Today I ran into a problem setting up authpf.
It seems I made all the settings correctly (it works on other servers, but not with this pf configuration). On authentication I get:
/etc/authpf/users/test/authpf.rules:2: syntax error
pfctl: Syntax error in config file: pf rules not loaded
Unable to modify filters
Connection to 10.x.x.x closed.
Here is the pf.conf file:
# $FreeBSD: src/etc/pf.conf,v 1.2 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# Macros: define common values, so they can be referenced and changed easily.
if="bge0" # replace with actual external interface name i.e., dc0
icmp_types = "{0,3,8,13,14,30}"
# Tables: similar to macros, but more flexible for many addresses.
table <ids_group> persist file "/etc/pf_table_ids_sensors"
table <MAIN_user> persist file "/etc/pf_table_users"
table <apcupsd_users> persist file "/etc/pf_table_apcupsd_users"
table <zabbix_clients> persist file "/etc/pf_table_zabbix_clients"
table <hobbit_clients> persist file "/etc/pf_table_hobbit_clients"
table <svn_users> persist file "/etc/pf_table_svn_users"
table <authpf_users> persist
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
### PROBLEM FOR RECEIVING FILES FROM KHARKOV !!!!!!
###scrub in all fragment reassemble
# Filtering: the implicit first two rules are
#pass in all
#pass out all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all
pass quick on lo0 all
# pass icmp and administering
pass quick inet proto icmp all icmp-type $icmp_types keep state
###################
# SERVICES
# pass to ALL services from USER, SENSOR
pass quick on $if from <MAIN_user> to any keep state
pass quick on $if from <ids_group> to any keep state
# pass from user_SERVICES to
# pass from ALL to ( ssh )
#pass quick on $if proto tcp from any to port { 22 } keep state
pass quick on $if proto tcp from <apcupsd_users> to port { 3551 } keep state
# pass from ALL to ( https )
pass quick on $if proto tcp from any to port { 443 } keep state
# pass from CLIENTS to ( zabbix, hobbit )
pass quick on $if proto tcp from <zabbix_clients> to port { 10050, 10051 } keep state
pass quick on $if proto tcp from <hobbit_clients> to port { 1984 } keep state
# pass from USER to ( subversion )
pass quick on $if proto tcp from <svn_users> to port { 3690 } keep state
###################
# PROTECT
# protect ssh from password cracking
pass in on $if proto tcp from any to port ssh keep state \
(max-src-conn 10, max-src-conn-rate 5/60, overload <hammering> flush)
pass in on $if proto tcp from <hammering> to port ssh probability 65%
###################
# ANOTHER
###pass in on $if proto tcp from <authpf_users> to port { smtp, imap } keep state
###################
# OUT
pass out on $if proto { tcp, udp, icmp } all keep state
###############################################
# AUTHPF
anchor "authpf/*" in on $if
###################
# END
/etc/authpf/users/test/authpf.rules:
if="bge0"
pass quick on $if proto tcp from $user_ip to port { 80 } keep state
Could you please tell me what the problem might be?
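Added example, not part of the post above: a small Python pre-check for an authpf.rules file. When pfctl hits a `$macro` that is neither defined in the file nor passed in with `-D`, it prints `macro 'name' not defined` and then reports a syntax error on that line, which is one of the first things worth ruling out for a per-user rules file. The script expands macros the way pfctl does (the `user_ip` and `user_id` names are the two macros authpf(8) supplies; everything else must come from the file itself), flags undefined references and unbalanced `{ }`, and builds the equivalent `pfctl -n` dry-run command so the real parser can be run against the same input. The rule files and addresses below are constructed samples modelled on the post's authpf.rules.

```python
"""Pre-check an authpf.rules / pf.conf fragment for undefined macros.

Added example (not the poster's code): emulates pfctl macro expansion so
that a missing $macro shows up with a line number before deployment.
Still run the real thing afterwards, e.g. pfctl -n -D user_ip=... -f FILE.
"""
import re
import shlex
from dataclasses import dataclass, field

# authpf(8) passes these two macros to pfctl (-D user_ip=... -D user_id=...)
# when it loads a user's authpf.rules; any other macro must be defined in the file.
AUTHPF_MACROS = ("user_ip", "user_id")

_MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
_MACRO_REF = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')


@dataclass
class LintResult:
    errors: list = field(default_factory=list)    # (line_no, message) tuples
    expanded: list = field(default_factory=list)  # rule lines after macro expansion

    @property
    def ok(self):
        return not self.errors


def _logical_lines(text):
    """Yield (first_line_no, text) pairs, joining trailing-backslash continuations."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments (pf.conf has no quoted '#')
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:                                    # file ended inside a continuation
        yield start, " ".join(buf).strip()


def lint_rules(text, authpf_user_ip=None, authpf_user_id=None):
    """Expand macros like pfctl; report undefined macros and unbalanced braces."""
    macros = {}
    if authpf_user_ip is not None:
        macros["user_ip"] = authpf_user_ip
    if authpf_user_id is not None:
        macros["user_id"] = str(authpf_user_id)
    result = LintResult()

    def expand(line_no, s):
        def sub(m):
            name = m.group(1)
            if name not in macros:
                result.errors.append((line_no, f"macro '{name}' not defined"))
                return m.group(0)              # leave it visible in the output
            return macros[name]
        return _MACRO_REF.sub(sub, s)

    for line_no, line in _logical_lines(text):
        if not line:
            continue
        m = _MACRO_DEF.match(line)
        if m:                                  # macro definition, e.g. if="bge0"
            macros[m.group(1)] = expand(line_no, m.group(2).strip().strip('"'))
            continue
        rule = expand(line_no, line)
        if rule.count("{") != rule.count("}"):
            result.errors.append((line_no, "unbalanced '{' / '}'"))
        result.expanded.append(rule)
    return result


def pfctl_dry_run_command(rules_path, user_ip, user_id, pfctl="pfctl"):
    """Shell command that parses the file with pfctl -n and the macros authpf would supply."""
    return shlex.join([pfctl, "-n", "-D", f"user_ip={user_ip}",
                       "-D", f"user_id={user_id}", "-f", rules_path])


# Constructed sample modelled on the post: $if defined in the file, $user_ip from authpf.
GOOD_RULES = 'if="bge0"\npass quick on $if proto tcp from $user_ip to port { 80 } keep state\n'
# Constructed sample with a mistyped macro on line 2.
BAD_RULES = 'if="bge0"\npass quick on $if proto tcp from $userip to port { 80 } keep state\n'

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        res = lint_rules(rules, authpf_user_ip="10.0.0.5", authpf_user_id=1001)
        print(label, "ok" if res.ok else res.errors)
        for r in res.expanded:
            print("   ", r)
    print(pfctl_dry_run_command("/etc/authpf/users/test/authpf.rules", "10.0.0.5", 1001))
```

Running the file with `python3 lint_authpf.py` (assumed file name) prints the expanded rule for the good sample and `(2, "macro 'userip' not defined")` for the bad one, the same line number pfctl would report; the last line is the `pfctl -n` command to confirm the result with the real parser on the server.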