Re: How to implement PF tables

2006-07-30 Thread Jeff Quast

On 7/30/06, jared r r spiegel <[EMAIL PROTECTED]> wrote:

  anywhere you can put a comma, you can also leave it out; pfctl(8)
  parses the rule the same.

--



I had commas give me problems around 3.7.

But you're right, it shouldn't give problems anymore.



Re: How to implement PF tables

2006-07-30 Thread jared r r spiegel
> >tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
> >
> >you need to separate with "," to make that rule work.

  just to touch base on that, the brackets signify
  the comma is optional. ( not the first time i've seen a suggestion
  that someone needed to add/remove a comma for pf.conf ).

  anywhere you can put a comma, you can also leave it out; pfctl(8)
  parses the rule the same.

-- 

  jared

[ openbsd 3.9-current GENERIC ( jun 22 ) // i386 ]



Re: How to implement PF tables

2006-07-30 Thread Jason Dixon
> i am structuring my first firewall server. I am having hard times with
> the following building a table that holds every IPv4 address but
> excludes a given range.
>
> My initial idea was:
>
> table  { 0/0 !x.b.c/24 }
>
>
> But it is not acceptable.
>
> How would you handle that?

By default, any rule will match 0/0 by just using the "any" or "all"
keywords.  Think about it.



So, may i get your words for:

table  { any !x.b.c/24 }


No.  Step back and think about this for a second.  By default, any  
filter rule will match *everything*.  Example:


block in on $ext_if from any to any
(or)
block in on $ext_if all

Stop trying to shoehorn the entire internet into a table.  You don't  
need to.  Use negation to block the bad stuff.  Example:


table <bad_hosts> { 1.2.3.4 }
pass in on $ext_if from !<bad_hosts> to $webserver port 80

Translated, this is the same as saying "pass in on my external  
interface, any host *except* 1.2.3.4 to my webserver's port 80."


HTH.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
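To make the two points in this thread concrete (jared's note that the comma in the table grammar is optional, and Jason's point that `from !<bad_hosts>` negates table membership at the rule level rather than needing "the whole internet" in a table), here is a small evaluator, written for this page and not taken from pf or from anyone in the thread. It parses a pf.conf-style address list with or without commas and evaluates membership the way I understand pf to evaluate tables with negated entries: the most specific (longest-prefix) entry containing the address decides, and a negated winner means "not a member". The longest-prefix rule, the padding of short IPv4 prefixes like `10/8`, and the sample addresses are all assumptions of the model; it handles only address literals and CIDR prefixes, not the rest of pf.conf.

```python
"""Model of pf table and rule negation (added illustration; not pf's code).

pf.conf(5) lets a table hold negated entries, e.g.
    table <goodguys> { 192.0.2.0/24, !192.0.2.5 }
and lets a rule negate table membership, e.g.
    pass in on $ext_if from !<bad_hosts> to $webserver port 80
This evaluator models those semantics as I understand them (assumption):
the longest prefix containing an address decides membership, a negated
entry means "not a member", and a rule-level '!' inverts the test.
It is a model for reasoning about rules, not a pf.conf parser.
"""
import ipaddress
import re

# one entry: optional '!' then an IPv4/IPv6 literal with optional /prefix
_ENTRY = re.compile(r"(!?)([0-9A-Fa-f:.]+(?:/\d+)?)")


def _expand_v4_shorthand(addr):
    """pf accepts short IPv4 prefixes such as 10/8 or 0/0; pad them to a
    dotted quad so ipaddress will parse them (assumed to mirror pf)."""
    net, _, plen = addr.partition("/")
    octets = net.split(".")
    if ":" not in net and all(o.isdigit() for o in octets) and len(octets) < 4:
        net = ".".join(octets + ["0"] * (4 - len(octets)))
    return net + ("/" + plen if plen else "")


def parse_table_list(spec):
    """Parse a '{ ... }' address list into [(negated, network), ...].
    Entries may be separated by whitespace, commas, or both: the grammar's
    [ "," ] makes the comma optional, so both spellings parse identically."""
    body = spec.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    entries = []
    for item in re.split(r"[\s,]+", body):
        if not item:
            continue
        m = _ENTRY.fullmatch(item)
        if m is None:
            raise ValueError("bad table entry: %r" % item)
        negated = m.group(1) == "!"
        net = ipaddress.ip_network(_expand_v4_shorthand(m.group(2)), strict=False)
        entries.append((negated, net))
    return entries


def table_matches(entries, address):
    """True if `address` is a member of the table: the longest prefix that
    contains the address wins, and a negated winner means 'not a member'."""
    addr = ipaddress.ip_address(address)
    best = None
    for negated, net in entries:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (negated, net)
    return best is not None and not best[0]


def rule_matches(entries, address, negate_table=False):
    """'from <t>' matches members; 'from !<t>' matches non-members."""
    return table_matches(entries, address) != negate_table


if __name__ == "__main__":
    # Jason's example: pass in on $ext_if from !<bad_hosts> ...
    bad_hosts = parse_table_list("{ 1.2.3.4 }")
    for src in ("1.2.3.4", "203.0.113.9"):       # constructed sample sources
        verdict = "pass" if rule_matches(bad_hosts, src, negate_table=True) else "no match"
        print("from !<bad_hosts>  src=%-12s -> %s" % (src, verdict))
    # negated table entry, written with and without the optional comma
    goodguys = parse_table_list("{ 192.0.2.0/24, !192.0.2.5 }")
    assert goodguys == parse_table_list("{ 192.0.2.0/24 !192.0.2.5 }")
    for src in ("192.0.2.9", "192.0.2.5"):
        print("<goodguys> member?  %-12s -> %s" % (src, table_matches(goodguys, src)))
```

The `rule_matches(..., negate_table=True)` call is the model of `from !<bad_hosts>`: the table holds only the hosts you want to exclude, and the rule's `!` supplies the "everything else", which is why no `0/0` entry is needed.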



Re: How to implement PF tables

2006-07-30 Thread Gustavo Rios

So, may i get your words for:

table  { any !x.b.c/24 }

Thanks.

On 7/30/06, Jason Dixon <[EMAIL PROTECTED]> wrote:

On Jul 30, 2006, at 3:50 AM, Gustavo Rios wrote:

> Hey folks,
>
> i am structuring my first firewall server. I am having hard times with
> the following building a table that holds every IPv4 address but
> excludes a given range.
>
> My initial idea was:
>
> table  { 0/0 !x.b.c/24 }
>
>
> But it is not acceptable.
>
> How would you handle that?

By default, any rule will match 0/0 by just using the "any" or "all"
keywords.  Think about it.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net




Re: How to implement PF tables

2006-07-30 Thread Jason Dixon

On Jul 30, 2006, at 3:50 AM, Gustavo Rios wrote:


> Hey folks,
>
> i am structuring my first firewall server. I am having hard times with
> the following building a table that holds every IPv4 address but
> excludes a given range.
>
> My initial idea was:
>
> table  { 0/0 !x.b.c/24 }
>
>
> But it is not acceptable.
>
> How would you handle that?


By default, any rule will match 0/0 by just using the "any" or "all"  
keywords.  Think about it.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: How to implement PF tables

2006-07-30 Thread Gustavo Rios

Dear Diehm,

thanks a lot for your time and cooperation. Best regards.

I would like a rule that match every single IPv4 address, except for a
given range.

I read somewhere 0/0 is not accepted, so:

table  persist { 0/0 !a.b.c/24 }

should not work in pf. So, how could I have it implemented another way?

Thanks in advance.

On 7/30/06, Mischa Diehm <[EMAIL PROTECTED]> wrote:

Hi,

is it just the syntax you have problems with?

On Sun, Jul 30, 2006 at 04:50:46AM -0300, Gustavo Rios wrote:
> table  { 0/0 !x.b.c/24 }

tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec


you need to separate with "," to make that rule work.

> But it is not acceptable.

by pf or in general are you looking for a different solution?

Mischa
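Gustavo asks how "every IPv4 address except a range" could be implemented another way. The simpler answer, given earlier in the thread, is rule-level negation (`from !<table>`). If a positive-only list is genuinely needed, for example because the table is kept in a file that is loaded with `pfctl -t <name> -T replace -f <file>` or declared as `table <name> persist file "<file>"`, the complement of one range within 0.0.0.0/0 can be computed as a short list of aligned CIDR blocks. The code below is an added example written for this page, not from the thread or from pf; 192.0.2.0/24 is a documentation range standing in for the poster's x.b.c/24, and the table name and file path in the comments are made up for the illustration.

```python
"""'Every IPv4 address except one range' as a positive-only CIDR list.

Added example, not from the thread. 0.0.0.0/0 minus one /24 splits into
24 aligned blocks (one of each prefix length /1 .. /24). The output format
is one network per line, which is what the hypothetical
    table <allbut> persist file "/etc/pf.allbut"
or  pfctl -t allbut -T replace -f /etc/pf.allbut
would read (name and path are made up for this illustration).
"""
import ipaddress


def complement_blocks(excluded, universe="0.0.0.0/0"):
    """Return the sorted minimal list of networks covering `universe` with
    each network in `excluded` (one string or a list of strings) removed.
    CIDR blocks either nest or are disjoint, so three cases suffice."""
    if isinstance(excluded, str):
        excluded = [excluded]
    remaining = [ipaddress.ip_network(universe)]
    for ex in excluded:
        ex = ipaddress.ip_network(ex)
        keep = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                              # swallowed entirely
            if ex.subnet_of(net):
                keep.extend(net.address_exclude(ex))  # split around the hole
            else:
                keep.append(net)                      # disjoint, unchanged
        remaining = keep
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(blocks, address):
    """True if `address` falls inside one of the positive blocks."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == b.version and addr in b for b in blocks)


def to_table_file(blocks):
    """One network per line, the form pfctl -T add/replace -f reads."""
    return "\n".join(str(b) for b in blocks) + "\n"


if __name__ == "__main__":
    blocks = complement_blocks("192.0.2.0/24")   # constructed sample range
    print("%d blocks covering %d addresses"
          % (len(blocks), sum(b.num_addresses for b in blocks)))
    print(to_table_file(blocks), end="")
```

The list is exact (every address is in exactly one block or in the excluded range), but it is also the reason rule-level negation is preferable when it fits: every additional hole adds up to 24 more entries, and the file has to be regenerated and reloaded whenever the exclusions change.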