Re: double NOT in rules is not working as expected
On Fri, Apr 08, 2011 at 01:19:59PM +0300, Bojidara Marinchovska wrote:
> Hello,
>
> netif=netif
> test1=1.2.3.4
> test2=2.3.4.5
>
> block in quick on $netif from {!$test1, !$test2} to x.x.x.x
> - blocks the access from the IPs from the test1 and test2 macros, BUT it
>   should block all others EXCEPT these ones
> --
> block in quick on $netif from {$test1, $test2} to x.x.x.x
> - this rule works as expected
> --
> block in quick on $netif from {!$test1, $test2} to x.x.x.x
> - this rule works as expected
>   This is complex for block in quick on $netif from {!$test1} to x.x.x.x
> --
> block in quick on $netif from {$test1, !$test2} to x.x.x.x
> - this rule works as expected
>   This is again complex for block in quick on $netif from {!$test2} to x.x.x.x
>
> I know the example rule:
> block in quick on $netif from {!$test1, !$test2} to x.x.x.x
> can be replaced with:
> pass in quick on $netif from {$test1, $test2} to x.x.x.x
> block in quick on $netif from any to x.x.x.x

This is wrong. It is expanded to:
block in quick on $netif from {!$test1} to x.x.x.x
block in quick on $netif from {!$test2} to x.x.x.x
and this is just a simple
block in quick on $netif to x.x.x.x

The {foo, bar} notation results in an OR operation, so foo || bar. Now
!foo || !bar with foo != bar is always true.

> In the example I used macros, also tried with tables or directly inserting
> IP addresses instead of using macros or tables, but it does not work as
> expected
>
> So it is possible to use {$test, $test1}, but isn't double negation as
> following: {!$test1, !$test2} ?

-- 
:wq Claudio
Re: double NOT in rules is not working as expected
On 04/08/11 14:04, Claudio Jeker wrote:
> On Fri, Apr 08, 2011 at 01:19:59PM +0300, Bojidara Marinchovska wrote:
>> Hello,
>>
>> netif=netif
>> test1=1.2.3.4
>> test2=2.3.4.5
>>
>> block in quick on $netif from {!$test1, !$test2} to x.x.x.x
>> - blocks the access from the IPs from the test1 and test2 macros, BUT it
>>   should block all others EXCEPT these ones
>> --
>> block in quick on $netif from {$test1, $test2} to x.x.x.x
>> - this rule works as expected
>> --
>> block in quick on $netif from {!$test1, $test2} to x.x.x.x
>> - this rule works as expected
>>   This is complex for block in quick on $netif from {!$test1} to x.x.x.x
>> --
>> block in quick on $netif from {$test1, !$test2} to x.x.x.x
>> - this rule works as expected
>>   This is again complex for block in quick on $netif from {!$test2} to x.x.x.x
>>
>> I know the example rule:
>> block in quick on $netif from {!$test1, !$test2} to x.x.x.x
>> can be replaced with:
>> pass in quick on $netif from {$test1, $test2} to x.x.x.x
>> block in quick on $netif from any to x.x.x.x
>
> This is wrong. It is expanded to:
> block in quick on $netif from {!$test1} to x.x.x.x
> block in quick on $netif from {!$test2} to x.x.x.x

Hello,

It is not wrong, but I cannot find if it is possible to use negation with
AND (something like block in quick from !{$a, $b, $c}), and yes, as it is
typed it will produce exactly the ruleset you wrote.

So if the rules in the conf are defined separately (not interpreted as
subrules):

block in quick on $netif from !$test1 to x.x.x.x
block in quick on $netif from !$test2 to x.x.x.x

why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed by the
first rule? (rules are read from top to bottom)

If test1 contains 1.2.3.4 and test2 contains 2.3.4.5:

if I try to establish a connection from 2.3.4.5 to x.x.x.x it should be
blocked by the 1st block rule, which is, as you already wrote:
block in quick on $netif from {!$test1} to x.x.x.x

but if I try to establish a connection from 1.2.3.4 to x.x.x.x it should
not be blocked by the second rule and should be matched by the first one.

So the correct question is how to accomplish

pass in quick on $netif from {$test1, $test2} to x.x.x.x
block in quick on $netif from any to x.x.x.x

with only 1 rule?

