Re: double NOT in rules is not working as expected

2011-04-08 Thread Claudio Jeker
On Fri, Apr 08, 2011 at 01:19:59PM +0300, Bojidara Marinchovska wrote:
 Hello,
 
 netif=netif
 test1=1.2.3.4
 test2=2.3.4.5
 
 block in quick on $netif from {!$test1, !$test2} to x.x.x.x - blocks
 the access from the IPs from test1 and test2 macros, BUT it should
 block all others EXCEPT these ones
 
 --
 block in quick on $netif from {$test1, $test2} to x.x.x.x - this
 rule works as expected
 --
 block in quick on $netif from {!$test1, $test2} to x.x.x.x - this
 rule works as expected

This is complex for
block in quick on $netif from {!$test1} to x.x.x.x

 --
 block in quick on $netif from {$test1, !$test2} to x.x.x.x - this
 rule works as expected

This is again complex for
block in quick on $netif from {!$test2} to x.x.x.x
 
 I know example rule :
 
 block in quick on $netif from {!$test1, !$test2} to x.x.x.x
 
 can be replaced with:
 
 pass in quick on $netif from {$test1, $test2} to x.x.x.x
 block in quick on $netif from any to x.x.x.x

This is wrong. It is expanded to:
 block in quick on $netif from {!$test1} to x.x.x.x
 block in quick on $netif from {!$test2} to x.x.x.x

and this is just a simple
 block in quick on $netif to x.x.x.x

The {foo, bar} notation results in an OR operation so
foo || bar. Now !foo || !bar with foo != bar is always true.
 
 In the example I used macros, also tried with tables or direct
 inserting of IP addresses instead of using macros or tables, but it
 does not work as expected
 
 So it is possible to use {$test, $test1}, but isn't double
 negation as following: {!$test1, !$test2} ?
 

-- 
:wq Claudio


Re: double NOT in rules is not working as expected

2011-04-08 Thread Bojidara Marinchovska

On 04/08/11 14:04, Claudio Jeker wrote:

On Fri, Apr 08, 2011 at 01:19:59PM +0300, Bojidara Marinchovska wrote:

Hello,

netif=netif
test1=1.2.3.4
test2=2.3.4.5

block in quick on $netif from {!$test1, !$test2} to x.x.x.x - blocks
the access from the IPs from test1 and test2 macros, BUT it should
block all others EXCEPT these ones

--
block in quick on $netif from {$test1, $test2} to x.x.x.x - this
rule works as expected
--
block in quick on $netif from {!$test1, $test2} to x.x.x.x - this
rule works as expected

This is complex for
block in quick on $netif from {!$test1} to x.x.x.x


--
block in quick on $netif from {$test1, !$test2} to x.x.x.x - this
rule works as expected

This is again complex for
block in quick on $netif from {!$test2} to x.x.x.x


I know example rule :

block in quick on $netif from {!$test1, !$test2} to x.x.x.x

can be replaced with:

pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x

This is wrong. It is expanded to:
  block in quick on $netif from {!$test1} to x.x.x.x
  block in quick on $netif from {!$test2} to x.x.x.x

Hello,
It is not wrong, but I cannot find whether it is possible to use negation with
AND (something like block in quick from !{$a, $b, $c}), and yes, as it
is typed it will produce exactly the ruleset you wrote.


So if the rules in the conf are defined separately (not interpreted as
subrules)


block in quick on $netif from !$test1 to x.x.x.x
block in quick on $netif from !$test2 to x.x.x.x

why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed by
the first rule? (rules are read from top to bottom)


If test1 contains 1.2.3.4 and test2 contains 2.3.4.5, and I try to
establish a connection from 2.3.4.5 to x.x.x.x, it should be blocked by the 1st
block rule, which is, as you already wrote:


block in quick on $netif from {!$test1} to x.x.x.x

but if I try to establish a connection from 1.2.3.4 to x.x.x.x, it should
not be blocked by the second rule and should be matched by the first one

So the correct question is how to accomplish

pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x

with only 1 rule ?

and this is just a simple
  block in quick on $netif to x.x.x.x

The {foo, bar} notation results in an OR operation so
foo || bar. Now !foo || !bar with foo != bar is always true.


In the example I used macros, also tried with tables or direct
inserting of IP addresses instead of using macros or tables, but it
does not work as expected

So it is possible to use {$test, $test1}, but isn't double
negation as following: {!$test1, !$test2} ?

Re: double NOT in rules is not working as expected

2011-04-08 Thread Stuart Henderson
On 2011/04/08 15:42, Bojidara Marinchovska wrote:
 It is not wrong, but I cannot find whether it is possible to use negation with
 AND (something like block in quick from !{$a, $b, $c}), and yes, as
 it is typed it will produce exactly the ruleset you wrote.
 
 So if the rules in the conf are defined separately (not interpreted as
 subrules)
 
 block in quick on $netif from !$test1 to x.x.x.x
 block in quick on $netif from !$test2 to x.x.x.x

let's fill in the macros because they really don't help.

block in quick on netif from !1.2.3.4 to x.x.x.x
block in quick on netif from !2.3.4.5 to x.x.x.x

 why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed
 by the first rule? (rules are read from top to bottom)

the first rule doesn't pass anything, it only blocks: it blocks
everything except for 1.2.3.4

so the only traffic which reaches the second rule is that from 1.2.3.4

the second rule doesn't pass anything, it only blocks: it blocks
everything except for 2.3.4.5

so the second rule is irrelevant because packets from 2.3.4.5 get
blocked at the first rule.

 So the correct question is how to accomplish
 
 pass in quick on $netif from {$test1, $test2} to x.x.x.x
 block in quick on $netif from any to x.x.x.x
 
 with only 1 rule ?

why do you want only 1 rule? isn't it clearer to use the two rules?
you might be able to do what you want with tables though, see the faq
about negation.



Re: double NOT in rules is not working as expected

2011-04-08 Thread Daniel Hartmeier
On Fri, Apr 08, 2011 at 03:42:41PM +0300, Bojidara Marinchovska wrote:

 So the correct question is how to accomplish
 
 pass in quick on $netif from {$test1, $test2} to x.x.x.x
 block in quick on $netif from any to x.x.x.x
 
 with only 1 rule ?

While negating a list never does what you want, negating a table
does the expected:

  table <test> const { 1.2.3.4, 2.3.4.5 }
  block from ! <test> to x.x.x.x

The rule matches any source except 1.2.3.4 and 2.3.4.5.

See http://www.openbsd.org/faq/pf/tables.html for more examples.

Daniel


Re: double NOT in rules is not working as expected

2011-04-08 Thread Bojidara Marinchovska

Hello , thank you

But what I want is to negate a list (a list of tables, a list of macros, 
a list of IPs), i.e.


I want

table <a> const {1.2.3.4}
table <b> const {2.3.4.5}
table <c> const {3.4.5.6}
and
block from ! {<a>, <b>, <c>}

I explain in details in the last email


On 04/08/11 16:39, Daniel Hartmeier wrote:

On Fri, Apr 08, 2011 at 03:42:41PM +0300, Bojidara Marinchovska wrote:


So the correct question is how to accomplish

pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x

with only 1 rule ?

While negating a list never does what you want, negating a table
does the expected:

   table <test> const { 1.2.3.4, 2.3.4.5 }
   block from !<test> to x.x.x.x

The rule matches any source except 1.2.3.4 and 2.3.4.5.

See http://www.openbsd.org/faq/pf/tables.html for more examples.

Daniel


Re: double NOT in rules is not working as expected

2011-04-08 Thread Bojidara Marinchovska

On 04/08/11 16:11, Stuart Henderson wrote:

On 2011/04/08 15:42, Bojidara Marinchovska wrote:

It is not wrong, but I cannot find whether it is possible to use negation with
AND (something like block in quick from !{$a, $b, $c}), and yes, as
it is typed it will produce exactly the ruleset you wrote.

So if the rules in the conf are defined separately (not interpreted as
subrules)

block in quick on $netif from !$test1 to x.x.x.x
block in quick on $netif from !$test2 to x.x.x.x

let's fill in the macros because they really don't help.

block in quick on netif from !1.2.3.4 to x.x.x.x
block in quick on netif from !2.3.4.5 to x.x.x.x


why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed
by the first rule? (rules are read from top to bottom)

the first rule doesn't pass anything, it only blocks: it blocks
everything except for 1.2.3.4

so the only traffic which reaches the second rule is that from 1.2.3.4

the second rule doesn't pass anything, it only blocks: it blocks
everything except for 2.3.4.5

so the second rule is irrelevant because packets from 2.3.4.5 get
blocked at the first rule.


So the correct question is how to accomplish

pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x

with only 1 rule ?

why do you want only 1 rule? isn't it clearer to use the two rules?
you might be able to do what you want with tables though, see the faq
about negation.


Hello,

Thank you, yes, my mistake about block; whole day looking at the 2 rules 
...

As Claudio already wrote


The {foo, bar} notation results in an OR operation so
foo || bar. Now !foo || !bar with foo != bar is always true.




As I can define with 1 rule for example
from { <tableA>, <tableB> }
I want to be able to use also
from ! { <tableA>, <tableB> }

Yes, it is clear ...


Yes, I wrote about negation in tables, there are enough examples of its 
usage in the Book of PF, but it is not what I need (following KISS)


Anyway thank you all
I am trying to accomplish something which would correctly be done not with a 
firewall but with other software, and I try to use rules that are as simple 
as possible


I have 2 types of lists with IPs which I put in tables (because these 
IPs change often and I don't want to reload the rules; it is easy to add 
just the new IP address)


table <lista> persist file /somefile
table <listb> persist file /someotherfile

IPs from list A have to be able to access IP A.A.A.A,B.B.B.B,C.C.C.C, 
D.D.D.D and E.E.E.E for example ( protocol, port )
IPs from list B have to be able to access for example only D.D.D.D and 
E.E.E.E


# block access to A.A.A.A - C.C.C.C for all except listA
block in quick on $if inet proto protocol from ! <lista> to A.A.A.A... 
port ...


# here I wanted to be able to use something like this to allow listA and 
listB to access D.D.D.D and E.E.E.E
block in quick on $if inet proto protocol from ! { <lista>, <listb> } to 
D.D.D.D,... port ...

instead of using:
pass in quick on $if inet proto protocol from { <lista>, <listb> } to 
D.D.D.D ... port ...

block in quick on $if inet proto protocol from any to D.D.D.D ... port ...

Fwd: Re: double NOT in rules is not working as expected

2011-04-08 Thread Bojidara Marinchovska



 Original Message 
Subject:Re: double NOT in rules is not working as expected
Date:   Fri, 08 Apr 2011 17:00:52 +0300
From:   Bojidara Marinchovska quintesse...@bobi.gateit.net
To: Stuart Henderson s...@spacehopper.org



On 04/08/11 16:11, Stuart Henderson wrote:

 On 2011/04/08 15:42, Bojidara Marinchovska wrote:

 It is not wrong, but I cannot find whether it is possible to use negation with
 AND (something like block in quick from !{$a, $b, $c}), and yes, as
 it is typed it will produce exactly the ruleset you wrote.

 So if the rules in the conf are defined separately (not interpreted as
 subrules)

 block in quick on $netif from !$test1 to x.x.x.x
 block in quick on $netif from !$test2 to x.x.x.x

 let's fill in the macros because they really don't help.

 block in quick on netif from !1.2.3.4 to x.x.x.x
 block in quick on netif from !2.3.4.5 to x.x.x.x


 why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed
 by the first rule? (rules are read from top to bottom)

 the first rule doesn't pass anything, it only blocks: it blocks
 everything except for 1.2.3.4

 so the only traffic which reaches the second rule is that from 1.2.3.4

 the second rule doesn't pass anything, it only blocks: it blocks
 everything except for 2.3.4.5

 so the second rule is irrelevant because packets from 2.3.4.5 get
 blocked at the first rule.


 So the correct question is how to accomplish

 pass in quick on $netif from {$test1, $test2} to x.x.x.x
 block in quick on $netif from any to x.x.x.x

 with only 1 rule ?

 why do you want only 1 rule? isn't it clearer to use the two rules?
 you might be able to do what you want with tables though, see the faq
 about negation.


Hello,

Thank you, yes, my mistake about block; whole day looking at the 2 rules
...
As Claudio already wrote


The {foo, bar} notation results in an OR operation so
foo || bar. Now !foo || !bar with foo != bar is always true.




As I can define with 1 rule for example
from { <tableA>, <tableB> }
I want to be able to use also
from ! { <tableA>, <tableB> }

Yes, it is clear ...


Yes, I wrote about negation in tables, there are enough examples of its
usage in the Book of PF, but it is not what I need (following KISS)

Anyway thank you all
I am trying to accomplish something which would correctly be done not with a
firewall but with other software, and I try to use rules that are as simple
as possible

I have 2 types of lists with IPs which I put in tables (because these
IPs change often and I don't want to reload the rules; it is easy to add
just the new IP address)

table <lista> persist file /somefile
table <listb> persist file /someotherfile

IPs from list A have to be able to access IP A.A.A.A,B.B.B.B,C.C.C.C,
D.D.D.D and E.E.E.E for example ( protocol, port )
IPs from list B have to be able to access for example only D.D.D.D and
E.E.E.E

# block access to A.A.A.A - C.C.C.C for all except listA
block in quick on $if inet proto protocol from !<lista> to A.A.A.A...
port ...

# here I wanted to be able to use something like this to allow listA and
listB to access D.D.D.D and E.E.E.E
block in quick on $if inet proto protocol from ! {<lista>, <listb>} to
D.D.D.D,... port ...
instead of using:
pass in quick on $if inet proto protocol from {<lista>, <listb>} to
D.D.D.D ... port ...
block in quick on $if inet proto protocol from any to D.D.D.D ... port ...

Re: Fwd: Re: double NOT in rules is not working as expected

2011-04-08 Thread Ryan McBride
I really think this violates your intended KISS principle, and you
would be a lot better off by simply making a file that contains
/somefile and /someotherfile, and loading all that into a 3rd table to
be used when you want both, eg.

  table <listab> persist file /someotherotherfile
  block in quick on $if from ! <listab> to D.D.D.D...

However, another way to get the effect you want is:

  pass in on $if from <lista> tag LISTAB
  pass in on $if from <listb> tag LISTAB
  block in quick on $if inet from any to D.D.D.D ! tagged LISTAB

(you can use 'match' instead of 'pass' for the first 2 rules if you're
using a recent enough version of PF)

-Ryan



On Fri, Apr 08, 2011 at 06:39:47PM +0300, Bojidara Marinchovska wrote:
 Yes, I wrote about negation in tables, there are enough examples of its
 usage in the Book of PF, but it is not what I need (following KISS)
 
 Anyway thank you all
 I am trying to accomplish something which would correctly be done not with a
 firewall but with other software, and I try to use rules that are as simple
 as possible
 
 I have 2 types of lists with IPs which I put in tables (because these
 IPs change often and I don't want to reload the rules; it is easy to add
 just the new IP address)
 
 table <lista> persist file /somefile
 table <listb> persist file /someotherfile
 
 IPs from list A have to be able to access IP A.A.A.A,B.B.B.B,C.C.C.C,
 D.D.D.D and E.E.E.E for example ( protocol, port )
 IPs from list B have to be able to access for example only D.D.D.D and
 E.E.E.E
 
 # block access to A.A.A.A - C.C.C.C for all except listA
 block in quick on $if inet proto protocol from !<lista> to A.A.A.A...
 port ...
 
 # here I wanted to be able to use something like this to allow listA and
 listB to access D.D.D.D and E.E.E.E
 block in quick on $if inet proto protocol from ! {<lista>, <listb>} to
 D.D.D.D,... port ...
 instead of using:
 pass in quick on $if inet proto protocol from {<lista>, <listb>} to
 D.D.D.D ... port ...
 block in quick on $if inet proto protocol from any to D.D.D.D ... port ...
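The three rulesets argued over in this thread, modelled in a small Python simulation of pf's first-match-with-quick evaluation. This is an added example, not code from the thread or from pf itself; the addresses are the thread's $test1 and $test2 plus a constructed outsider, and the Rule/evaluate model is a deliberate simplification that only covers source address, negation, quick, and tag/tagged.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional
# Constructed sample addresses: the thread's $test1 and $test2, plus an outsider.
TEST1, TEST2, OTHER = "1.2.3.4", "2.3.4.5", "9.9.9.9"

@dataclass
class Rule:
    action: str                            # "block" or "pass"
    src: Optional[FrozenSet[str]] = None   # addresses in "from ..." (None = any)
    negate: bool = False                   # "from ! ...": match sources NOT listed
    quick: bool = False                    # stop at the first matching rule
    tag: Optional[str] = None              # "tag X": label the packet on match
    tagged: Optional[str] = None           # "tagged X": require an earlier tag
    not_tagged: bool = False               # "! tagged X": require the tag be absent

    def matches(self, src_ip, tags):
        if self.src is not None and (src_ip in self.src) == self.negate:
            return False
        if self.tagged is not None and (self.tagged in tags) == self.not_tagged:
            return False
        return True

def evaluate(rules, src_ip):
    """Model of pf evaluation: last match wins unless a matching rule is quick."""
    verdict, tags = "pass", set()          # nothing matched: pf passes by default
    for r in rules:
        if not r.matches(src_ip, tags):
            continue
        if r.tag:
            tags.add(r.tag)
        verdict = r.action
        if r.quick:
            break
    return verdict

def verdicts(rules):
    return {ip: evaluate(rules, ip) for ip in (TEST1, TEST2, OTHER)}

# 1. "block in quick from {!$test1, !$test2}": the list is expanded into one rule
#    per element, so the two negations are OR-ed and at least one always matches.
LIST_NEGATION = [Rule("block", frozenset({a}), negate=True, quick=True)
                 for a in (TEST1, TEST2)]
# 2. Negating one table, "block in quick from ! <tablename>", is a single rule.
TABLE_NEGATION = [Rule("block", frozenset({TEST1, TEST2}), negate=True, quick=True)]
# 3. Ryan's tag approach: mark members of either table, then block the untagged.
TAGGED = [Rule("pass", frozenset({TEST1}), tag="LISTAB"),
          Rule("pass", frozenset({TEST2}), tag="LISTAB"),
          Rule("block", quick=True, tagged="LISTAB", not_tagged=True)]
```

Calling verdicts() on each ruleset shows the list form blocking all three sources, while the table and tag forms block only the outsider.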