Hello!
This was the first thing I checked.
But I think there was a deadly combo of two factors:
1) the continuation character
2) The nuance described in man pf.conf:
"Care should be taken when
commenting out multi-line text: the comment is effective until the end of
the entire block."
After continuous experimenting with the rules there are too many
commented lines mixed with real config blocks in my pf.conf.
I really have to do some cleaning.
Thank you everybody for all your help!
On Tue May 21 16:49:00 2024, Steve Williams wrote:
> A lot of Unix configuration files have an issue with the continuation
> character "\" IF THERE IS A SPACE AFTER IT!!
>
> Make sure that the \ is the last character on the line!
>
> S.
>
> On 20/05/2024 11:01 p.m., Maksim Rodin wrote:
> > I solved the problem by copying the entire rule block right after
> > the old one and commenting out the old one.
> >
> > New:
> > pass in on egress inet proto tcp to (egress) port $mail_ports \
> > keep state (max-src-conn 20, \
> > max-src-conn-rate 35/300, overload <bad_ips> \
> > flush global) \
> > rdr-to $mail_server
> >
> > Old:
> > pass in on egress inet proto tcp to (egress) \
> > port $mail_ports \
> > keep state (max-src-conn 20, \
> > max-src-conn-rate 35/300, overload <bad_ips> \
> > flush global) rdr-to $mail_server
> >
> > I only split one line and merged two other lines into one
> > but I think I did it correctly and I do not see any logical
> > changes in the block.
> >
> > I still cannot understand what happened because there were no
> > uncommented excess lines within the old block.
> >
> > Before copying the entire rule block I even occasionally made
> > a typo in the old rule and checked it with pfctl -nf /etc/pf.conf.
> > PF still did as if there were no block with the typo at all:
> >
> > pass in on egress inet proto tcp to (egress) \
> > pppport $mail_ports \
> > keep state (max-src-conn 20, \
> > max-src-conn-rate 35/300, overload <bad_ips> \
> > flush global) rdr-to $mail_server
> >
> >
> >
> > On Mon May 20 11:43:21 2024, Maksim Rodin wrote:
> > > Hello,
> > > I use OpenBSD 7.5 stable amd64.
> > > I uncommented an old rule and the corresponding macro in pf.conf
> > > which definitely worked when the
> > > machine was on version 7.3 and possibly 7.4.
> > >
> > > After that:
> > > pfctl -nf /etc/pf.conf shows nothing
> > > pfctl -f /etc/pf.conf shows nothing
> > > So Packet Filter seems to be happy with the config as a whole.
> > >
> > > pfctl -vvsr shows the old rules WITHOUT the uncommented one.
> > > pfctl -vvnf /etc/pf.conf warns that the uncommented macro
> > > used in the uncommented rule is NOT used.
> > >
> > > The output of pfctl -vvnf /etc/pf.conf is appended as
> > > pfctl_vvnf file
> > > The output of pfctl -vvsr is appended as
> > > pfctl_vvsr file
> > >
> > >
> > > Did I miss something when changing the configuration?
> > >
> > > The uncommented section 1 is:
> > > mail_ports = "{ submission imaps }"
> > >
> > > The uncommented section 2 is:
> > > pass in on egress inet proto tcp to (egress) \
> > > port $mail_ports \
> > > keep state (max-src-conn 20, \
> > > max-src-conn-rate 35/300, overload <bad_ips> \
> > > flush global) rdr-to $mail_server
> > >
> > >
> > > My whole pf.conf (all uncommented lines):
> > > int_if = "{ vether1 em1 em2 em3 }"
> > > table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 \
> > > 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 \
> > > 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
> > > }
> > > table <spamd-white> persist
> > > table <nospamd> persist file "/etc/mail/nospamd"
> > > table <bad_ips> persist file "/etc/pf/bad_ips"
> > >
> > > transmission_server = "192.168.1.65"
> > > mail_server = "192.168.1.171"
> > >
> > > mail_ports = "{ submission imaps }"
> > >
> > > block log all
> > > set limit table-entries 1000000
> > > set block-policy drop
> > > set syncookies adaptive (start 29%, end 15%)
> > > set skip on lo
> > >
> > > match in all scrub (no-df random-id max-mss 1440)
> > > match out on egress inet from (vether1:network) \
> > > to any nat-to (egress:0)
> > >
> > > block in quick on egress from <martians> to any
> > > block return out quick on egress from any to <martians>
> > > block quick from <bad_ips>
> > >
> > > pass out quick inet
> > > pass in on $int_if inet
> > >
> > > pass in on egress inet proto tcp \
> > > to (egress) port 22 keep state \
> > > (max-src-conn 2, max-src-conn-rate 2/300, \
> > > overload <bad_ips> flush global)
> > >
> > > pass in on egress inet proto { tcp udp } \
> > > to (egress) port domain keep state \
> > > (max-src-states 10) \
> > > rdr-to 127.0.0.1 port 8053
> > >
> > > pass in on $int_if inet proto { tcp udp } from \
