Syntax error I don't understand
-
This issue seems to keep coming up for me. I've looked into it but I don't understand what is causing this error. I'm running the Oct 23rd snapshot of nanobsd i386 on an Alix board. I've had this on snapshots after Oct 14th. When it's booting up, something is killed while configuring the firewall.
The following is from the bootup serial console:
Creating symlinks......done.
External config loader 1.0 is now starting... ad0s3
Launching the init system... done.
Initializing............................. done.
Starting device manager (devd)...done.
Loading configuration......done.
Updating configuration...done.
Cleaning backup cache........done.
Setting up extended sysctls...done.
glxsb0: <AMD Geode LX Security Block (AES-128-CBC, RNG)> mem 0xefff4000-0xefff7fff irq 9 at device 1.2 on pci0
Setting timezone...done.
Configuring loopback interface...done.
Starting Secure Shell Services...done.
Setting up polling defaults...done.
Setting up interfaces microcode...done.
Configuring loopback interface...dvr1: link state changed to DOWN one.
Configuring LAGG interfaces...done.
Configuring VLAN interfaces...done.
Configuring QinQ interfaces...done.
Configuring WAN interface...vr1: link state changed to UP
pflog0: promiscuous mode enabled
Configuring firewall......done.
done.
Configuring LAN interface...vr0: link state changed to DOWN
done.
Syncing OpenVPN settings...tun1: changing name to 'ovpns1'
tun2: changing name to 'ovpns2'
ovpns1: link state changed to UP
done.
Starting syslog...ovpns2: link state changed to UP
done.
Configuring firewall......done.
Starting PFLOG...done.
Setting up gateway monitors...done.
Synchronizing user settings...done.
Starting webConfigurator...done.
Configuring CRON...done.
Starting NTP time client...done.
Starting DHCP service...done.
Starting DHCPv6 service...done.
Starting DNS forwarder...done.
Configuring firewall...Killed
Starting CRON... done.
Killed
Bootup complete
After bootup is complete, I get a notice from the GUI
[ There were error(s) loading the rules: /tmp/rules.debug:173: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [173]: pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule" ]
The line from the notice is as follows:
pass in quick on $LAN inet6 from 2601:9:4d80:90:0:0:0:0/64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
The system logs only seem to have a few relevant entries:
Oct 23 21:52:20 php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:173: syntax error pfctl: Syntax error in config file: pf rules not loaded'
Oct 23 21:52:20 php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:173: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [173]: pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
Oct 23 21:52:20 php: : There were error(s) loading the rules: /tmp/rules.debug:173: syntax error pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [173]: pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
Any help on this would be appreciated. I don't think my setup is too complex. The only package I have installed is the OpenVPN client export. I have one site-to-site OpenVPN and another PKI road-warrior server, plus about 19 firewall rules, of which 13 are port forwards for the WAN, 3 are rules for the LAN and 1 is a rule for OpenVPN, and 8 outbound NAT rules. If there's any other info I should post, let me know.
-
The log extracts you posted give the rule in error as
pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
which I expect has a syntax error in "/64" which is not an IP address/subnet.
However you appear to claim the rule in error is
pass in quick on $LAN inet6 from 2601:9:4d80:90:0:0:0:0/64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
which doesn't have such a syntax error.
Are these two lines close together in /tmp/rules.debug?
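A small pre-flight check, added here as an example and not part of pfSense or this thread, that scans rules.debug-style lines for exactly the defect above (a prefix length with no address in front of it, or an address/netmask pfctl cannot parse) and reports the line number the way pfctl does; SAMPLE_RULES is a constructed stand-in for the poster's file, not its real contents.

```python
import ipaddress
import re

# Constructed sample in the style of /tmp/rules.debug (not the poster's file):
# line 2 reproduces the empty-address form quoted in the thread's notice.
SAMPLE_RULES = """\
pass in quick on $LAN inet from 192.168.112.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $LAN inet6 from /64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick on $LAN inet6 from 2601:9:4d80:90:0:0:0:0/64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
"""

# Operands that legitimately follow "from"/"to" without being an address literal.
_KEYWORDS = {"any", "no-route", "urpf-failed", "self", "route", "to", "port"}


def _classify(tok):
    """Return None if tok is an acceptable from/to operand, else a short reason."""
    if tok in _KEYWORDS or tok[0] in "$<{(":
        return None  # keyword, macro, table, list or interface: pfctl resolves these
    tok = tok.lstrip("!")
    if tok.startswith("/"):
        return "prefix length with no address"  # the form that tripped pfctl in the thread
    if not ("/" in tok or ":" in tok or tok[:1].isdigit()):
        return None  # bare hostname, left to pfctl's resolver
    try:
        ipaddress.ip_network(tok, strict=False)
    except ValueError:
        return "not a valid address/netmask"
    return None


def find_bad_address_tokens(text):
    """Return (line_number, token, reason) for each from/to operand pfctl would reject."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = re.sub(r'"[^"]*"', '""', line.split("#", 1)[0])  # drop comments and labels
        words = body.split()
        for i, word in enumerate(words[:-1]):
            if word in ("from", "to"):
                reason = _classify(words[i + 1])
                if reason:
                    problems.append((lineno, words[i + 1], reason))
    return problems


if __name__ == "__main__":
    for lineno, tok, reason in find_bad_address_tokens(SAMPLE_RULES):
        print(f"rules.debug:{lineno}: {reason}: {tok!r}")  # reports line 2, '/64'
```

Running it over the real /tmp/rules.debug right after the alert fires, before the file is regenerated, would show whether line 173 really held an empty address at load time.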
-
That's just the thing though. It says the syntax error is on line 173 in /tmp/rules.debug
I open /tmp/rules.debug in vi, type 173G, and it says:
pass in quick on $LAN inet6 from 2601:9:4d80:90:0:0:0:0/64 to any keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
The rule on line 172, for example, says this:
pass in quick on $LAN inet from 192.168.112.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
It's as though it's ignoring the 2601:9:4d80:90:0:0:0:0 part. Hence my confusion.
Also, on a side note, vi on a 9600 BAUD link is quite amusing :)
-
I'm still not sure what the deal was with the syntax error. After rebooting it's gone.
However, I still get the Configuring firewall…Killed thing during bootup. It turns out that if I have both of my OpenVPN servers enabled during bootup this will happen. Disabling one or both allows a clean bootup.
Ever since that mysterious syntax error occurred, the RADVD never starts up on bootup. I have to manually enable it. How can I force it to start automatically at bootup?
The DNS forwarder also does not respond to DNS queries on IPv6 anymore.
At this point I may just reinstall. Hopefully all of this will go away.
-
Just cross-referencing the "Killed" problem - http://forum.pfsense.org/index.php/topic,54155.0.html - I have the same issue, usually when I have about 3 or more OpenVPN instances. Somewhere the startup must be running a bunch of things in parallel and running out of memory on the 256MB Alix. Once things are up, memory use is around 45%. The process that gets the "kill" is a bit random, so sometimes DHCP, DNS, one of the OpenVPN servers… is missing after startup. Someone has to use the GUI and restart whatever is dead in Status:Services.
I really need to make time to understand the whole bootup flow and see how this could be fixed.
-
I wound up doing a clean install. With both VPNs the memory is around 65%. Having only 1 or 0 servers active seems to avoid any issues on the bootup. RADVD still doesn't start with bootup (is it just me that's seeing this?) and the DNS forwarder seems to not listen on the IPv6 LAN address.
Connectivity works well enough once I start RADVD manually as the DNS forwarder listens on IPv4 still.