PF Syntax error

Hi,

I have a firewall rule that I cannot validate. As a rule I am blocking everything and want to allow the outputs of active connections, but when I attempt to change the rule, I get "incorrect syntax". I searched online, but I find no difference from these rules. Does anyone see any error?

Code:
extif="em0"

webserver="X.X.X.1"
table <sshserver> const { X.X.X.2, X.X.X.5 }

table <privnets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

icmp_types="echoreq"

set block-policy drop
set loginterface $extif
set skip on lo0				

block in log all
#pass quick on lo0 all
block in quick from urpf-failed
antispoof log quick for $extif

# SSH
pass in on $extif proto tcp from any to <sshserver> port { 22 } keep state (max-src-conn-rate 3 / 60)

# DNS server
pass in on $extif proto tcp from any to <dnsserver> port domain flags S/SA modulate state 
pass in on $extif proto udp from any to <dnsserver> port domain keep state

# WebServer
pass in on $extif proto tcp from any to $webserver port { http, https } flags S/SA
pass in on $extif proto tcp from any to $webserver port { http, https } flags S/SA synproxy state

# ICMP
pass in inet proto icmp all icmp-type $icmp_types keep state

pass out on $extif proto ipv6 all
#SSH disconnect pass out on $extif proto tcp all flags S/SA modulate state
pass out on $extif proto tcp all modulate state #It replaces the previous rule, as I got disconnected from ssh and it did not let me connect
# ERROR SYNTAX ERROR
pass out on $extif proto udp all modulate state
pass out on $extif all keep state
pass out on $extif from any to any keep state
pass out on $extif from proto udp any to any keep state
pass out on $extif proto udp from any to any 
pass out on $extif to inet
pass out on $extif proto { tcp udp icmp } all modulate state
pass out on $extif proto udp all modulate state
pass out on $extif proto all modulate state
pass out keep state
pass out on $extif proto { udp, icmp } all keep state
# End Syntax error

Any idea? Thank you.

Regards
 
Hi,

Solved. I think it is good when you're away from the computer :e. I solved it by leaving a blank line below the last line... Sorry for the inconvenience.

regards
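
The fix reported above was a blank line after the last rule, which is consistent with the last line of the ruleset file having no terminating newline (an assumption; the post does not show the file's bytes). The following is an added example, not code from the thread: a pre-load check that detects and repairs that condition, then dry-run parses the file with `pfctl -n -f` when `pfctl` is available. The function names and the constructed sample are hypothetical.

```shell
#!/bin/sh
# Added example: pre-load check for a pf ruleset file (function names are hypothetical).

# Return 0 if the file is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] || return 1
    # Command substitution strips a trailing newline, so an empty
    # result means the last byte of the file was "\n".
    [ -z "$(tail -c 1 "$1")" ]
}

# Append the missing newline in place; no-op if already terminated.
ensure_trailing_newline() {
    ends_with_newline "$1" && return 0
    printf '\n' >> "$1"
}

# Fix termination, then parse without loading if pfctl is installed.
check_ruleset() {
    conf=$1
    if ! ends_with_newline "$conf"; then
        echo "warning: $conf: last line has no terminating newline, fixing" >&2
        ensure_trailing_newline "$conf" || return 1
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -n -f "$conf"   # -n: parse only, do not load the rules
    fi
}

if [ $# -gt 0 ]; then
    check_ruleset "$1"
else
    # Constructed sample: two rules from the post, the last one unterminated.
    sample=$(mktemp)
    printf 'block in log all\npass out on em0 proto udp all modulate state' > "$sample"
    ends_with_newline "$sample" || echo "sample: unterminated last line"
    ensure_trailing_newline "$sample"
    ends_with_newline "$sample" && echo "sample: fixed"
    rm -f "$sample"
fi
```

Running the dry-run parse before every reload keeps a malformed file from replacing a working ruleset on a host that is only reachable over the network.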
 