Freebsd 10.1 +Ipfilter 5.1.2 parsing error

I am fiddling with a FreeBSD + Webmin setup, upgraded to today. The IPFilter settings "establish" okay, but after turning on the ipf rules, and re-entering the ipfilter screen in webmin, I get this instead:

error parsing IPF line block in quick on re0 inet from 192.168.0.0/16 to any at inet line 2 : remainder inet from 192.168.0.0/16 to any

Makes no difference as to what line 2 is, I can put anything there, and it still breaks the parser.

The ipf.rules file to line 2 is:

# Skip next rule for external interface
skip 1 in quick on re0 all
# Allow all traffic on internal interface
pass in quick all keep state
# Block some never allowed traffic
block in quick on re0 from 192.168.0.0/16 to any    #RFC 1918 private IP

Firewall itself is working fine, the blocks are blocking etc. Just can't see them in Webmin. I know FreeBSD 10.1 isn't supported (yet?) but figured if you decided to work on it, you would need to know this.

Status: 
Active

Comments

Can you post the line from the ipf.rules file that contains "block in quick on re0 inet from 192.168.0.0/16 to any" ? It doesn't look like the line number in the error message is correct..

Been fiddling with it, this is the current version:

pass out all keep state
skip 1 in quick on re0 all
pass in quick all keep state
block in quick on re0 from 192.168.0.0/16 to any
block in quick on re0 from 172.16.0.0/12 to any
block in quick on re0 from 10.0.0.0/8 to any
block in quick on re0 from 127.0.0.0/8 to any
block in quick on re0 from 0.0.0.0/8 to any
block in quick on re0 from 169.254.0.0/16 to any
block in quick on re0 from 192.0.2.0/24 to any
block in quick on re0 from 204.152.64.0/23 to any
block in quick on re0 from 224.0.0.0/3 to any
pass in quick proto icmp all icmp-type echo keep state
pass in quick proto icmp all icmp-type echorep keep state
pass in quick proto icmp all icmp-type unreach keep state
pass in quick proto icmp all icmp-type squench keep state
pass in quick proto icmp all icmp-type timex keep state
pass in quick proto icmp all icmp-type paramprob keep state
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 113 keep state
pass in quick proto tcp from any to any port = 10000 keep state
pass in quick proto tcp from any to any port = http keep state
pass in quick proto tcp from any to any port = https keep state
pass in quick proto tcp from any to any port = imap keep state
pass in quick proto tcp from any to any port = imaps keep state
pass in quick proto tcp from any to any port = pop3 keep state
pass in quick proto tcp from any to any port = pop3s keep state
pass in quick proto tcp from any to any port = 53 keep state
pass in quick proto udp from any to any port = 53 keep state
block in log first quick on re0 all

Here is the current error:

error parsing IPF line block in quick on re0 inet from 192.168.0.0/16 to any at inet line 2 : remainder inet from 192.168.0.0/16 to any

Really hates line 2, even when its not line 2... the "default" ruleset your script creates also does the same thing, at least if you choose the last one.

Extra: if you "service ipfilter stop" the ipfilter displays correctly in Webmin.

Odd that I don't see that line mentioned in the error anywhere in this file.

Can you also post the output from the commands ipfstat -i and ipfstat -o ?

root@vm02:~ # ipfstat -i
skip 1 in quick on re0 all
pass in quick all keep state
block in quick on re0 inet from 192.168.0.0/16 to any
block in quick on re0 inet from 172.16.0.0/12 to any
block in quick on re0 inet from 10.0.0.0/8 to any
block in quick on re0 inet from 127.0.0.0/8 to any
block in quick on re0 inet from 0.0.0.0/8 to any
block in quick on re0 inet from 169.254.0.0/16 to any
block in quick on re0 inet from 192.0.2.0/24 to any
block in quick on re0 inet from 204.152.64.0/23 to any
block in quick on re0 inet from 224.0.0.0/3 to any
pass in quick inet proto icmp from any to any icmp-type echo keep state
pass in quick inet proto icmp from any to any icmp-type echorep keep state
pass in quick inet proto icmp from any to any icmp-type unreach keep state
pass in quick inet proto icmp from any to any icmp-type squench keep state
pass in quick inet proto icmp from any to any icmp-type timex keep state
pass in quick inet proto icmp from any to any icmp-type paramprob keep state
pass in quick proto tcp from any to any port = ssh keep state
pass in quick proto tcp from any to any port = auth keep state
pass in quick proto tcp from any to any port = 10000 keep state
pass in quick proto tcp from any to any port = http keep state
pass in quick proto tcp from any to any port = https keep state
pass in quick proto tcp from any to any port = imap keep state
pass in quick proto tcp from any to any port = imaps keep state
pass in quick proto tcp from any to any port = pop3 keep state
pass in quick proto tcp from any to any port = pop3s keep state
pass in quick proto tcp from any to any port = domain keep state
pass in quick proto udp from any to any port = domain keep state
block in log first quick on re0 all
block return-icmp(port-unr) in quick inet from 218.87.111.107/32 to any

^ (last line is fail2ban inserted, new since the original post)

root@vm02:~ # ipfstat -o
pass out all keep state

Ok, that's the source of the error. I will fix Webmin in the next release to handle this format.

Automatically closed -- issue fixed for 2 weeks with no activity.

Version 1.760 (22nd June 2015)

This issue isn't fixed yet. Must have missed out somehow.

Damn, I thought I fixed this. Are you still getting the same error message?

This is the error now, I just skimmed it earlier, and assumed it was the same, but it is different than before. It is the same ruleset, I haven't touched it from before.

error parsing IPF line pass in quick inet proto icmp from any to any icmp-type echo keep state at proto line 11 : remainder proto icmp from any to any icmp-type echo keep state