After disabling the default LAN rule I immediately got this notice.  

 

System log from the web GUI

Aug 12 12:13:41 php: There were error(s) loading the rules: /tmp/rules.debug:108: syntax error /tmp/rules.debug:109: syntax error /tmp/rules.debug:110: syntax error /tmp/rules.debug:111: syntax error /tmp/rules.debug:112: syntax error /tmp/rules.debug:113: syntax error /tmp/rules.debug:114: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [108]: pass quick on xl1 proto esp from 146.226.152.86 to keep state label "IPSEC: esp proto"

 

 

pfSense# cat notices

a:2:{i:1123863221;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:462:"There were error(s) loading the rules: /tmp/rules.debug:108: syntax error

/tmp/rules.debug:109: syntax error

/tmp/rules.debug:110: syntax error

/tmp/rules.debug:111: syntax error

/tmp/rules.debug:112: syntax error

/tmp/rules.debug:113: syntax error

/tmp/rules.debug:114: syntax error

pfctl: Syntax error in config file: pf rules not loaded The line in question reads [108]: pass quick on xl1 proto esp from 192.168.152.86 to  keep state label "IPSEC:  esp proto"";s:3:"url";s:0:"";s:8:"category";s:13:"Filter Reload";s:8:"priority";i:1;}i:1123863257;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:462:"There were error(s) loading the rules: /tmp/rules.debug:108: syntax error

/tmp/rules.debug:109: syntax error

/tmp/rules.debug:110: syntax error

/tmp/rules.debug:111: syntax error

/tmp/rules.debug:112: syntax error

/tmp/rules.debug:113: syntax error

/tmp/rules.debug:114: syntax error

pfctl: Syntax error in config file: pf rules not loaded The line in question reads [108]: pass quick on xl1 proto esp from 192.168.152.86 to  keep state label "IPSEC:  esp proto"";s:3:"url";s:0:"";s:8:"category";s:13:"Filter Reload";s:8:"priority";i:1;}}pfSense#

 

 

pfSense# cat rules.debug

# System Aliases
# NOTE(review): this is the pf ruleset pfSense generates from its config; pf
# evaluates rules top-down and a matching "quick" rule ends evaluation, so
# the ordering below is significant.  Edits belong in the GUI config, not here.

lan = "{ xl0  }"

wan = "{ xl1  }"

pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"

pppoe = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"

# User Aliases

 

# NOTE(review): "set loginterface" is given twice (xl1, then xl0); pf keeps a
# single logging interface, so presumably only the second takes effect — confirm
# which interface the pf counters actually report for.
set loginterface xl1

set loginterface xl0

set optimization normal

 

scrub on xl1 all

 

 

nat-anchor "pftpx/*"

nat-anchor "natearly/*"

nat-anchor "natrules/*"

# Keeps UDP 500 (IKE) at source port 500 on the WAN address, separately from
# the generic outbound NAT rule below it.
nat on xl1 from 192.168.9.0/24 port 500 to any -> (xl1) port 500

nat on xl1 from 192.168.9.0/24 to any -> (xl1)

#SSH Lockout Table

table <sshlockout> persist

 

 

# spam table

table <spamd> persist

 

 

# Load balancing anchor - slbd updates

rdr-anchor "slb"

# FTP proxy

rdr-anchor "pftpx/*"

# NOTE(review): "127.00.1" is an unusual spelling of the loopback address
# (presumably intended as 127.0.0.1); whether pfctl accepts it should be
# verified — it is not one of the lines the notice reports as a syntax error.
rdr on xl0 proto tcp from any to any port 21 -> 127.00.1 port 8021

 

 

 

anchor "firewallrules"

 

# loopback

anchor "loopback"

pass in quick on lo0 all label "pass loopback"

pass out quick on lo0 all label "pass loopback"

 

# package manager early specific hook

anchor "packageearly"

 

 

# carp

anchor "carp"

 

# enable ftp-proxy

anchor "ftpproxy"

anchor "pftpx/*"

pass in quick on xl1 inet proto tcp from port 20 to (xl1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"

 

# allow access to DHCP server on LAN

anchor "dhcpserverlan"

pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"

pass in quick on xl0 proto udp from any port = 68 to 192.168.9.1 port = 67 label "allow access to DHCP server on LAN"

pass out quick on xl0 proto udp from 192.168.9.1 port = 67 to any port = 68 label "allow access to DHCP server on LAN"

