Re: How to implement PF tables
On 7/30/06, jared r r spiegel <[EMAIL PROTECTED]> wrote:
> anywhere you can put a comma, you can also leave it out; pfctl(8) parses the rule the same.

I had commas give me problems around 3.7. But you're right, it shouldn't give problems anymore.
Re: How to implement PF tables
> > tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
> >
> > you need to separate with "," to make that rule work.

just to touch base on that, the brackets signify the comma is optional. ( not the first time i've seen a suggestion that someone needed to add/remove a comma for pf.conf ).

anywhere you can put a comma, you can also leave it out; pfctl(8) parses the rule the same.

--
jared

[ openbsd 3.9-current GENERIC ( jun 22 ) // i386 ]
Re: How to implement PF tables
> > > i am structuring my first firewall server. I am having hard times with
> > > the following building a tables that holds every IPv4 address but
> > > excludes a given range.
> > >
> > > My initial idea was:
> > >
> > > table { 0/0 !x.b.c/24 }
> > >
> > > But it is not acceptable.
> > >
> > > How would you handle that?
> >
> > By default, any rule will match 0/0 by just using the "any" or "all" keywords. Think about it.
>
> So, may i get your words for:
>
> table { any !x.b.c/24 }

No. Step back and think about this for a second. By default, any filter rule will match *everything*. Example:

block in on $ext_if from any to any

(or)

block in on $ext_if all

Stop trying to shoehorn the entire internet into a table. You don't need to. Use negation to block the bad stuff. Example:

table <bad_hosts> { 1.2.3.4 }
pass in on $ext_if from !<bad_hosts> to $webserver port 80

Translated, this is the same as saying "pass in on my external interface, any host *except* 1.2.3.4 to my webserver's port 80."

HTH.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
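Added example, not part of the thread: a small Python model of two points made above, jared's note that commas in a table address list are optional under the quoted tableaddr-list grammar, and Jason's advice to keep the table small and negate it in the rule (`from !<bad_hosts>`) rather than putting 0/0 or `any` into the table. Table lookup follows pf.conf(5) semantics (longest-prefix match, a `!` entry excludes a sub-range); the function names and the sample addresses are this example's own.

```python
import ipaddress

def parse_tableaddr_list(spec: str):
    """Parse the body of a pf table address list, e.g. '192.0.2.0/24, !192.0.2.1'.
    Grammar quoted in the thread:
        tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
    The comma is optional, so commas are treated exactly like whitespace.
    Returns a list of (network, negated) tuples."""
    entries = []
    for tok in spec.replace(",", " ").split():
        negated = tok.startswith("!")
        tok = tok.lstrip("!")
        if tok in ("any", "all"):
            # 'any'/'all' are filter-rule keywords, not a tableaddr-spec,
            # which is why 'table { any !x.b.c/24 }' is not a table.
            raise ValueError(f"{tok!r} is a rule keyword, not a table address")
        entries.append((ipaddress.ip_network(tok, strict=False), negated))
    return entries

def table_contains(entries, addr: str) -> bool:
    """pf table lookup: the most specific (longest-prefix) entry wins;
    if that entry is negated, the address is NOT in the table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]

def rule_passes(entries, src: str) -> bool:
    """Semantics of 'pass in ... from !<table>': the rule matches every
    source that is NOT in the table, so the table only needs the exceptions."""
    return not table_contains(entries, src)

if __name__ == "__main__":
    # Constructed sample data mirroring the thread's bad_hosts table.
    bad_hosts = parse_tableaddr_list("1.2.3.4")
    for src in ("203.0.113.9", "1.2.3.4"):
        print(src, "passes" if rule_passes(bad_hosts, src) else "blocked")
```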
Re: How to implement PF tables
So, may i get your words for:

table { any !x.b.c/24 }

Thanks.

On 7/30/06, Jason Dixon <[EMAIL PROTECTED]> wrote:
> On Jul 30, 2006, at 3:50 AM, Gustavo Rios wrote:
> > Hey folks,
> >
> > i am structuring my first firewall server. I am having hard times with
> > the following building a tables that holds every IPv4 address but
> > excludes a given range.
> >
> > My initial idea was:
> >
> > table { 0/0 !x.b.c/24 }
> >
> > But it is not acceptable.
> >
> > How would you handle that?
>
> By default, any rule will match 0/0 by just using the "any" or "all" keywords. Think about it.
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
Re: How to implement PF tables
On Jul 30, 2006, at 3:50 AM, Gustavo Rios wrote:
> Hey folks,
>
> i am structuring my first firewall server. I am having hard times with
> the following building a tables that holds every IPv4 address but
> excludes a given range.
>
> My initial idea was:
>
> table { 0/0 !x.b.c/24 }
>
> But it is not acceptable.
>
> How would you handle that?

By default, any rule will match 0/0 by just using the "any" or "all" keywords. Think about it.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: How to implement PF tables
Dear Diehm, thanks a lot for your time and cooperation. Best regards.

I would like a rule that matches every single IPv4 address, except for a given range. I read somewhere 0/0 is not accepted, so:

table persists { 0/0 !a.b.c/24 }

should not work by pf. So, how could i have it implemented another way?

Thanks in advance.

On 7/30/06, Mischa Diehm <[EMAIL PROTECTED]> wrote:
> Hi,
>
> is it just the syntax you have problems with?
>
> On Sun, Jul 30, 2006 at 04:50:46AM -0300, Gustavo Rios wrote:
> > table { 0/0 !x.b.c/24 }
>
> tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
>
> you need to separate with "," to make that rule work.
>
> > But it is not acceptable.
>
> by pf or in general are you looking for a different solution?
>
> Mischa