On 2016-03-29, Kapetanakis Giannis <[email protected]> wrote:
> On 29/03/16 20:24, Adam Smith wrote:
>> Thanks, Taru, your solution works.
>>
>> Adam
>>
>> --- [email protected] wrote:
>>
>> From: Letcher Ross <[email protected]>
>> To: [email protected]
>> Cc: OpenBSD Misc <[email protected]>
>> Subject: Re: Syntax error in pf rules
>> Date: Tue, 29 Mar 2016 08:55:32 -0700
>>
>> Per http://www.openbsd.org/faq/pf/macros.html
>>
>> It looks like your list should look like:
>>
>> vpnip = "{ 77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78,
>> 66.85.14.205, 54.201.110.154 }"
>>
>> Taru
>>
>> On Tue, Mar 29, 2016 at 8:45 AM, Adam Smith <[email protected]> wrote:
>
> You would be better off using a table and one rule than a list, which will be
> expanded to 6 rules.
>
> table <vpnip> { 77.90.247.88, 112.119.192.26, 85.95.253.145,
> 31.210.111.78, 66.85.14.205, 54.201.110.154 }
> pass out quick on $wan proto tcp from any to <vpnip> port 443 keep state
With 6 addresses it will actually work due to the ruleset optimizer
collapsing them to a table, but you'll get very confused if you remove
one of the addresses as 5 *will* get expanded to multiple rules.
Compare:
echo 'pass from { 77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78,
66.85.14.205, 54.201.110.154 }' | pfctl -nvf -
echo 'pass from { 77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78,
66.85.14.205 }' | pfctl -nvf -
So yes it is definitely advisable to use an explicit table here.