Solved: Negation in tables for packet filter

2007-02-06 Thread Erik Norgaard

Erik Norgaard wrote:

I want to create two tables in my packet filter, the first should match 
any valid public ip, so I created a table negating anything reserved:


table  const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
!192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }


Of course, I could do something different here, defining a table for 
 networks and negate it. The rest should be caught by the 
filtering rules anyway to block non-routable packets.


I have three tables with 
different registered hosts with different access levels, I want to 
redirect unknown hosts to a page explaining what to do to get registered,


rdr on $wlan_if proto tcp from { $wlan_net ! ! ! } \
 to  port http -> 127.0.0.1 port 8000


This one is solved with:

no rdr on $wlan_if proto tcp from {} \
  to  port http
rdr on $wlan_if proto tcp from $wlan_net to ! \
  port http -> 127.0.0.1 port 8000

However, it would be nice to know if the documentation is incorrect, or 
there is a difference in how negation is treated in nat and filter 
respectively.


Thanks, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org




Re: Negation in tables for packet filter

2007-01-30 Thread Erik Norgaard

I got this response off-list:
Lowell Gilbert wrote:

> Erik Norgaard <[EMAIL PROTECTED]> writes:
>
>> table  const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
>>!192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
>
> Think about it; this matches *everything*.  All possible packets are
> in either !10/8 or !127/8.  etc.

This is clear if tables are a simple or'ing of the entries, but the 
documentation is somewhat confusing, they give this example 
(http://www.openbsd.org/faq/pf/tables.html):



  table  { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }

  block in on dc0 all
  pass  in on dc0 from  to any

* 172.16.50.5 - narrowest match is 172.16.0.0/16; packet matches the
  table and will be passed
* 172.16.1.25 - narrowest match is !172.16.1.0/24; packet matches an
  entry in the table but that entry is negated (uses the "!" modifier);
  packet does not match the table and will be blocked
* 172.16.1.100 - exactly matches 172.16.1.100; packet matches the
  table and will be passed
* 10.1.4.55 - does not match the table and will be blocked


so maybe I should add 0/0 to the above list?

Thanks, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org


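As an added illustration (not part of the thread), here is a small Python model of the "narrowest match" rule the FAQ excerpt above describes, applied to the FAQ's own table and to the all-negated table from the first post, with and without the 0/0 entry being asked about; the sample addresses are constructed, and the code models the documented rule rather than pf itself.

```python
from ipaddress import ip_address, ip_network

def parse_table(entries):
    """Parse pf-style table entries into (network, negated) pairs.
    A leading '!' marks a negated entry; short prefixes such as
    '172.16/12' are padded to four octets the way pf accepts them."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        addr, _, plen = entry.lstrip("!").partition("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        parsed.append((ip_network(f"{addr}/{plen or 32}", strict=False), negated))
    return parsed

def table_match(table, address):
    """Decide membership the way the quoted FAQ describes: the most
    specific (longest-prefix) entry containing the address wins, and
    if that entry is negated the address does NOT match. An address
    contained in no entry at all does not match either."""
    addr = ip_address(address)
    best = None
    for net, negated in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]

# Table from the FAQ example quoted above.
FAQ_TABLE = parse_table(["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"])

# The all-negated table from the original post.
RESERVED = ["!0/8", "!10/8", "!127/8", "!169.254/16", "!172.16/12",
            "!192.0.2/24", "!192.168/16", "!198.18/15", "!224/4", "!240/4"]
NEGATED_ONLY = parse_table(RESERVED)

# The variant asked about: a positive 0/0 catch-all plus the negations.
WITH_CATCHALL = parse_table(["0/0"] + RESERVED)

if __name__ == "__main__":
    # 203.0.113.9 is a constructed sample address outside every negated range.
    for name, table in [("negated only", NEGATED_ONLY), ("with 0/0", WITH_CATCHALL)]:
        for ip in ("203.0.113.9", "10.1.1.1", "192.168.0.7"):
            print(f"{name:13} {ip:12} -> {table_match(table, ip)}")
```

Under that rule the all-negated table matches no address at all, since every address falls either in a negated entry or in no entry, while a positive 0/0 turns the negations into exceptions carved out of a catch-all.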


Negation in tables for packet filter

2007-01-28 Thread Erik Norgaard

Hi:

I want to create two tables in my packet filter, the first should match 
any valid public ip, so I created a table negating anything reserved:


table  const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
   !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }

So with the above I should be able to correctly NAT anything going to 
the internet and the rest should not be NAT'ed - either it is locally 
routable or should be blocked.


nat on $dsn_if from {} \
to  -> ($dsn_if)

This doesn't work as expected, instead I have to remove all negations in 
the table and create a non-internet table and negate that in the nat 
rule. Shouldn't they work equivalently? (I also want to use the 
 table in my filter rules, so I like to define a table).


The second should match unknown local hosts, I have three tables with 
different registered hosts with different access levels, I want to 
redirect unknown hosts to a page explaining what to do to get registered,


rdr on $wlan_if proto tcp from { $wlan_net ! ! ! } \
to  port http -> 127.0.0.1 port 8000

This doesn't work either, the table is expanded to four rdr rules, and 
they are applied before the nat - even if I place it after in the 
ruleset, so I can't just remove the ! and have the rdr catch up 
all that is not nat'ed in the previous nat-rule.


So, how do I create my nat rules so they work as expected - or that is, 
that work as I want?


Thanks, Erik

--
Ph: +34.666334818  web: http://www.locolomo.org

