
Re: syntax differences



On Tue, Nov 09, 2004 at 09:11:08PM +0100, messmate wrote:
> "pass in on vr0 inet proto tcp from any to 192.168.12.15 port = 3128
> keep state"  and  
> "pass out on tun0 inet proto tcp from any to any port = www keep
> state"
> The rules here above seem ok.
> But this rule :
>  # Autorise SSH
> "pass in quick on xl0 proto tcp from $TRUST_IP to any port = 22 flags S
> keep state"  is followed by a syntax error and the '=' sign must be
> removed to solve it.
>  I don't know WHEN I've to use the '=' sign or not :(
It's not removal of the '=' that makes your third rule work. You must
have removed 'flags S' at the same time, and drawn the wrong conclusion.
'flags S' has been invalid for a couple of releases. It used to mean 'SYN
must be set, all other flags must not be set'. The problem with this
construct is that many people using it were not aware of what other flags
might be legitimately set (like ECN), and they were breaking ECN.
For that reason, 'flags S' and any flags option which doesn't specify
the '/...' part is now invalid syntax. You'll have to specify the second
part. If you really mean 'only SYN but no other flag is set', use
  flags S/FSRPAUEW
If, on the other hand, you mean 'SYN set, other flags don't matter', use
  flags S/S
Most people want to match the initial SYN, which should be
  flags S/SA
If you've copied the rule from an example, try to contact the maintainer
of the example to change it or add a note about it.
Daniel
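To see the check/mask semantics described above in action, here is a small added model of pf's TCP `flags check/mask` test (example code written for this page, not pf's own implementation; the flag bit values are the standard TCP header bits, keyed by the letters pf uses). It shows that the old `S` meaning, `S/FSRPAUEW`, rejects an ECN-setup SYN (SYN+ECE+CWR), while `S/SA` and `S/S` still match it.

```python
# Added example (not from the pf-misc thread): a model of pf's TCP
# "flags <check>/<mask>" matching, to show why the old meaning of
# 'flags S' (S/FSRPAUEW) rejected ECN-negotiating SYNs while 'flags S/SA'
# accepts them.

# Standard TCP header flag bits, keyed by pf's single-letter names.
TCP_FLAGS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE (ECN-Echo)
    "W": 0x80,  # CWR
}


def flag_bits(letters: str) -> int:
    """Translate a string of pf flag letters (e.g. 'SA') into a bit mask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flags_option(option: str) -> tuple[int, int]:
    """Parse 'check/mask' as current pf requires; a bare 'S' is rejected."""
    if "/" not in option:
        raise SyntaxError(f"flags {option!r}: missing '/mask' part")
    check, mask = option.split("/", 1)
    return flag_bits(check), flag_bits(mask)


def flags_match(option: str, packet_flags: int) -> bool:
    """True if the packet's TCP flags satisfy the pf flags option.

    Only the bits named in the mask are compared: those bits of the packet
    must equal the 'check' set; bits outside the mask are ignored.
    """
    check, mask = parse_flags_option(option)
    return (packet_flags & mask) == check


# Constructed sample packets: a plain SYN and an ECN-setup SYN (SYN+ECE+CWR).
PLAIN_SYN = flag_bits("S")
ECN_SYN = flag_bits("SEW")
```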