On Wed, 14 Jan 2004 09:11:42 -0600 "Slavov, Vasil" <[EMAIL PROTECTED]> wrote:
:I am trying to modify the following rule from the example
:provided at the end of the packet filtering section of the
:pf faq:
:http://openbsd.org/faq/pf/filter.html
:
:block return in quick on $int_if proto tcp from ! 192.168.0.15 \
:    to $int_if port ssh flags S/SA
:
:I want to put a list of IPs that should be able to ssh to the
:int_if (by substituting "! 192.168.0.15" with $admin and
:declaring admin = "{ !10.5.5.5, !10.4.4.4 }"). Unfortunately,
:it looks like because of the quick, this doesn't work (and the
:quick is needed because of the following pass rules). Moving
:this block rule after the following pass rules didn't help. Is
:there something obvious that I am missing?
:
:Thanks,
:Vasil
:

PF generates the following rules from that statement:

...
block return in quick on $int_if proto tcp from ! 10.5.5.5 \
    to $int_if port ssh flags S/SA
block return in quick on $int_if proto tcp from ! 10.4.4.4 \
    to $int_if port ssh flags S/SA
...

So it ends up blocking everything.  I think you want to use a table for
negation lists.

Err, now that I read your rules, I think the following would work better:

...
block return all
pass in on $int_if proto tcp from { 10.5.5.5, 10.4.4.4 } \
    to $int_if port ssh flags S/SA
...

(I assume you want only 10.5.5.5 and 10.4.4.4 to ssh into this machine)

-- 
Endless Loop: n., see Loop, Endless.
Loop, Endless: n., see Endless Loop.
    -- Random Shack Data Processing Dictionary
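The reason the negated list blocks everyone is easier to see with a small model of how pf expands an address list and then walks the ruleset. The script below is an added illustration for this thread, not pf source and not either poster's ruleset: it models only list expansion (one rule per element, as the reply shows), `!` negation, and pf's "last matching rule wins, unless the rule is quick" evaluation; interfaces, ports, flags and tables are left out, and the host addresses are the ones quoted in the thread plus one constructed outside address.

```python
"""Toy model of pf list expansion and rule evaluation (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    quick: bool      # a matching quick rule ends evaluation at once
    negate: bool     # True when the source was written with "!"
    src: str         # one address after expansion; "any" matches every source

    def matches(self, src: str) -> bool:
        hit = self.src == "any" or self.src == src
        return not hit if self.negate else hit


def expand(action: str, quick: bool, sources: List[str]) -> List[Rule]:
    """Mimic pfctl's expansion of `from { a, b }`: one rule per element.

    An element written as "!addr" becomes a separate rule negating that one
    address, which is exactly the pair of rules quoted in the reply above.
    """
    out = []
    for s in sources:
        neg = s.startswith("!")
        out.append(Rule(action, quick, neg, s.lstrip("! ").strip()))
    return out


def evaluate(rules: List[Rule], src: str) -> str:
    """Walk the ruleset in order; the last matching rule wins, except that a
    matching rule marked quick stops the walk. No match at all means pass,
    which is pf's default."""
    verdict = "pass"
    for r in rules:
        if r.matches(src):
            verdict = r.action
            if r.quick:
                break
    return verdict


def verdicts(rules: List[Rule], sources: List[str]) -> Dict[str, str]:
    return {s: evaluate(rules, s) for s in sources}


# The original attempt: block return in quick ... from { !10.5.5.5, !10.4.4.4 }
NEGATED_LIST = expand("block", True, ["!10.5.5.5", "!10.4.4.4"])

# The reply's suggestion: block everything, then pass the two admin hosts.
BLOCK_THEN_PASS = [Rule("block", False, False, "any")] + expand(
    "pass", False, ["10.5.5.5", "10.4.4.4"]
)

if __name__ == "__main__":
    # 192.168.0.99 is a constructed "some other host" address
    hosts = ["10.5.5.5", "10.4.4.4", "192.168.0.99"]
    print("negated list :", verdicts(NEGATED_LIST, hosts))
    print("block + pass :", verdicts(BLOCK_THEN_PASS, hosts))
```

Every source address fails the `! 10.5.5.5` test or the `! 10.4.4.4` test (or both), and because each expanded rule is quick the first one that matches decides, so 10.5.5.5 is blocked by the second rule and 10.4.4.4 by the first. With `block return all` followed by a non-quick `pass` for the admin list, the pass rules are the last match for those two hosts and nothing else gets past the block.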
