Re: ext_if, int_if?
Sergey Prisyazhniy [EMAIL PROTECTED] writes:

> Yes, Luca :). The thing is that I want, for example, to set up remote machines via siteXYtools (also load to pf.conf). And as you can get, I don't know anything about the remote NICs, so in this case I want to make a fully automatic process... :)

As I said earlier, if your requirements can be satisfied by a rule set where you do not specify which specific interface the filtering happens on, you're OK. For example, your definition of 'the local net' does not need to be $int_if:network; it could equally well be 'localnet = 194.54.103.64/26' or some such, with rules like

    localnet = 194.54.103.64/26
    client_out = { ssh, domain, pop3, auth, nntp, http, https }

    block all
    pass inet proto tcp from $localnet to any port $client_out \
        flags S/SA keep state
    pass inet proto tcp from any to $localnet port ssh flags S/SA keep state

I have a semi-rant about these things in the tutorial[1], which I probably will be accused of plugging quite shamelessly at this point.

[1] http://home.nuug.no/~peter/pf/, specifically about these matters at http://home.nuug.no/~peter/pf/en/basicgw.html#GWPITFALLS and http://home.nuug.no/~peter/pf/en/whatsyourlocalnet.html

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Re: ext_if, int_if?
On Thu, Nov 30, 2006 at 04:00:37PM +, Karl O. Pinc wrote:

> The clean solution would be if pf had some sort of #include mechanism. Then the macros that abstract the interfaces could be written into include-ed files and everything else would be sane.

    pfctl -D int_if=foo -f /etc/pf.conf

or even

    pfctl -D int_if=`grep-o-matic` -f /etc/pf.conf

comes to mind.

You can also use interface groups, even as a degenerate case where each interface is in its own group, (ab)using the group name as a functional interface name, then reference only interface groups in pf.conf.

Many options, all less work than adding features to pfctl ;)

Daniel
Re: ext_if, int_if?
On 11/30/2006 04:25:12 AM, Sergey Prisyazhniy wrote:

> Yes, Luca :). The thing is that I want, for example, to set up remote machines via siteXYtools (also load to pf.conf). And as you can get, I don't know anything about the remote NICs, so in this case I want to make a fully automatic process... :)

This relates to a problem I have, carp failover of 2 firewalls that do not have identical nics. Normally, changing the macros in /etc/pf.conf is no big deal, but in this case you're faced with maintaining almost-duplicate pf.conf files on two boxes, files that differ only in the nic cards used. This is a pain. (OTOH, _duplicating_ pf.conf is easy with rsync.)

To think out loud here, suppose you custom configured /etc/hostname.if and added a description to the interfaces that indicates the purpose of each interface. What would be the right way to use that description to establish appropriate pf macros to abstract those interfaces? This would still require you know _something_ about the interfaces, but you'd at least have only one place to maintain the information.

My inclination would be to activate pf manually in rc.local, after running awk on the output of ifconfig to find out the right device names, and then feeding the result to m4 to generate pf.conf from an m4 file. The flaw here is that any other sysadm coming in to look at pf.conf would hate me, even if the generated pf.conf file had a big warning at the top saying where to look for the real pf.conf file.

The clean solution would be if pf had some sort of #include mechanism. Then the macros that abstract the interfaces could be written into include-ed files and everything else would be sane.

Anybody else have any ideas?

Karl [EMAIL PROTECTED]
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re: ext_if, int_if?
On Wed, 2006-11-29 at 18:11 +0200, Sergey Prisyazhniy wrote:

> Hello guys, I have one little question: how can I automatically initialize pf rules without making subj interfaces specification in /etc/pf.conf by hand? Thank you very much for your help, Sergey.
> hint: pf.conf.rules ?

Don't know if I understand this correctly, but:

use macros in pf.conf

    int_if=fxp0
    pass in on $int_if

or use groups

    ifconfig fxp0 group internal
    pass in on internal

HTH
Luca
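The two suggestions in this thread, Luca's interface groups above and Daniel's `pfctl -D macro=value` below, combine into a loader that needs no per-host edits to pf.conf. The following script is an added example written for this page; it is not code from any poster or from the OpenBSD project. It assumes the kernel-maintained "egress" group for the default-route interface, a hypothetical admin-chosen group named "internal" (set with `ifconfig fxp0 group internal`), and that `ifconfig -g GROUP` prints a header line followed by one indented line per member interface; check that output format against your release before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread. Derive pf macro values from
# OpenBSD interface groups and hand them to pfctl with -D, so one
# /etc/pf.conf referring to $ext_if and $int_if loads on hosts whose NIC
# drivers differ. Assumptions: "egress" is the kernel-maintained group for
# interfaces carrying the default route; "internal" is a hypothetical
# admin-chosen group (ifconfig fxp0 group internal); `ifconfig -g GROUP`
# output is assumed to be a header line plus one indented member line each.

# Print the first member interface from `ifconfig -g GROUP` output on stdin.
# Prints nothing when the group has no members.
first_member() {
    awk 'NR > 1 && $1 != "" { print $1; exit }'
}

# Accept only names shaped like an OpenBSD interface: a lowercase letter
# followed by letters and digits. Anything else is refused rather than
# interpolated into the pfctl command line.
valid_ifname() {
    case "$1" in
        '' | [!a-z]* | *[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build one "-D macro=ifname" argument; fails if the name did not validate.
pf_define() {
    valid_ifname "$2" || return 1
    printf '%s' "-D $1=$2"
}

# Resolve both macros and load the ruleset. A dry run (-n) with the same
# definitions runs first so a broken ruleset is never loaded, and an
# unresolvable interface aborts instead of loading rules bound to nothing.
load_pf() {
    ext_if=$(ifconfig -g egress | first_member)
    int_if=$(ifconfig -g internal | first_member)
    ext_def=$(pf_define ext_if "$ext_if") || { echo "no usable egress interface" >&2; return 1; }
    int_def=$(pf_define int_if "$int_if") || { echo "no usable internal interface" >&2; return 1; }
    # Unquoted expansion is intended: each variable splits into "-D" "name=value".
    pfctl -n $ext_def $int_def -f /etc/pf.conf || return 1
    pfctl $ext_def $int_def -f /etc/pf.conf
}

# Only touch the live firewall when invoked as `sh thisscript.sh load`, so
# the functions can be sourced or tested without side effects.
if [ "${1:-}" = load ]; then
    load_pf
fi
```

Because `-D` overrides a macro of the same name defined inside the ruleset, pf.conf can keep a plain `int_if=fxp0` line as documentation and as a fallback for hand loading, while the script supplies the real value on each host; the rc.local hook Karl describes could simply call this script with `load`.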
Re: ext_if, int_if?
On Wed, 2006-11-29 at 19:46 +0200, Sergey Prisyazhniy wrote:

> What if I don't know what drivers use ext_if or int_if? But still :) I want to load rules... ; now hacking on /etc/rc for 'RULES=' (default) setups. Thank you a lot.

Still don't understand what the goal is, but there is a default group 'egress'. You could do some parsing of ifconfig or dmesg output too, I think.

ciao
Luca
Re: ext_if, int_if?
Regards,

> Don't know if I understand this correctly, but:
> use macros in pf.conf
>     int_if=fxp0
>     pass in on $int_if
> or use groups
>     ifconfig fxp0 group internal
>     pass in on internal
> HTH
> Luca

Ok, Luca, I know this :), but if I want to do something like this: I have the default installation of OpenBSD -current and I want to do

    pfctl -e -f /etc/pf.conf

with the rules only, without any macros like int_if. Like remote setup, or something like that. What if I don't know what drivers use ext_if or int_if? But still :) I want to load rules... The question is still open? Thank you a lot. . . ; now hacking on /etc/rc for 'RULES=' (default) setups. Thank you a lot.

-- 
apel-ripe
Re: ext_if, int_if?
Regards,

> Don't know if I understand this correctly, but:
> use macros in pf.conf
>     int_if=fxp0
>     pass in on $int_if
> or use groups
>     ifconfig fxp0 group internal
>     pass in on internal
> HTH
> Luca

Ok, Luca, I know this :), but if I want to do something like this: I have the default installation of OpenBSD -current and I want to do

    pfctl -e -f /etc/pf.conf

with the rules only, without any macros like int_if. Like remote setup, or something like that. What if I don't know what drivers use ext_if or int_if? But still :) I want to load rules... ? ; now hacking on /etc/rc for 'RULES=' (default) setups. Thank you a lot.

-- 
apelsin
Re: ext_if, int_if?
Sergey Prisyazhniy [EMAIL PROTECTED] writes:

> how can I automatically initialize pf rules without making subj interfaces specification in /etc/pf.conf by hand?

If your rules do not specifically need to be bound to any particular interface, you can write such things as

    block all
    pass from self to any keep state

or

    pass from 10.12.14.0/24 to any port ssh keep state

It's extremely flexible, really. The reason you see interface name macros so often is that people tend to find them useful, but you can do without them entirely if you like, I suppose.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Re: ext_if, int_if?
On Wed, 2006-11-29 at 21:01 +0200, Sergey Prisyazhniy wrote:

> Like remote setup, or something like that. What if I don't know what drivers use ext_if or int_if? But still :) I want to load rules... The question is still open? Thank you a lot. . .

Oh, ok, so you just need to have a custom ruleset to perform remote setups. Now I get it. I think Peter answered that one then.

ciao
Luca