Every time I try to make some sensible pf rules, I fail. Need someone to help me with the puzzling syntax and mechanics of pf.
Here is my pf.conf:
1 # The name of our network interface as seen in `ifconfig`
2 ext_if="re0"
3 usb_if="ue0"
4 wlan_if="wlan0"
5 wlan_network = $wlan_if:network
6
7 all_ifs = "{" $ext_if $usb_if $wlan_if "}"
8
9 # Macros to define the set of TCP and UDP ports to open.
10 # Add additional ports or ranges separated by commas.
11 # UDP 60000-60010 is mosh control http://mosh.mit.edu/
12 tcp_services = "{ ssh, http, https, smtp, domain, www, pop3, auth, pop3s }"
13 udp_services = "{ 60000:60010, domain, ntp }"
14
15 # If you block all ICMP requests you will break things like path MTU
16 # discovery. These macros define allowed ICMP types. The additional
17 # ICMPv6 types are for neighbor discovery (RFC 4861)
18 icmp_types = "{echoreq, unreach}"
19 icmp6_types="{echoreq, unreach, 133, 134, 135, 136, 137}"
20
21 # send RST
22 set block-policy return
23
24 # log interface on cable->ISP
25 set loginterface $ext_if
26
27 # Exempt the loopback interface to prevent services utilizing the
28 # local loop from being blocked accidentally.
29 set skip on lo0
30
31 # normalize all incoming traffic
32 scrub in on $ext_if all fragment reassemble
33
34 # block and log everything by default
35 block return log on $ext_if all
36
37 # block anything coming from source we have no back routes for
38 block in from no-route to any
39
40 # block packets whose ingress interface does not match the one in
41 # the route back to their source address
42 block in from urpf-failed to any
43
44 # block and log outgoing packets that do not have our address as source,
45 # they are either spoofed or something is misconfigured (NAT disabled,
46 # for instance), we want to be nice and do not send out garbage.
47 block out log quick on $ext_if from ! 31.41.112.52 to any
48
49 # block and log incoming packets from reserved address space and invalid
50 # addresses, they are either spoofed or misconfigured, we cannot reply to
51 # them anyway (hence, no return-rst).
52 block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12,
53 192.168.0.0/16, 255.255.255.255/32 } to any
54
55 # Enable antispoofing on all interfaces
56 antispoof quick for $all_ifs
57
58 # drop broadcast requests quietly.
59 block in quick on $all_ifs from any to 255.255.255.255
60
61 # ICMP
62
63 # pass out/in certain ICMP queries and keep state (ping)
64 # state matching is done on host addresses and ICMP id (not type/code),
65 # so replies (like 0/0 for 8/0) will match queries
66 # ICMP error messages (which always refer to a TCP/UDP packet) are
67 # handled by the TCP/UDP states
68 pass on $ext_if inet proto icmp all icmp-type 8 code 0
69
70 # UDP
71
72 # pass out all UDP connections and keep state
73 pass out on $ext_if proto udp all
74
75 # pass in certain UDP connections and keep state (DNS)
76 pass in on $ext_if proto udp from any to any port domain
77
78 # TCP
79
80 # pass out all TCP connections and modulate state
81 pass out on $ext_if proto tcp all modulate state
82
83 # pass in certain TCP connections and keep state
84 pass in on $ext_if proto tcp from any to any port $tcp_services
85
86 # IPv6
87 # pass in/out all IPv6 traffic: note that we have to enable this in two
88 # different ways, on both our physical interface and our tunnel
89 pass quick on $ext_if proto ipv6
90
91 # NAT on wi-fi
92 nat on $ext_if from $wlan_network to any -> ($ext_if)
93 pass from ($wlan_network) to any keep state
94
The error is:
/etc/pf.conf:92: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
I have a wifi dongle connected, every now and then, to my laptop. The device is configured to be in access point state, so I can share my internet connection from the laptop with other devices. What I want to do is pass packets to and from the local wifi network to an external interface. I use NAT for that. When the dongle is connected, everything goes fine. But most of the time it is not.
My thought is that, since the wifi dongle is not connected on a regular basis, there is no $wlan_network, and because of that there is an error.
How can I solve the situation? In other words, how do I make a pf rule execute on the condition that I have a wifi network interface?
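One fix, shown here as an added example rather than as the asker's own file: keep the macro but reference it inside parentheses, so pf resolves wlan0 at run time instead of at load time. Only the two rules that mention the wifi network are shown; the interface names are the asker's, and the ordering remark assumes FreeBSD's pf (which the re0/ue0 names suggest).

```pf
# Added example, not the asker's pf.conf. Interface names taken from the question.
ext_if  = "re0"
wlan_if = "wlan0"

# The macro expands to the bare text wlan0:network (pf joins macro text, it does
# not evaluate it), so the rules below decide when that text becomes addresses.
wlan_network = $wlan_if:network

# As posted (the asker's line 92). Without parentheses pfctl looks up the
# wlan0 prefix while parsing the file; with the dongle unplugged there is no
# wlan0 to look up and the load aborts with "could not parse host
# specification". Kept here, commented out, only to show the broken form.
#nat on $ext_if from $wlan_network to any -> ($ext_if)

# Fixed: wrap the macro in parentheses, exactly as the asker's line 93 already
# does for the pass rule. A parenthesised interface is a dynamic address: the
# rule stores the name "wlan0" plus the :network modifier, and the kernel fills
# in the prefix whenever wlan0 appears, changes address or goes away. The
# ruleset therefore loads with or without the dongle, and while wlan0 is absent
# the dynamic address holds no prefix, so the NAT rule simply matches nothing.
nat on $ext_if from ($wlan_network) to any -> ($ext_if)
pass from ($wlan_network) to any keep state

# Note for FreeBSD's pf: pfctl also enforces the section order
#   options, normalization, queueing, translation, filter
# so once the host-specification error is gone this nat rule must be moved
# above the first block/pass rule, not left at the end of the file.
```

Check the result with the dongle unplugged before loading it: pfctl -nf /etc/pf.conf parses the file without installing the rules, so a remaining load-time lookup shows up there rather than after a reboot.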