PF pf syntax error

Hi,

I am trying to follow this guide: https://www.vultr.com/docs/building-your-own-mail-server-with-freebsd-11
Unfortunately, when copying the pf config and starting the daemon (or reloading the config with pfctl -f /usr/local/etc/pf.conf), I get this output:

Code:
/usr/local/etc/pf.conf:27: syntax error
/usr/local/etc/pf.conf:29: syntax error
/usr/local/etc/pf.conf:35: Rules must be in order: options, normalization, queueing, translation, filtering
/usr/local/etc/pf.conf:60: port only applies to tcp/udp
/usr/local/etc/pf.conf:60: skipping rule due to errors
/usr/local/etc/pf.conf:60: rule expands to no valid combination
pfctl: Syntax error in config file: pf rules not loaded

Here are the concerned lines:
/usr/local/etc/pf.conf:27
Code:
pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
        -> 127.0.0.1 port 25

/usr/local/etc/pf.conf:29
Code:
rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
        -> 127.0.0.1 port 25

/usr/local/etc/pf.conf:35
Code:
rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
            -> 127.0.0.1 port 8025

/usr/local/etc/pf.conf:60
Code:
pass quick on $ext_if from any to any port http

My VPS is running FreeBSD 12.2-RELEASE.
I have little to no knowledge of firewalls. What did I do wrong?
 
/usr/local/etc/pf.conf:27
Code:
pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
-> 127.0.0.1 port 25
'->' only with rdr, nat, binat: Here rdr is missing, and drop "quick" (see below).


/usr/local/etc/pf.conf:29
Code:
rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
-> 127.0.0.1 port 25
rdr knows no 'quick'

Useful cheat sheet:
man pf.conf SECTION Grammar
 
Is your $ext_if defined?
Yes it is. Here is my pf.conf; it is just a copy of the tutorial:
Code:
## Set public interface ##
ext_if="vtnet0"
## set and drop IP ranges on the public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
            10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
            0.0.0.0/8, 240.0.0.0/4 }"
table <spamd> persist
table <spamd-allow> persist
# Allowed webmail services
#table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"
## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
# Deal with attacks based on incorrect handling of packet fragments
scrub in all
# Pass spamd allow list
rdr pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
        -> 127.0.0.1 port 25
# Pass webmail servers
rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
        -> 127.0.0.1 port 25
# pass submission messages.
pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
# Pass unknown mail to spamd
rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
            -> 127.0.0.1 port 8025
## Blocking spoofed packets
antispoof quick for $ext_if
## Set default policy ##
block return in log all
block out all
# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
pass in inet proto tcp to $ext_if port ssh
# Allow Ping-Pong stuff. Be a good sysadmin
pass inet proto icmp icmp-type echoreq
# Open up imap/pop3 support
pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
# Allow outgoing traffic
pass out on $ext_if proto tcp from any to any modulate state
pass out on $ext_if proto udp from any to any keep state
#pass quick on $ext_if from any to any port http

'->' only with rdr, nat, binat: Here rdr is missing, and drop "quick" (see below).



rdr knows no 'quick'

Useful cheat sheet:
man pf.conf SECTION Grammar

Thank you, this fixed the syntax errors, but I still get this error:

Code:
/usr/local/etc/pf.conf:35: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

35 is this line:
Code:
rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
            -> 127.0.0.1 port 8025
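
An added example, not part of the thread or the linked guide: a simplified Python checker for the mistakes pfctl reports above (`->` outside rdr/nat/binat, `quick` on a translation rule, section order, and `port` without `proto`). The names `lint_pf`, `statements` and `SAMPLE` are hypothetical, the sample is constructed from the rules posted above, and the keyword table models only the keywords seen here, not pf's full grammar.

```python
# Section order taken from the pfctl error message quoted in the thread.
SECTIONS = ["options", "normalization", "queueing", "translation", "filtering"]
KEYWORD_SECTION = {"set": 0, "scrub": 1, "altq": 2, "queue": 2, "nat": 3,
                   "rdr": 3, "binat": 3, "pass": 4, "block": 4, "antispoof": 4}

def statements(text):
    """Yield (first_line_no, statement), joining backslash-continued lines."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].rstrip()  # naive comment strip (assumption)
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        if (buf + line).strip():
            yield start, (buf + line).strip()
        buf, start = "", None

def lint_pf(text):
    """Return [(line_no, message)] for the mistakes discussed in the thread."""
    findings, highest = [], 0
    for no, stmt in statements(text):
        words = stmt.split()
        kw = words[1] if words[0] == "no" and len(words) > 1 else words[0]
        section = KEYWORD_SECTION.get(kw)
        if section is None:  # macros, tables, anything not modelled here
            continue
        if section < highest:
            findings.append((no, f"{SECTIONS[section]} rule after {SECTIONS[highest]} rule"))
        highest = max(highest, section)
        if "->" in words and section != 3:
            findings.append((no, "'->' only valid with rdr, nat, binat"))
        if section == 3 and "quick" in words:
            findings.append((no, "translation rules take no 'quick'"))
        if section == 4 and "port" in words and "proto" not in words:
            findings.append((no, "port only applies to tcp/udp: add proto"))
    return findings

# Constructed sample: rules from the posted pf.conf after dropping 'quick' from rdr.
SAMPLE = r"""scrub in all
rdr pass log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
        -> 127.0.0.1 port 25
pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
        -> 127.0.0.1 port 8025
pass quick on $ext_if from any to any port http
"""
for line_no, message in lint_pf(SAMPLE):
    print(f"line {line_no}: {message}")
```

On the sample, the line 5 finding is the error the thread ends on: that rdr rule follows a pass rule, so it belongs with the other translation rules above the first filter rule.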
 