> > > (vether1:network) to (egress) port domain
> > >
> > > pass in on egress inet proto { tcp udp } \
> > > to (egress) port 50000 \
> > > rdr-to $transmission_server
> > >
> > > pass in on egress inet proto tcp to (egress) \
> > > port $mail_ports \
> > > keep state (max-src-conn 20, \
> > > max-src-conn-rate 35/300, overload <bad_ips> \
> > > flush global) rdr-to $mail_server
> > >
> > > pass in on egress proto tcp to (egress) \
> > > port smtp divert-to 127.0.0.1 port spamd
> > > pass in on egress proto tcp from <nospamd> to (egress) \
> > > port smtp rdr-to $mail_server
> > > pass in log on egress proto tcp from <spamd-white> \
> > > to (egress) port smtp \
> > > rdr-to $mail_server
> > > pass out on egress proto tcp to (egress) port smtp
> > >
> > >
> > > --
> > > Best regards
> > > Maksim Rodin
> > > warning: macro 'mail_ports' not used
> > > Loaded 714 passive OS fingerprints
> > > int_if = "{ vether1 em1 em2 em3 }"
> > > table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
> > > 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 }
> > > table <spamd-white> persist
> > > table <nospamd> persist file "/etc/mail/nospamd"
> > > table <bad_ips> persist file "/etc/pf/bad_ips"
> > > transmission_server = "192.168.1.65"
> > > mail_server = "192.168.1.171"
> > > mail_ports = "{ submission imaps }"
> > > set limit table-entries 1000000
> > > set block-policy drop
> > > set syncookies adaptive (start 29%, end 15%)
> > > set skip on { lo }
> > > @0 block drop log all
> > > @1 match in all scrub (no-df random-id max-mss 1440)
> > > @2 match out on egress inet from (vether1:network:*) to any nat-to
> > > (egress:0:*) round-robin
> > > @3 block drop in quick on egress from <martians:0> to any
> > > @4 block return out quick on egress from any to <martians:0>
> > > @5 block drop quick from <bad_ips:0> to any
> > > @6 pass out quick inet all flags S/SA
> > > @7 pass in on vether1 inet all flags S/SA
> > > @8 pass in on em1 inet all flags S/SA
> > > @9 pass in on em2 inet all flags S/SA
> > > @10 pass in on em3 inet all flags S/SA
> > > @11 pass in on egress inet proto tcp from any to (egress:*) port = 22
> > > flags S/SA keep state (source-track rule, max-src-conn 2,
> > > max-src-conn-rate 2/300, overload <bad_ips> flush global, src.track 300)
> > > @12 pass in on egress inet proto tcp from any to (egress:*) port = 53
> > > flags S/SA keep state (source-track global, max-src-states 10) rdr-to
> > > 127.0.0.1 port 8053
> > > @13 pass in on egress inet proto udp from any to (egress:*) port = 53
> > > keep state (source-track global, max-src-states 10) rdr-to 127.0.0.1 port
> > > 8053
> > > @14 pass in on vether1 inet proto tcp from (vether1:network:*) to
> > > (egress:*) port = 53 flags S/SA
> > > @15 pass in on em1 inet proto tcp from (vether1:network:*) to (egress:*)
> > > port = 53 flags S/SA
> > > @16 pass in on em2 inet proto tcp from (vether1:network:*) to (egress:*)
> > > port = 53 flags S/SA
> > > @17 pass in on em3 inet proto tcp from (vether1:network:*) to (egress:*)
> > > port = 53 flags S/SA
> > > @18 pass in on vether1 inet proto udp from (vether1:network:*) to
> > > (egress:*) port = 53
> > > @19 pass in on em1 inet proto udp from (vether1:network:*) to (egress:*)
> > > port = 53
> > > @20 pass in on em2 inet proto udp from (vether1:network:*) to (egress:*)
> > > port = 53
> > > @21 pass in on em3 inet proto udp from (vether1:network:*) to (egress:*)
> > > port = 53
> > > @22 pass in on egress inet proto tcp from any to (egress:*) port = 50000
> > > flags S/SA rdr-to 192.168.1.65
> > > @23 pass in on egress inet proto udp from any to (egress:*) port = 50000
> > > rdr-to 192.168.1.65
> > > @24 pass in on egress inet proto tcp from any to (egress:*) port = 25
> > > flags S/SA divert-to 127.0.0.1 port 8025
> > > @25 pass in on egress inet proto tcp from <nospamd:0> to (egress:*) port
> > > = 25 flags S/SA rdr-to 192.168.1.171
> > > @26 pass in log on egress inet proto tcp from <spamd-white:0> to
> > > (egress:*) port = 25 flags S/SA rdr-to 192.168.1.171
> > > @27 pass out on egress proto tcp from any to (egress:*) port = 25 flags
> > > S/SA
> > > @0 block drop log all
> > > [ Evaluations: 1331 Packets: 746 Bytes: 35871 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @1 match in all scrub (no-df random-id max-mss 1440)
> > > [ Evaluations: 1331 Packets: 21182 Bytes: 12745032 States:
> > > 19 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @2 match out on egress inet from (vether1:network:1) to any nat-to
> > > (egress:0:1) round-robin
> > > [ Evaluations: 1331 Packets: 20878 Bytes: 12693160 States:
> > > 14 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @3 block drop in quick on egress from <martians:9> to any
