Same problem as reported a few hours ago: the generated VPN rules contain an empty address after `from`/`to` (see the pfctl errors for lines 108-114 in the log below), so pfctl rejects the ruleset with a syntax error and the rules are not loaded. Try the vpn.inc that I
asked the other person to try.
On 8/12/05, Wesley Joyce <[EMAIL PROTECTED]> wrote:
>
>
>
> After disabling the default LAN rule I immediately got this notice.
>
>
>
> System log from web gui
>
> Aug 12 12:13:41 php: There were error(s) loading the rules:
> /tmp/rules.debug:108: syntax error /tmp/rules.debug:109: syntax error
> /tmp/rules.debug:110: syntax error /tmp/rules.debug:111: syntax error
> /tmp/rules.debug:112: syntax error /tmp/rules.debug:113: syntax error
> /tmp/rules.debug:114: syntax error pfctl: Syntax error in config file: pf
> rules not loaded - The line in question reads [108]: pass quick on xl1 proto
> esp from 146.226.152.86 to keep state label "IPSEC: esp proto"
>
>
>
>
>
> pfSense# cat notices
>
> a:2:{i:1123863221;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:462:"There
> were error(s) loading the rules: /tmp/rules.debug:108: syntax error
>
> /tmp/rules.debug:109: syntax error
>
> /tmp/rules.debug:110: syntax error
>
> /tmp/rules.debug:111: syntax error
>
> /tmp/rules.debug:112: syntax error
>
> /tmp/rules.debug:113: syntax error
>
> /tmp/rules.debug:114: syntax error
>
> pfctl: Syntax error in config file: pf rules not loaded The line in question
> reads [108]: pass quick on xl1 proto esp from 192.168.152.86 to keep state
> label "IPSEC: esp
> proto"";s:3:"url";s:0:"";s:8:"category";s:13:"Filter
> Reload";s:8:"priority";i:1;}i:1123863257;a:5:{s:2:"id";s:11:"filter_load";s:6:"notice";s:462:"There
> were error(s) loading the rules: /tmp/rules.debug:108: syntax error
>
> /tmp/rules.debug:109: syntax error
>
> /tmp/rules.debug:110: syntax error
>
> /tmp/rules.debug:111: syntax error
>
> /tmp/rules.debug:112: syntax error
>
> /tmp/rules.debug:113: syntax error
>
> /tmp/rules.debug:114: syntax error
>
> pfctl: Syntax error in config file: pf rules not loaded The line in question
> reads [108]: pass quick on xl1 proto esp from 192.168.152.86 to keep state
> label "IPSEC: esp
> proto"";s:3:"url";s:0:"";s:8:"category";s:13:"Filter
> Reload";s:8:"priority";i:1;}}pfSense#
>
>
>
>
>
> pfSense# cat rules.debug
>
> # System Aliases
>
> lan = "{ xl0 }"
>
> wan = "{ xl1 }"
>
> pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
>
> pppoe = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
>
> # User Aliases
>
>
>
> set loginterface xl1
>
> set loginterface xl0
>
> set optimization normal
>
>
>
> scrub on xl1 all
>
>
>
>
>
> nat-anchor "pftpx/*"
>
> nat-anchor "natearly/*"
>
> nat-anchor "natrules/*"
>
> nat on xl1 from 192.168.9.0/24 port 500 to any -> (xl1) port 500
>
> nat on xl1 from 192.168.9.0/24 to any -> (xl1)
>
> #SSH Lockout Table
>
> table <sshlockout> persist
>
>
>
>
>
> # spam table
>
> table <spamd> persist
>
>
>
>
>
> # Load balancing anchor - slbd updates
>
> rdr-anchor "slb"
>
> # FTP proxy
>
> rdr-anchor "pftpx/*"
>
> rdr on xl0 proto tcp from any to any port 21 -> 127.00.1 port 8021
>
>
>
>
>
>
>
> anchor "firewallrules"
>
>
>
> # loopback
>
> anchor "loopback"
>
> pass in quick on lo0 all label "pass loopback"
>
> pass out quick on lo0 all label "pass loopback"
>
>
>
> # package manager early specific hook
>
> anchor "packageearly"
>
>
>
>
>
> # carp
>
> anchor "carp"
>
>
>
> # enable ftp-proxy
>
> anchor "ftpproxy"
>
> anchor "pftpx/*"
>
> pass in quick on xl1 inet proto tcp from port 20 to (xl1) port > 49000 user
> proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
>
>
>
> # allow access to DHCP server on LAN
>
> anchor "dhcpserverlan"
>
> pass in quick on xl0 proto udp from any port = 68 to 255.255.255.255 port =
