# PF Rules problem



## smokisergi (Mar 25, 2013)

Hi guys,

I have a problem with my rules on my pf firewall. I have this output when I try to start pf.

`/etc/rc.d/pf start`


```
/etc/pf.conf:33: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:34: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:35: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:43: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:44: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded
```

My pf.conf:


```
#########
## Macros
#########

ext_if="rl0"
hostaddr="192.xxx.x.xx"
tcp_pass="{ 80 22 25 53 110 123 587 631 8180 8005 10000 }"
udp_pass="{ 53 80 110 631 8180 587 8005 10000 }"

# Any host or range listed in this macro will be blocked
badguys="{ 62.201.220.136, 5.199.133.223, 220.191.161.221 }"
block all

#########
## Tables
#########

table <local> { 192.168.0/24 }
pass in quick from <local> to any keep state

#table <spamd-white> persist


##########
## Options
##########
set loginterface $ext_if
set optimization normal
set block-policy return
set require-order yes
set skip on lo


########################
## Traffic normalization
########################
scrub in all random-id fragment reassemble
scrub out all random-id fragment reassemble


#######################
## Bandwidth management
#######################


##############
## Translation
##############


##############
## Redirection
##############

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr-anchor "relayd/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#anchor "relayd/*"


#######################################
## Packet filtering
## block and log everything by default
######################################

block log all


## DEBUG:
##  LOG Blocked Packets [uncomment above]:
##     block log all
##  VIEW LOG VIA:
##     tcpdump -n -e -ttt -i pflog0

### Theo's suggestions instead of pfstat
# systat pf 1
# and then use the right and left cursors to see additional
# interesting views
# this is also a good tool
# pfctl -s all


# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }

# block anything coming from sources we have no route back to
block in from no-route to any

# block packets whose ingress interface does not match the one
# the route back to their source address
block in from urpf-failed to any

# block and log outgoing packets that do not have our address as source
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance), we want to be nice and not send out garbage
# block out log quick on $ext_if from ! 157.161.48.183 to any

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255



# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we cannot reply to
# them anyway (hence, no return-rst).
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, 255.255.255.255/32 } to any



####################################################
## Only allow outgoing services which are sensible..
####################################################

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
# pass out on $ext_if inet proto icmp all icmp-type 8 code 0

# UDP
# pass out certain UDP connections and keep state (DNS)
pass out on $ext_if proto udp to any port $udp_pass


# TCP
# pass out certain TCP connections and keep state (SSH, SMTP, DNS)
pass out on $ext_if proto tcp to any port $tcp_pass
```

I don't see what I need to change. Any suggestion?

Thanks,

Sergio


----------



## SirDice (Mar 25, 2013)

The order is wrong. Put all the options first, then your NAT and last your rules.


----------
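An added example, not part of this thread: a small Python checker that applies the ordering pfctl complains about (options, normalization, queueing, translation, filtering) to a pf.conf text and reports rules that appear after a later section, as the `set` and `scrub` lines do in the posted config. It is a simplified approximation of what `pfctl -nf /etc/pf.conf` checks (run that on the real box); the sample config is constructed in the shape of the original one.

```python
# Section order pfctl enforces when "set require-order yes" is in effect.
ORDER = ["options", "normalization", "queueing", "translation", "filtering"]
SECTION_OF = {"set": "options", "scrub": "normalization", "altq": "queueing",
              "queue": "queueing", "nat": "translation", "rdr": "translation",
              "binat": "translation", "nat-anchor": "translation", "rdr-anchor": "translation",
              "pass": "filtering", "block": "filtering", "antispoof": "filtering", "anchor": "filtering"}

def logical_lines(text):
    # Yield (first_line_no, text) with trailing-backslash continuations joined.
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        yield start, " ".join(buf + [raw])
        buf, start = [], None

def classify(line):
    # Section of a pf.conf line; None for blanks, comments, macros and tables.
    words = line.split("#", 1)[0].split()
    if not words or words[0] == "table" or "=" in words[0] or words[1:2] == ["="]:
        return None
    keyword = words[1] if words[0] == "no" and len(words) > 1 else words[0]
    return SECTION_OF.get(keyword)

def check_order(text):
    # Return [(line_no, section, rule)] for rules placed after a later section.
    problems, highest = [], -1
    for n, line in logical_lines(text):
        section = classify(line)
        if section is None:
            continue
        rank = ORDER.index(section)
        if rank < highest:
            problems.append((n, section, line.strip()))
        highest = max(highest, rank)
    return problems

# Constructed sample in the shape of the thread's config: filter rules before set/scrub.
BROKEN = """\
ext_if="rl0"
block all
table <local> { 192.168.0/24 }
pass in quick from <local> to any keep state
set skip on lo
scrub in all fragment reassemble
"""
# Same rules with options and normalization moved to the top, as suggested above.
FIXED = "\n".join(BROKEN.splitlines()[i] for i in (0, 4, 5, 2, 1, 3)) + "\n"
```

`check_order(BROKEN)` flags lines 5 and 6 (the `set` and `scrub` rules), while `check_order(FIXED)` returns an empty list.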



## rupil (Mar 25, 2013)

You have block all under Macros, I don't think that should be there; block log all under Packet filtering is correct.


----------



## smokisergi (Mar 26, 2013)

Thanks @SirDice, it works now!


----------



## smokisergi (Mar 26, 2013)

Hi, 

It just works, but now I can't access any ports; every port is closed. I'm a newbie on PF. Can you show me the lines that are blocking everything?

Thanks for your help.

Sergio


----------



## SirDice (Mar 26, 2013)

smokisergi said:

> Can you show me the lines that are blocking everything?



Take your pick.


```
block all

{...}

block log all

{...}

block in from no-route to any

{...}

block in from urpf-failed to any

{...}

block in quick on $ext_if from any to 255.255.255.255

{...}

block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, 255.255.255.255/32 } to any
```


----------



## smokisergi (Mar 26, 2013)

Thanks SirDice

Block was at:

```
block log all
```

Here I commented out "block log all" and included this:

```
pass in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass out on $ext_if proto { tcp, udp } all keep state
```


```
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \
                          192.168.0.0/16, 255.255.255.255/32 } to any
```
My network is on 192.168.0.0/16

Now everything works fine. If I should change other things, can you tell me please?

Sergio


----------

