Re: OpenBSD 5.5: question regarding pf syntax
On 28 Sep 2014, at 05:00, System Administrator ad...@bitwise.net wrote:

> On 27 Sep 2014 at 18:50, Andrew Lester wrote:
>
>> Hey guys,
>>
>> I have what I hope is a simple syntax question for pf rules. I have not been able to find any example of this online or in the man pages. I suspect it is perhaps not possible.
>>
>> Basically I want to allow out certain web services, with a simple rule like below:
>>
>>   pass out on em0 proto tcp from 192.168.1.0/24 port $ports to any
>>
>> My trouble is with the $ports macro. Here's what I am trying to do:
>>
>>   $common= '{80,443,465,587,993}'
>>   $games= '{5222,7778,28900}'
>>   $ports= { $common $games }
>>
>> NOTE: In my real config the macros are above the rule, and I have tried with and without enclosing the top two macros in the single quotes.
>
> Your problem is not with the quotes but with the braces -- only one set of braces is needed and accepted when defining a list.

Or turn ports into a table and put the macros for each interesting set of ports into the table, and use the table in the rule etc.

>> This way when I need to allow specific applications out, instead of having a huge single macro where I will forget what the ports are for, I can have smaller macros that I just add into the single macro which I use in the pf rule. Instead of making a new rule for each application, I can just add to the $ports macro.
>>
>> pf however indicates that the $ports macro is not valid syntax. Is this a syntax error on my part, or is this something pf cannot do? Totally fine if the latter, I just want to make sure I am not missing something silly with the syntax. :)
>>
>> Warm regards,
>> Andrew
Re: OpenBSD 5.5: question regarding pf syntax
On 28 Sep 2014 at 8:44, Andy Lemin wrote:

> On 28 Sep 2014, at 05:00, System Administrator ad...@bitwise.net wrote:
>
>> On 27 Sep 2014 at 18:50, Andrew Lester wrote:
>>
>>> Hey guys,
>>>
>>> I have what I hope is a simple syntax question for pf rules. I have not been able to find any example of this online or in the man pages. I suspect it is perhaps not possible.
>>>
>>> Basically I want to allow out certain web services, with a simple rule like below:
>>>
>>>   pass out on em0 proto tcp from 192.168.1.0/24 port $ports to any
>>>
>>> My trouble is with the $ports macro. Here's what I am trying to do:
>>>
>>>   $common= '{80,443,465,587,993}'
>>>   $games= '{5222,7778,28900}'
>>>   $ports= { $common $games }
>>>
>>> NOTE: In my real config the macros are above the rule, and I have tried with and without enclosing the top two macros in the single quotes.
>>
>> Your problem is not with the quotes but with the braces -- only one set of braces is needed and accepted when defining a list.
>
> Or turn ports into a table and put the macros for each interesting set of ports into the table, and use the table in the rule etc.

Have you even tried this??? I'm quite certain that tables can only hold various forms of IP addresses and, accordingly, be used in place of source or destination *addresses* but not ports.

>>> This way when I need to allow specific applications out, instead of having a huge single macro where I will forget what the ports are for, I can have smaller macros that I just add into the single macro which I use in the pf rule. Instead of making a new rule for each application, I can just add to the $ports macro.
>>>
>>> pf however indicates that the $ports macro is not valid syntax. Is this a syntax error on my part, or is this something pf cannot do? Totally fine if the latter, I just want to make sure I am not missing something silly with the syntax. :)
>>>
>>> Warm regards,
>>> Andrew
Re: OpenBSD 5.5: question regarding pf syntax
On Sun, 28 Sep 2014 12:05:11 -0400, System Administrator ad...@bitwise.net wrote:

> On 28 Sep 2014 at 8:44, Andy Lemin wrote:
>
>> On 28 Sep 2014, at 05:00, System Administrator ad...@bitwise.net wrote:
>>
>>> On 27 Sep 2014 at 18:50, Andrew Lester wrote:
>>>
>>>> Hey guys,
>>>>
>>>> I have what I hope is a simple syntax question for pf rules. I have not been able to find any example of this online or in the man pages. I suspect it is perhaps not possible.
>>>>
>>>> Basically I want to allow out certain web services, with a simple rule like below:
>>>>
>>>>   pass out on em0 proto tcp from 192.168.1.0/24 port $ports to any
>>>>
>>>> My trouble is with the $ports macro. Here's what I am trying to do:
>>>>
>>>>   $common= '{80,443,465,587,993}'
>>>>   $games= '{5222,7778,28900}'
>>>>   $ports= { $common $games }
>>>>
>>>> NOTE: In my real config the macros are above the rule, and I have tried with and without enclosing the top two macros in the single quotes.
>>>
>>> Your problem is not with the quotes but with the braces -- only one set of braces is needed and accepted when defining a list.
>>
>> Or turn ports into a table and put the macros for each interesting set of ports into the table, and use the table in the rule etc.
>
> Have you even tried this??? I'm quite certain that tables can only hold various forms of IP addresses and, accordingly, be used in place of source or destination *addresses* but not ports.

I must admit that now you say it, I don't think I have! I use tables to hold many different macros containing IP address groups etc, but not ports. Was pretty tired when I wrote that and didn't think to question it.

>>>> This way when I need to allow specific applications out, instead of having a huge single macro where I will forget what the ports are for, I can have smaller macros that I just add into the single macro which I use in the pf rule. Instead of making a new rule for each application, I can just add to the $ports macro.
>>>>
>>>> pf however indicates that the $ports macro is not valid syntax. Is this a syntax error on my part, or is this something pf cannot do? Totally fine if the latter, I just want to make sure I am not missing something silly with the syntax. :)
>>>>
>>>> Warm regards,
>>>> Andrew
Re: OpenBSD 5.5: question regarding pf syntax
andy wrote:

> I have what I hope is a simple syntax question for pf rules.

BTW 3rd edition about to be released.

The Book of PF

In the third edition of The Book of PF (No Starch Press, Oct 2014, 248 pp., $34.95), author Peter N.M. Hansteen returns with more of the life-saving PF and BSD help that made the first two editions such a hit. With the help of this fast-paced, clear, instructional guide, readers will master the latest PF developments to build strong and secure networks better able to handle today's network demands.

-- 
Jack Woehr                 # There's too much emphasis on things
Box 51, Golden CO 80402    # like pawn structure in modern chess.
http://www.softwoehr.com   # Checkmate ends the game. - N. Short
Re: OpenBSD 5.5: question regarding pf syntax
2014-09-28 22:49 GMT+02:00 Jack Woehr jwo...@softwoehr.com:

> BTW 3rd edition about to be released.

The ebook _has_ been released. :-)

Best
Martin
Re: OpenBSD 5.5: question regarding pf syntax
Thanks all! My actual issue was using braces more than once.

To the last person that replied -- that was precisely what I am trying to avoid, having a rule defined for each set of ports!

Warm regards,
Andrew

Sent from my iPhone

On Sep 27, 2014, at 9:00 PM, System Administrator ad...@bitwise.net wrote:

> On 27 Sep 2014 at 18:50, Andrew Lester wrote:
>
>> Hey guys,
>>
>> I have what I hope is a simple syntax question for pf rules. I have not been able to find any example of this online or in the man pages. I suspect it is perhaps not possible.
>>
>> Basically I want to allow out certain web services, with a simple rule like below:
>>
>>   pass out on em0 proto tcp from 192.168.1.0/24 port $ports to any
>>
>> My trouble is with the $ports macro. Here's what I am trying to do:
>>
>>   $common= '{80,443,465,587,993}'
>>   $games= '{5222,7778,28900}'
>>   $ports= { $common $games }
>>
>> NOTE: In my real config the macros are above the rule, and I have tried with and without enclosing the top two macros in the single quotes.
>
> Your problem is not with the quotes but with the braces -- only one set of braces is needed and accepted when defining a list.
>
>> This way when I need to allow specific applications out, instead of having a huge single macro where I will forget what the ports are for, I can have smaller macros that I just add into the single macro which I use in the pf rule. Instead of making a new rule for each application, I can just add to the $ports macro.
>>
>> pf however indicates that the $ports macro is not valid syntax. Is this a syntax error on my part, or is this something pf cannot do? Totally fine if the latter, I just want to make sure I am not missing something silly with the syntax. :)
>>
>> Warm regards,
>> Andrew
Re: OpenBSD 5.5: question regarding pf syntax
On 27 Sep 2014 at 18:50, Andrew Lester wrote:

> Hey guys,
>
> I have what I hope is a simple syntax question for pf rules. I have not been able to find any example of this online or in the man pages. I suspect it is perhaps not possible.
>
> Basically I want to allow out certain web services, with a simple rule like below:
>
>   pass out on em0 proto tcp from 192.168.1.0/24 port $ports to any
>
> My trouble is with the $ports macro. Here's what I am trying to do:
>
>   $common= '{80,443,465,587,993}'
>   $games= '{5222,7778,28900}'
>   $ports= { $common $games }
>
> NOTE: In my real config the macros are above the rule, and I have tried with and without enclosing the top two macros in the single quotes.

Your problem is not with the quotes but with the braces -- only one set of braces is needed and accepted when defining a list.

> This way when I need to allow specific applications out, instead of having a huge single macro where I will forget what the ports are for, I can have smaller macros that I just add into the single macro which I use in the pf rule. Instead of making a new rule for each application, I can just add to the $ports macro.
>
> pf however indicates that the $ports macro is not valid syntax. Is this a syntax error on my part, or is this something pf cannot do? Totally fine if the latter, I just want to make sure I am not missing something silly with the syntax. :)
>
> Warm regards,
> Andrew
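An added pf.conf fragment (not posted by anyone in the thread) showing the brace fix from the reply above in the form pf.conf(5) accepts: the per-application macros hold bare port numbers and the single pair of braces is added once, when the combined list is built. It assumes the em0 interface and 192.168.1.0/24 network from the question, and it matches destination ports, whereas the question's rule (port written before to) matches the source port.

```pf
# Added example, not from the thread. Assumed: interface em0 and the
# 192.168.1.0/24 LAN from the question; the rule matches destination ports.

# What was tried (rejected by pfctl): each inner macro carries its own
# braces, so $ports expands to a list nested inside a list. Note also that
# macros are defined without the leading "$" and are not expanded inside
# quotes, so "{ $common $games }" would stay literal.
#   $common= '{80,443,465,587,993}'
#   $games= '{5222,7778,28900}'
#   $ports= { $common $games }

# Corrected: bare port numbers per application, one set of braces added
# when the combined list is assembled. Adding an application later means
# extending its own macro, not writing another rule.
common = "80 443 465 587 993"   # HTTP, HTTPS, SMTPS, submission, IMAPS
games  = "5222 7778 28900"      # the game-related ports from the question
ports  = "{" $common $games "}"

# Egress allow-list: LAN hosts may only open TCP connections to these ports.
pass out on em0 proto tcp from 192.168.1.0/24 to any port $ports
```

Run pfctl -nf on the file first: -n parses the ruleset without loading it, so a macro mistake like the nested braces shows up before the running ruleset is touched.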