> will
> the following work? Does pf syntax allow this?
>
> BadTCPFlags="{ FUP, FUP/FUP, SF/SFRA, /SFRA, F/SFRA, U/SFRAU, P, \
> FS/FS, FSRPAU, /FSRPAU }"
>
> block in quick proto tcp all flags $BadTCPFlags
hi adam.
i made only a slight modification to this: namely inserted
'on fxp0' ( external iface ) between 'quick' and 'proto',
as i didn't want to decapitate my putty session; and pfctl yelled
at me with a syntax error. ( i had a new pf.conf with only your
lines above, to keep it clean ).
i tried reducing BadTCPFlags down to = "{ S/SA }", and that
also got an error.
so, the flags thing seems to not like the '"{' '}"' action,
as i just hardcoded that also into the line ( S/SA ) and it
bailed on me too.
i tried without the braces, and got the same. checked the
manpage:
flags = flags ( flag-set / flag-set | / flag-set )
flag-set = [ F ] [ S ] [ R ] [ P ] [ A ] [ U ] [ E ] [ W ]
i've noticed the pf.conf manpage is really good about letting
you know if you can get away with braces and things like that, they're
almost always in the syntax somewhere. to me, this means that
'flags' has a syntax of:
flags flag-set/flag-set
or
flags /flag-set
( where obviously flag-set is some combination of those letters )
if braces were chill, i'd expect to see something more like how
protoset and proto-list say: 'ok, put a name or a number, or a list',
and then defines a list as a string of names/numbers and mentions the
'[ , ]'. usually if i don't see a '[ , ]' in the construct somewhere,
i assume pfctl will yell at me.
so short answer, no, didn't work from over here.
jared.
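Since 'flags' takes a single set/mask and no brace list, the usual workaround is to expand the list into one rule per entry. The following is an added example, not code from either poster: it checks each entry of the original BadTCPFlags list against the flag-set grammar quoted above and emits one rule per valid entry (the 'on fxp0' interface and the block rule template are taken from the messages; the subset-of-mask check reflects pfctl's "flags always false" error).

```python
# Grammar quoted from the pf.conf manpage in the thread:
#   flags    = flags ( flag-set / flag-set | / flag-set )
#   flag-set = [ F ] [ S ] [ R ] [ P ] [ A ] [ U ] [ E ] [ W ]
TCP_FLAGS = "FSRPAUEW"

# Constructed input: the brace list from the original question, which
# pfctl rejected when used as the argument of 'flags'.
BAD_TCP_FLAGS = ("{ FUP, FUP/FUP, SF/SFRA, /SFRA, F/SFRA, U/SFRAU, P, "
                 "FS/FS, FSRPAU, /FSRPAU }")


def check_flags(spec):
    """Return None if spec fits the quoted grammar, else a reason string."""
    if "/" not in spec:
        return "no '/': the quoted grammar only allows set/mask or /mask"
    flag_set, mask = spec.split("/", 1)
    for name, part in (("set", flag_set), ("mask", mask)):
        # pfctl treats the letters as a set, so order is not checked here.
        if set(part) - set(TCP_FLAGS) or len(set(part)) != len(part):
            return f"{name} {part!r}: letters must be distinct and from {TCP_FLAGS}"
    if not mask:
        return "empty mask"
    if set(flag_set) - set(mask):
        # pfctl rejects a set that is not a subset of its mask ("flags always false").
        return f"set {flag_set!r} is not a subset of mask {mask!r}"
    return None


def expand_rules(macro_value, iface="fxp0"):
    """Expand a brace list into one 'block' rule per entry.

    Returns (rules, rejected); rejected maps each bad entry to its reason."""
    inner = macro_value.strip().strip("{}")
    entries = [e.strip() for e in inner.split(",") if e.strip()]
    rules, rejected = [], {}
    for spec in entries:
        reason = check_flags(spec)
        if reason:
            rejected[spec] = reason
        else:
            rules.append(f"block in quick on {iface} proto tcp all flags {spec}")
    return rules, rejected


if __name__ == "__main__":
    rules, rejected = expand_rules(BAD_TCP_FLAGS)
    print("\n".join(rules))
    for spec, why in rejected.items():
        print(f"# skipped {spec!r}: {why}")
```

The generated rules can be written to a test pf.conf and checked with `pfctl -nf` before loading.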