> and this is just a simple
> block in quick on $netif to x.x.x.x
>
> The {foo, bar} notation results in an OR operation, so foo || bar. Now
> !foo || !bar with foo != bar is always true.
>
>> In the example I used macros, also tried with tables or directly inserting
>> IP addresses instead of using macros or tables, but it does not work as
>> expected
>>
>> So it is possible to use {$test, $test1}, but isn't double negation as
>> following: {!$test1, !$test2} ?
Re: double NOT in rules is not working as expected
On 2011/04/08 15:42, Bojidara Marinchovska wrote:
> It is not wrong, but I cannot find if it is possible to use negation with
> AND (something like block in quick from !{$a, $b, $c}), and yes, as it is
> typed it will produce exactly the ruleset you wrote.
>
> So if the rules in the conf are defined separately (not interpreted as
> subrules):
>
> block in quick on $netif from !$test1 to x.x.x.x
> block in quick on $netif from !$test2 to x.x.x.x

let's fill in the macros because they really don't help.

block in quick on netif from !1.2.3.4 to x.x.x.x
block in quick on netif from !2.3.4.5 to x.x.x.x

> why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed by the
> first rule? (rules are read from top to bottom)

the first rule doesn't pass anything, it only blocks: it blocks everything
except for 1.2.3.4
so the only traffic which reaches the second rule is that from 1.2.3.4

the second rule doesn't pass anything, it only blocks: it blocks everything
except for 2.3.4.5
so the second rule is irrelevant because packets from 2.3.4.5 get blocked at
the first rule.

> So the correct question is how to accomplish
>
> pass in quick on $netif from {$test1, $test2} to x.x.x.x
> block in quick on $netif from any to x.x.x.x
>
> with only 1 rule?

why do you want only 1 rule? isn't it clearer to use the two rules?

you might be able to do what you want with tables though, see the faq about
negation.
Re: double NOT in rules is not working as expected
On Fri, Apr 08, 2011 at 03:42:41PM +0300, Bojidara Marinchovska wrote:
> So the correct question is how to accomplish
>
> pass in quick on $netif from {$test1, $test2} to x.x.x.x
> block in quick on $netif from any to x.x.x.x
>
> with only 1 rule?

While negating a list never does what you want, negating a table does the
expected:

table <test> const { 1.2.3.4, 2.3.4.5 }
block from ! <test> to x.x.x.x

The rule matches any source except 1.2.3.4 and 2.3.4.5.

See http://www.openbsd.org/faq/pf/tables.html for more examples.

Daniel
Re: double NOT in rules is not working as expected
Hello, thank you

But what I want is to negate a list of (a list of tables, a list of macros, a
list of IPs), i.e. I want

table <a> const {1.2.3.4}
table <b> const {2.3.4.5}
table <c> const {3.4.5.6}

and

block from ! {<a>, <b>, <c>}

I explain it in detail in the last email.

On 04/08/11 16:39, Daniel Hartmeier wrote:
> On Fri, Apr 08, 2011 at 03:42:41PM +0300, Bojidara Marinchovska wrote:
>> So the correct question is how to accomplish
>>
>> pass in quick on $netif from {$test1, $test2} to x.x.x.x
>> block in quick on $netif from any to x.x.x.x
>>
>> with only 1 rule?
>
> While negating a list never does what you want, negating a table does the
> expected:
>
> table <test> const { 1.2.3.4, 2.3.4.5 }
> block from ! <test> to x.x.x.x
>
> The rule matches any source except 1.2.3.4 and 2.3.4.5.
>
> See http://www.openbsd.org/faq/pf/tables.html for more examples.
>
> Daniel
Re: double NOT in rules is not working as expected
On 04/08/11 16:11, Stuart Henderson wrote:
> On 2011/04/08 15:42, Bojidara Marinchovska wrote:
>> It is not wrong, but I cannot find if it is possible to use negation with
>> AND (something like block in quick from !{$a, $b, $c}), and yes, as it is
>> typed it will produce exactly the ruleset you wrote.
>>
>> So if the rules in the conf are defined separately (not interpreted as
>> subrules):
>>
>> block in quick on $netif from !$test1 to x.x.x.x
>> block in quick on $netif from !$test2 to x.x.x.x
>
> let's fill in the macros because they really don't help.
>
> block in quick on netif from !1.2.3.4 to x.x.x.x
> block in quick on netif from !2.3.4.5 to x.x.x.x
>
>> why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed by the
>> first rule? (rules are read from top to bottom)
>
> the first rule doesn't pass anything, it only blocks: it blocks everything
> except for 1.2.3.4
> so the only traffic which reaches the second rule is that from 1.2.3.4
>
> the second rule doesn't pass anything, it only blocks: it blocks everything
> except for 2.3.4.5
> so the second rule is irrelevant because packets from 2.3.4.5 get blocked at
> the first rule.
>
>> So the correct question is how to accomplish
>>
>> pass in quick on $netif from {$test1, $test2} to x.x.x.x
>> block in quick on $netif from any to x.x.x.x
>>
>> with only 1 rule?
>
> why do you want only 1 rule? isn't it clearer to use the two rules?
>
> you might be able to do what you want with tables though, see the faq about
> negation.

