub (no-df max-mss 1440)

I'm no PF expert, but looking around I get the impression a timeout figure should be specified on that first line. See the example at the bottom of http://www.openbsd.org/faq/pf/options.html.
The second line appears in the OpenBSD manual page, but it is missing in the FreeBSD one. Is it possible that particular function isn't supported by the FreeBSD version of PF?
 
I highly doubt that's the issue, but I tried your suggestions and no luck. OpenBSD's PF is not compatible (for some features) with FreeBSD's PF; I know there are discussions about this here and elsewhere. So I followed the statement ordering in pf.conf(5). However, if I put the "broken" macro on one line it will complain about line 19 (set timeout interval); if I revert it, it will complain about the empty line 20.
 
nano(1) has "automatic" support for CRLF line endings. Sometimes those extra carriage returns sneak in and cause problems without being visible. Use hd(1) on the file and look for the characteristic 0d 0a sequences.
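Reading an hd(1) dump by eye to find 0d 0a pairs is tedious in a file this size. The following script is an added example, not code from this thread or from FreeBSD: it reports the line numbers of every line carrying a carriage return or any other control byte besides tab and newline, which is exactly the class of invisible byte that makes pfctl(8) reject a line that looks blank. The function name check_hidden_bytes and the sample file it builds are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: find the invisible
# bytes that can make pfctl(8) report a syntax error on a line that looks
# blank. It reports carriage returns (CRLF endings, the 0d 0a pairs an hd(1)
# dump would show) and any other control byte apart from newline and tab,
# with the 1-based line numbers pfctl would print.

# check_hidden_bytes FILE
# Prints one finding per class of bad byte. Returns 0 when the file is clean,
# 1 when it contains carriage returns or other control characters.
check_hidden_bytes() {
    f=$1
    status=0

    # Line numbers of every line that carries a carriage return (0x0d).
    lines=$(LC_ALL=C awk 'index($0, "\r") { printf "%d ", NR }' "$f")
    if [ -n "$lines" ]; then
        echo "carriage return on line(s):" $lines
        status=1
    fi

    # Remaining control bytes: strip tab and CR first (CR was reported above),
    # then look for anything in the C-locale [[:cntrl:]] class (0x00-0x1f, 0x7f).
    lines=$(LC_ALL=C tr -d '\t\r' < "$f" | LC_ALL=C grep -n '[[:cntrl:]]' \
            | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$lines" ]; then
        echo "other control bytes on line(s):" $lines
        status=1
    fi

    return $status
}

# Constructed sample (hypothetical, modelled on the OP's file): line 2 ends
# in CRLF and line 4 hides a form feed; the rest is ordinary pf.conf text.
make_sample() {
    printf 'ext_if="igb0"\n'              >  "$1"
    printf 'set timeout interval 10\r\n'  >> "$1"
    printf '\n'                           >> "$1"
    printf 'set skip on lo0\f\n'          >> "$1"
    printf 'block in all\n'               >> "$1"
}

if [ "$#" -ge 1 ]; then
    check_hidden_bytes "$1"
else
    sample=$(mktemp)
    make_sample "$sample"
    check_hidden_bytes "$sample" && echo "clean" || echo "file needs cleaning"
    rm -f "$sample"
fi
```

Run it as `sh check.sh /etc/pf.conf` to scan a real file; with no argument it scans the built-in sample and reports lines 2 and 4. Once the file is clean, `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, so the line numbers it reports can be compared with the script's output before anything touches the running firewall.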
I did the hex dump on the modified version (according to usdmatt's suggestions).
Code:
00000000  23 09 0a 23 09 55 4e 41  4d 45 20 09 09 3d 20 46  |#..#.UNAME ..= F|
00000010  72 65 65 42 53 44 2d 31  30 2e 31 2d 53 54 41 42  |reeBSD-10.1-STAB|
00000020  4c 45 09 0a 23 09 41 52  43 48 20 09 09 3d 20 78  |LE..#.ARCH ..= x|
00000030  38 36 5f 36 34 28 41 4d  44 36 34 2f 49 6e 74 65  |86_64(AMD64/Inte|
00000040  6c 20 36 34 29 20 0a 23  09 4b 45 52 4e 45 4c 20  |l 64) .#.KERNEL |
00000050  09 09 3d 20 47 45 4e 45  52 49 43 20 0a 23 09 50  |..= GENERIC .#.P|
00000060  46 20 53 45 54 54 49 4e  47 53 20 09 3d 20 44 45  |F SETTINGS .= DE|
00000070  53 4b 54 4f 50 20 0a 23  09 53 54 41 54 55 53 09  |SKTOP .#.STATUS.|
00000080  09 3d 20 52 55 4c 45 53  20 4e 4f 54 20 4c 4f 41  |.= RULES NOT LOA|
00000090  44 49 4e 47 20 2d 20 53  59 4e 54 41 58 20 45 52  |DING - SYNTAX ER|
000000a0  52 4f 52 53 20 4f 4e 20  4c 49 4e 45 53 20 32 30  |RORS ON LINES 20|
000000b0  20 26 20 32 38 0a 23 09  09 09 20 20 4c 49 4e 45  | & 28.#...  LINE|
000000c0  20 32 30 3a 20 45 4d 50  54 59 21 3f 0a 23 09 09  | 20: EMPTY!?.#..|
000000d0  09 20 20 4c 49 4e 45 20  32 38 3a 20 45 4d 50 54  |.  LINE 28: EMPT|
000000e0  59 21 3f 20 0a 0a 23 23  23 23 23 23 23 23 23 23  |Y!? ..##########|
000000f0  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 20  |############### |
00000100  4d 41 43 52 4f 53 20 23  23 23 23 23 23 23 23 23  |MACROS #########|
00000110  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 23  |################|
00000120  0a 65 78 74 5f 69 66 20  3d 20 22 69 67 62 30 22  |.ext_if = "igb0"|
00000130  0a 23 69 6e 74 5f 69 66  20 3d 20 22 22 0a 62 72  |.#int_if = "".br|
00000140  6f 6b 65 6e 20 3d 20 22  32 32 34 2e 30 2e 30 2e  |oken = "224.0.0.|
00000150  32 32 20 31 32 37 2e 30  2e 30 2e 30 2f 38 2c 20  |22 127.0.0.0/8, |
00000160  31 39 32 2e 31 36 38 2e  30 2e 30 2f 31 36 2c 20  |192.168.0.0/16, |
00000170  31 37 32 2e 31 36 2e 30  2e 30 2f 31 32 2c 20 31  |172.16.0.0/12, 1|
00000180  30 2e 30 2e 30 2e 30 2f  38 2c 20 31 36 39 2e 32  |0.0.0.0/8, 169.2|
00000190  35 34 2e 30 2e 30 2f 31  36 2c 20 31 39 32 2e 30  |54.0.0/16, 192.0|
000001a0  2e 32 2e 30 2f 32 34 2c  20 31 39 32 2e 30 2e 32  |.2.0/24, 192.0.2|
000001b0  2e 30 2f 32 34 2c 20 31  39 38 2e 35 31 2e 31 30  |.0/24, 198.51.10|
000001c0  30 2e 30 2f 32 34 2c 20  32 30 33 2e 30 2e 31 31  |0.0/24, 203.0.11|
000001d0  33 2e 30 2f 32 34 2c 20  31 36 39 2e 32 35 34 2e  |3.0/24, 169.254.|
000001e0  30 2e 30 2f 31 36 2c 20  30 2e 30 2e 30 2e 30 2f  |0.0/16, 0.0.0.0/|
000001f0  38 2c 20 32 34 30 2e 30  2e 30 2e 30 2f 34 2c 20  |8, 240.0.0.0/4, |
00000200  32 35 35 2e 32 35 35 2e  32 35 35 2e 32 35 35 2f  |255.255.255.255/|
00000210  33 32 22 0a 0a 23 23 23  23 23 23 23 23 23 23 23  |32"..###########|
00000220  23 23 23 23 23 23 23 23  23 23 23 23 23 23 20 54  |############## T|
00000230  41 42 4c 45 53 20 23 23  23 23 23 23 23 23 23 23  |ABLES ##########|
00000240  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 0a  |###############.|
00000250  23 74 61 62 6c 65 20 3c  73 70 61 6d 64 2d 77 68  |#table <spamd-wh|
00000260  69 74 65 3e 20 70 65 72  73 69 73 74 0a 0a 23 23  |ite> persist..##|
00000270  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 23  |################|
00000280  23 23 23 23 23 23 23 20  4f 50 54 49 4f 4e 53 20  |####### OPTIONS |
00000290  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 23  |################|
000002a0  23 23 23 23 23 23 23 23  23 0a 73 65 74 20 74 69  |#########.set ti|
000002b0  6d 65 6f 75 74 20 69 6e  74 65 72 76 61 6c 0a 73  |meout interval.s|
000002c0  65 74 20 72 75 6c 65 73  65 74 2d 6f 70 74 69 6d  |et ruleset-optim|
000002d0  69 7a 61 74 69 6f 6e 20  62 61 73 69 63 0a 73 65  |ization basic.se|
000002e0  74 20 6f 70 74 69 6d 69  7a 61 74 69 6f 6e 20 6e  |t optimization n|
000002f0  6f 72 6d 61 6c 0a 73 65  74 20 6c 6f 67 69 6e 74  |ormal.set logint|
00000300  65 72 66 61 63 65 20 24  65 78 74 5f 69 66 0a 73  |erface $ext_if.s|
00000310  65 74 20 62 6c 6f 63 6b  2d 70 6f 6c 69 63 79 20  |et block-policy |
00000320  64 72 6f 70 0a 73 65 74  20 73 6b 69 70 20 6f 6e  |drop.set skip on|
00000330  20 6c 6f 30 0a 0a 23 23  23 23 23 23 23 23 23 23  | lo0..##########|
00000340  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 20  |############### |
00000350  54 52 41 46 46 49 43 20  4e 4f 52 4d 41 4c 49 5a  |TRAFFIC NORMALIZ|
00000360  41 54 49 4f 4e 20 23 23  23 23 23 23 23 23 23 23  |ATION ##########|
00000370  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 0a  |###############.|
00000380  61 6e 74 69 73 70 6f 6f  66 20 71 75 69 63 6b 20  |antispoof quick |
00000390  66 6f 72 20 28 24 65 78  74 5f 69 66 29 0a 6d 61  |for ($ext_if).ma|
000003a0  74 63 68 20 69 6e 20 61  6c 6c 20 73 63 72 75 62  |tch in all scrub|
000003b0  20 28 6e 6f 2d 64 66 20  6d 61 78 2d 6d 73 73 20  | (no-df max-mss |
000003c0  31 34 34 30 29 0a 23 73  63 72 75 62 20 69 6e 20  |1440).#scrub in |
000003d0  24 65 78 74 5f 69 66 20  61 6c 6c 20 66 72 61 67  |$ext_if all frag|
000003e0  6d 65 6e 74 20 72 65 61  73 73 65 6d 62 6c 65 0a  |ment reassemble.|
000003f0  0a 23 23 23 23 23 23 23  23 23 23 23 23 23 23 23  |.###############|
00000400  23 23 23 23 23 23 23 23  23 23 20 54 52 41 4e 53  |########## TRANS|
00000410  4c 41 54 49 4f 4e 20 23  23 23 23 23 23 23 23 23  |LATION #########|
00000420  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 23  |################|
00000430  0a 23 6e 61 74 2d 61 6e  63 68 6f 72 20 22 66 74  |.#nat-anchor "ft|
00000440  70 2d 70 72 6f 78 79 2f  2a 22 0a 23 72 64 72 2d  |p-proxy/*".#rdr-|
00000450  61 6e 63 68 6f 72 20 22  66 74 70 2d 70 72 6f 78  |anchor "ftp-prox|
00000460  79 2f 2a 22 0a 23 6e 61  74 20 6f 6e 20 24 65 78  |y/*".#nat on $ex|
00000470  74 5f 69 66 20 69 6e 65  74 20 66 72 6f 6d 20 21  |t_if inet from !|
00000480  28 24 65 78 74 5f 69 66  29 20 2d 3e 20 28 24 65  |($ext_if) -> ($e|
00000490  78 74 5f 69 66 3a 30 29  0a 23 72 64 72 20 70 61  |xt_if:0).#rdr pa|
000004a0  73 73 20 6f 6e 20 24 69  6e 74 5f 69 66 20 70 72  |ss on $int_if pr|
000004b0  6f 74 6f 20 74 63 70 20  74 6f 20 70 6f 72 74 20  |oto tcp to port |
000004c0  66 74 70 20 2d 3e 20 31  32 37 2e 30 2e 30 2e 31  |ftp -> 127.0.0.1|
000004d0  20 70 6f 72 74 20 38 30  32 31 0a 23 6e 6f 20 72  | port 8021.#no r|
000004e0  64 72 20 6f 6e 20 24 65  78 74 5f 69 66 20 70 72  |dr on $ext_if pr|
000004f0  6f 74 6f 20 74 63 70 20  66 72 6f 6d 20 3c 73 70  |oto tcp from <sp|
00000500  61 6d 64 2d 77 68 69 74  65 3e 20 74 6f 20 61 6e  |amd-white> to an|
00000510  79 20 70 6f 72 74 20 73  6d 74 70 0a 23 72 64 72  |y port smtp.#rdr|
00000520  20 70 61 73 73 20 6f 6e  20 24 65 78 74 5f 69 66  | pass on $ext_if|
00000530  20 70 72 6f 74 6f 20 74  63 70 20 66 72 6f 6d 20  | proto tcp from |
00000540  61 6e 79 20 74 6f 20 61  6e 79 20 70 6f 72 74 20  |any to any port |
00000550  73 6d 74 70 20 5c 0a 23  09 2d 3e 20 31 32 37 2e  |smtp \.#.-> 127.|
00000560  30 2e 30 2e 31 20 70 6f  72 74 20 73 70 61 6d 64  |0.0.1 port spamd|
00000570  0a 0a 23 23 23 23 23 23  23 23 23 23 23 23 23 23  |..##############|
00000580  23 23 23 23 23 23 23 23  23 23 23 20 50 41 43 4b  |########### PACK|
00000590  45 54 20 46 49 4c 54 45  52 49 4e 47 20 23 23 23  |ET FILTERING ###|
000005a0  23 23 23 23 23 23 23 23  23 23 23 23 23 23 23 23  |################|
000005b0  23 23 23 23 23 23 0a 23  61 6e 63 68 6f 72 20 22  |######.#anchor "|
000005c0  66 74 70 2d 70 72 6f 78  79 2f 2a 22 0a 62 6c 6f  |ftp-proxy/*".blo|
000005d0  63 6b 20 6f 75 74 20 71  75 69 63 6b 20 69 6e 65  |ck out quick ine|
000005e0  74 36 20 61 6c 6c 0a 62  6c 6f 63 6b 20 69 6e 20  |t6 all.block in |
000005f0  71 75 69 63 6b 20 69 6e  65 74 36 20 61 6c 6c 0a  |quick inet6 all.|
00000600  62 6c 6f 63 6b 20 69 6e  20 71 75 69 63 6b 20 66  |block in quick f|
00000610  72 6f 6d 20 7b 20 24 62  72 6f 6b 65 6e 20 75 72  |rom { $broken ur|
00000620  70 66 2d 66 61 69 6c 65  64 20 6e 6f 2d 72 6f 75  |pf-failed no-rou|
00000630  74 65 20 7d 20 74 6f 20  61 6e 79 0a 62 6c 6f 63  |te } to any.bloc|
00000640  6b 20 69 6e 20 61 6c 6c  0a 0a 70 61 73 73 20 6f  |k in all..pass o|
00000650  75 74 20 71 75 69 63 6b  20 6f 6e 20 24 65 78 74  |ut quick on $ext|
00000660  5f 69 66 20 69 6e 65 74  20 6b 65 65 70 20 73 74  |_if inet keep st|
00000670  61 74 65 0a 0a 23 70 61  73 73 20 71 75 69 63 6b  |ate..#pass quick|
00000680  20 6f 6e 20 24 69 6e 74  5f 69 66 20 6e 6f 20 73  | on $int_if no s|
00000690  74 61 74 65 0a 23 61 6e  74 69 73 70 6f 6f 66 20  |tate.#antispoof |
000006a0  71 75 69 63 6b 20 66 6f  72 20 7b 20 6c 6f 20 24  |quick for { lo $|
000006b0  69 6e 74 5f 69 66 20 7d  0a 0a 23 70 61 73 73 20  |int_if }..#pass |
000006c0  69 6e 20 6f 6e 20 24 65  78 74 5f 69 66 20 70 72  |in on $ext_if pr|
000006d0  6f 74 6f 20 74 63 70 20  74 6f 20 28 24 65 78 74  |oto tcp to ($ext|
000006e0  5f 69 66 29 20 70 6f 72  74 20 73 73 68 0a 23 70  |_if) port ssh.#p|
000006f0  61 73 73 20 69 6e 20 6c  6f 67 20 6f 6e 20 24 65  |ass in log on $e|
00000700  78 74 5f 69 66 20 70 72  6f 74 6f 20 74 63 70 20  |xt_if proto tcp |
00000710  74 6f 20 28 24 65 78 74  5f 69 66 29 20 70 6f 72  |to ($ext_if) por|
00000720  74 20 73 6d 74 70 0a 23  70 61 73 73 20 6f 75 74  |t smtp.#pass out|
00000730  20 6c 6f 67 20 6f 6e 20  24 65 78 74 5f 69 66 20  | log on $ext_if |
00000740  70 72 6f 74 6f 20 74 63  70 20 66 72 6f 6d 20 28  |proto tcp from (|
00000750  24 65 78 74 5f 69 66 29  20 74 6f 20 70 6f 72 74  |$ext_if) to port|
00000760  20 73 6d 74 70 0a 23 70  61 73 73 20 69 6e 20 6f  | smtp.#pass in o|
00000770  6e 20 24 65 78 74 5f 69  66 20 69 6e 65 74 20 70  |n $ext_if inet p|
00000780  72 6f 74 6f 20 69 63 6d  70 20 66 72 6f 6d 20 61  |roto icmp from a|
00000790  6e 79 20 74 6f 20 28 24  65 78 74 5f 69 66 29 20  |ny to ($ext_if) |
000007a0  69 63 6d 70 2d 74 79 70  65 20 7b 20 75 6e 72 65  |icmp-type { unre|
000007b0  61 63 68 2c 20 72 65 64  69 72 2c 20 74 69 6d 65  |ach, redir, time|
000007c0  78 20 7d  |x }|
000007c3
 
Code:
--- pf.conf.orig	2015-05-25 07:27:37.437585000 +0200
+++ pf.conf	2015-05-25 07:27:58.452956000 +0200
@@ -20,15 +20,15 @@
 
 ######################### OPTIONS #########################
 set loginterface $ext_if
-set timeout interval
+set timeout interval 10
 set ruleset-optimization basic
 set optimization normal
 set block-policy drop
 set skip on lo0
 
 ######################### TRAFFIC NORMALIZATION #########################
+scrub in on $ext_if no-df max-mss 1440
 antispoof quick for ($ext_if)
-match in all scrub (no-df max-mss 1440)
 #scrub in $ext_if all fragment reassemble
 
 ######################### TRANSLATION #########################
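Review bot: `+set timeout interval 10` sets pf's state-purge interval to the value that is already the default (10 seconds), so if the only goal was to make the statement parse, deleting the `set timeout interval` line is equivalent and avoids a setting that looks deliberate to the next reader. Separately, the context line `#scrub in $ext_if all fragment reassemble` is missing the `on` keyword before the interface and would fail with the same kind of syntax error if it is ever uncommented; while touching this block, consider changing it to `#scrub in on $ext_if all fragment reassemble`.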
The lines reported by PF were a little off... You were missing a number after set timeout interval and the match in all scrub syntax is AFAIK not supported by FreeBSD.
 
Spot on, I missed the interval value and the match[..] option is only supported by OpenBSD's PF. However, pfctl(8) should be looked into for outputting misleading error messages. They completely threw me off the real errors (infinite loop).
Anyway, thank you very much tobik, the rules are now loaded without errors.
 
I highly doubt that's the issue, but I tried your suggestions and no luck.

My suggestion was that two lines were incorrect. One missing a timeout value and the other possibly not supported. Strange how a mention of those exact same two rules being incorrect was "spot on" a few posts later. Did you not read my post fully?
 
Chill, you didn't exactly explain why it was complaining about the two statements, and I did take your advice and commented them out, but it didn't work. Anyway, thank you for your contribution.
 