> 67 label "allow access to DHCP server on LAN"
>
> pass in quick on xl0 proto udp from any port = 68 to 192.168.9.1 port = 67
> label "allow access to DHCP server on LAN"
>
> pass out quick on xl0 proto udp from 192.168.9.1 port = 67 to any port = 68
> label "allow access to DHCP server on LAN"
>
>
>
> # WAN spoof check
>
> anchor "wanspoof"
>
> block in log quick on xl1 from 192.168.9.0/24 to any label "WAN spoof check"
>
>
>
> # allow our DHCP client out to the WAN
>
> # XXX - should be more restrictive
>
> # (not possible at the moment - need 'me' like in ipfw)
>
> anchor "wandhcp"
>
> pass out quick on xl1 proto udp from any port = 68 to any port = 67 label
> "allow dhcp client out wan"
>
> block in log quick on xl1 proto udp from any port = 67 to 192.168.9.0/24
> port = 68 label "allow dhcp client out wan"
>
> pass in quick on xl1 proto udp from any port = 67 to any port = 68 label
> "allow dhcp client out wan"
>
>
>
> # LAN/OPT spoof check (needs to be after DHCP because of broadcast
> addresses)
>
> antispoof for xl0
>
>
>
>
>
> # block anything from private networks on WAN interface
>
> anchor "spoofing"
>
> block in log quick on xl1 from 10.0.0.0/8 to any label "block private
> networks from wan block 10/8"
>
> block in log quick on xl1 from 127.0.0.0/8 to any label "block private
> networks from wan block 127/8"
>
> block in log quick on xl1 from 172.16.0.0/12 to any label "block private
> networks from wan block 172.16/12"
>
> block in log quick on xl1 from 192.168.0.0/16 to any label "block private
> networks from wan block 192.168/16"
>
> # Support for allow limiting of TCP connections by establishment rate
>
> anchor "limitingesr"
>
> table <virusprot>
>
>
>
> # let out anything from the firewall host itself and decrypted IPsec traffic
>
> # pass out quick on xl1 all keep state label "let out anything from firewall
> host itself"
>
> # pass traffic from firewall -> out
>
> anchor "firewallout"
>
> pass out quick on xl1 all keep state label "let out anything from firewall
> host itself"
>
> pass out quick on xl0 all keep state label "let out anything from firewall
> host itself"
>
>
>
> # make sure the user cannot lock himself out of the webGUI or SSH
>
> anchor "anti-lockout"
>
> pass in quick from 192.168.9.0/24 to 192.168.9.1 keep state label
> "anti-lockout web rule"
>
>
>
> # SSH lockout
>
> block in log proto tcp from <sshlockout> to any port 22 label "sshlockout"
>
>
>
>
>
> # User-defined rules follow
>
> pass in quick on $wan proto tcp from { 192.168.0.0/16 } to any flags S/SA
> keep state label "USER_RULE"
>
> pass in quick on $lan from 192.168.9.0/24 to any keep state label
> "USER_RULE: Default LAN -> any"
>
>
>
> # VPN Rules
>
> pass quick on xl1 proto udp from 192.168.152.86 to port = 500 keep state
> label "IPSEC: udp"
>
> pass quick on xl1 proto udp from to 192.168.152.86 port = 500 keep state
> label " udp"
>
> pass quick on xl1 proto esp from 192.168.152.86 to keep state label "IPSEC:
> esp proto"
>
> pass quick on xl1 proto esp from to 192.168.152.86 keep state label "IPSEC:
> esp proto"
>
> pass quick on xl1 proto ah from 192.168.152.86 to keep state label "IPSEC:
> ah proto"
>
> pass quick on xl1 proto ah from to 192.168.152.86 keep state label "IPSEC:
> ah proto"
>
> pass quick on xl0 from to # error - keep state label "IPSEC: "
>
> pass quick on xl0 from # error - to keep state label "IPSEC: "
>
>
>
> #---------------------------------------------------------------------------
>
> # default rules (just to be sure)
>
> #---------------------------------------------------------------------------
>
> block in log quick all label "Default block all just to be sure."
>
> block out log quick all label "Default block all just to be sure."
>
>
>
>