 

# WAN spoof check

anchor "wanspoof"

block in log quick on xl1 from 192.168.9.0/24 to any label "WAN spoof check"

 

# allow our DHCP client out to the WAN

# XXX - should be more restrictive

# (not possible at the moment - need 'me' like in ipfw)

anchor "wandhcp"

pass out quick on xl1 proto udp from any port = 68 to any port = 67 label "allow dhcp client out wan"

block in log quick on xl1 proto udp from any port = 67 to 192.168.9.0/24 port = 68 label "allow dhcp client out wan"

pass in quick on xl1 proto udp from any port = 67 to any port = 68 label "allow dhcp client out wan"

 

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

antispoof for xl0

 

 

# block anything from private networks on WAN interface

anchor "spoofing"

block in log quick on xl1 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"

block in log quick on xl1 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"

block in log quick on xl1 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"

# These four "quick" blocks run before the user-defined rules, so a later
# user rule that passes RFC1918 sources in on the WAN (see the $wan rule
# under "User-defined rules follow") can never match 192.168.0.0/16 traffic.
block in log quick on xl1 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# Support for allow limiting of TCP connections by establishment rate

anchor "limitingesr"

table <virusprot>

 

# let out anything from the firewall host itself and decrypted IPsec traffic

# pass out quick on xl1 all keep state label "let out anything from firewall host itself"

# pass traffic from firewall -> out

anchor "firewallout"

pass out quick on xl1 all keep state label "let out anything from firewall host itself"

pass out quick on xl0 all keep state label "let out anything from firewall host itself"

 

# make sure the user cannot lock himself out of the webGUI or SSH

anchor "anti-lockout"

# No "on <interface>" clause: this rule applies on every interface.  Traffic
# claiming a 192.168.9.0/24 source on the WAN is already dropped by the
# "WAN spoof check" block above, so in practice it is reachable from LAN only.
pass in quick from 192.168.9.0/24 to 192.168.9.1 keep state label "anti-lockout web rule"

 

# SSH lockout

block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"

 

 

# User-defined rules follow

# NOTE(review): unreachable for 192.168.0.0/16 sources on xl1 — see the
# "spoofing" anchor's quick block above.
pass in quick on $wan proto tcp from { 192.168.0.0/16 } to any flags S/SA keep state  label "USER_RULE"

# NOTE(review): the post says the default LAN rule was disabled, yet it is
# still present in this generated file — presumably this rules.debug predates
# the change or the config was not saved; confirm before relying on it.
pass in quick on $lan from 192.168.9.0/24 to any keep state  label "USER_RULE: Default LAN -> any"

 

# VPN Rules
# NOTE(review): every rule in this section has an empty endpoint after "to"
# or "from" (e.g. "from 192.168.152.86 to  port = 500"), which is the
# syntax error the filter_load notice quotes for line 108 ("... proto esp
# from 192.168.152.86 to  keep state ...").  The generator appears to have
# had no remote gateway / remote network value for the IPsec tunnel; the
# last two lines even carry a literal "# error -" marker that comments out
# the rest of the line.  Check the IPsec tunnel definition (remote
# gateway and remote subnet) rather than hand-editing this file.  While
# the load fails, pfctl reports "pf rules not loaded", so the previously
# loaded policy presumably stays active — treat the notice as blocking.

pass quick on xl1 proto udp from 192.168.152.86 to  port = 500 keep state label "IPSEC:  udp"

pass quick on xl1 proto udp from  to 192.168.152.86 port = 500 keep state label " udp"

pass quick on xl1 proto esp from 192.168.152.86 to  keep state label "IPSEC:  esp proto"

pass quick on xl1 proto esp from  to 192.168.152.86 keep state label "IPSEC:  esp proto"

pass quick on xl1 proto ah from 192.168.152.86 to  keep state label "IPSEC:  ah proto"

pass quick on xl1 proto ah from  to 192.168.152.86 keep state label "IPSEC:  ah proto"

pass quick on xl0 from  to  # error -   keep state label "IPSEC:  "

pass quick on xl0 from  # error -   to  keep state label "IPSEC:  "

 

#---------------------------------------------------------------------------

# default rules (just to be sure)

#---------------------------------------------------------------------------

block in log quick all label "Default block all just to be sure."

block out log quick all label "Default block all just to be sure."

 

 