> > > [ Evaluations: 973 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @4 block return out quick on egress from any to <martians:9>
> > > [ Evaluations: 973 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @5 block drop quick from <bad_ips:8018> to any
> > > [ Evaluations: 1331 Packets: 157 Bytes: 9756 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @6 pass out quick inet all flags S/SA
> > > [ Evaluations: 1174 Packets: 21152 Bytes: 12742195 States:
> > > 19 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 215 ]
> > > @7 pass in on vether1 inet all flags S/SA
> > > [ Evaluations: 959 Packets: 21031 Bytes: 12722634 States:
> > > 17 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 170 ]
> > > @8 pass in on em1 inet all flags S/SA
> > > [ Evaluations: 959 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @9 pass in on em2 inet all flags S/SA
> > > [ Evaluations: 959 Packets: 54 Bytes: 8100 States:
> > > 1 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 18 ]
> > > @10 pass in on em3 inet all flags S/SA
> > > [ Evaluations: 959 Packets: 54 Bytes: 8910 States:
> > > 1 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 18 ]
> > > @11 pass in on egress inet proto tcp from any to (egress:1) port = 22
> > > flags S/SA keep state (source-track rule, max-src-conn 2,
> > > max-src-conn-rate 2/300, overload <bad_ips> flush global, src.track 300)
> > > [ Evaluations: 959 Packets: 19 Bytes: 3983 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 1 ]
> > > @12 pass in on egress inet proto tcp from any to (egress:1) port = 53
> > > flags S/SA keep state (source-track global, max-src-states 10) rdr-to
> > > 127.0.0.1 port 8053
> > > [ Evaluations: 599 Packets: 15 Bytes: 862 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 2 ]
> > > @13 pass in on egress inet proto udp from any to (egress:1) port = 53
> > > keep state (source-track global, max-src-states 10) rdr-to 127.0.0.1 port
> > > 8053
> > > [ Evaluations: 22 Packets: 3 Bytes: 194 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 1 ]
> > > @14 pass in on vether1 inet proto tcp from (vether1:network:1) to
> > > (egress:1) port = 53 flags S/SA
> > > [ Evaluations: 325 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @15 pass in on em1 inet proto tcp from (vether1:network:1) to (egress:1)
> > > port = 53 flags S/SA
> > > [ Evaluations: 149 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @16 pass in on em2 inet proto tcp from (vether1:network:1) to (egress:1)
> > > port = 53 flags S/SA
> > > [ Evaluations: 149 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @17 pass in on em3 inet proto tcp from (vether1:network:1) to (egress:1)
> > > port = 53 flags S/SA
> > > [ Evaluations: 131 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @18 pass in on vether1 inet proto udp from (vether1:network:1) to
> > > (egress:1) port = 53
> > > [ Evaluations: 240 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @19 pass in on em1 inet proto udp from (vether1:network:1) to (egress:1)
> > > port = 53
> > > [ Evaluations: 149 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @20 pass in on em2 inet proto udp from (vether1:network:1) to (egress:1)
> > > port = 53
> > > [ Evaluations: 149 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @21 pass in on em3 inet proto udp from (vether1:network:1) to (egress:1)
> > > port = 53
> > > [ Evaluations: 131 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @22 pass in on egress inet proto tcp from any to (egress:1) port = 50000
> > > flags S/SA rdr-to 192.168.1.65
> > > [ Evaluations: 727 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @23 pass in on egress inet proto udp from any to (egress:1) port = 50000
> > > rdr-to 192.168.1.65
> > > [ Evaluations: 20 Packets: 2 Bytes: 185 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 2 ]
> > > @24 pass in on egress inet proto tcp from any to (egress:1) port = 25
> > > flags S/SA divert-to 127.0.0.1 port 8025
> > > [ Evaluations: 619 Packets: 4 Bytes: 164 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 1 ]
> > > @25 pass in on egress inet proto tcp from <nospamd:20> to (egress:1) port
> > > = 25 flags S/SA rdr-to 192.168.1.171
> > > [ Evaluations: 1 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @26 pass in log on egress inet proto tcp from <spamd-white:1> to
> > > (egress:1) port = 25 flags S/SA rdr-to 192.168.1.171
> > > [ Evaluations: 1 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> > > @27 pass out on egress proto tcp from any to (egress:1) port = 25 flags
> > > S/SA
> > > [ Evaluations: 21 Packets: 0 Bytes: 0 States:
> > > 0 ]
> > > [ Inserted: uid 0 pid 13268 State Creations: 0 ]
> >
>
--
Best regards
Maksim Rodin