Hello,

Thank you, yes, my mistake about block, whole day looking at the 2 rules ...

As Claudio already wrote:
> The {foo, bar} notation results in an OR operation, so foo || bar. Now
> !foo || !bar with foo != bar is always true.

As I can define with 1 rule for example from { <tableA>, <tableB> }, I want
to be able to use also from ! { <tableA>, <tableB> }

Yes, it is clear ...

Yes, I wrote about negation in tables, there are enough examples of its
usage in the Book of PF, but it is not what I need (following KISS)

Anyway thank you all

I try to accomplish something which is correct to be done with no firewall
but with other software, and I try to use as simple as possible rules.

I have 2 types of lists with IPs which I put in tables (because these IPs
change often and I don't want to reload rules; it is easy to add just the
new IP address):

table <lista> persist file /somefile
table <listb> persist file /someotherfile

IPs from list A have to be able to access IPs A.A.A.A, B.B.B.B, C.C.C.C,
D.D.D.D and E.E.E.E for example (protocol, port)
IPs from list B have to be able to access for example only D.D.D.D and
E.E.E.E

# block access to A.A.A.A - C.C.C.C for all except listA
block in quick on $if inet proto protocol from ! <lista> to A.A.A.A... port ...

# here I wanted to be able to use something like this to allow listA and
# listB to access D.D.D.D and E.E.E.E
block in quick on $if inet proto protocol from ! { <lista>, <listb> } to D.D.D.D,... port ...

instead of using:

pass in quick on $if inet proto protocol from { <lista>, <listb> } to D.D.D.D ... port ...
block in quick on $if inet proto protocol from any to D.D.D.D ... port ...
Fwd: Re: double NOT in rules is not working as expected
Original Message
Subject: Re: double NOT in rules is not working as expected
Date: Fri, 08 Apr 2011 17:00:52 +0300
From: Bojidara Marinchovska quintesse...@bobi.gateit.net
To: Stuart Henderson s...@spacehopper.org
Re: Fwd: Re: double NOT in rules is not working as expected
I really think this violates your intended KISS principle, and you would be
a lot better off by simply making a file that contains /somefile and
/someotherfile, and loading all that into a 3rd table to be used when you
want both, eg.

table <listab> persist file /someotherotherfile
block in quick on $if from ! <listab> to D.D.D.D...

However, another way to get the effect you want is:

pass in on $if from <lista> tag LISTAB
pass in on $if from <listb> tag LISTAB
block in quick on $if inet from any to D.D.D.D ! tagged LISTAB

(you can use 'match' instead of 'pass' for the first 2 rules if you're using
a recent enough version of PF)

-Ryan

On Fri, Apr 08, 2011 at 06:39:47PM +0300, Bojidara Marinchovska wrote:
> Yes, I wrote about negation in tables, there are enough examples of its
> usage in the Book of PF, but it is not what I need (following KISS)
>
> Anyway thank you all
>
> I try to accomplish something which is correct to be done with no firewall
> but with other software, and I try to use as simple as possible rules.
>
> I have 2 types of lists with IPs which I put in tables (because these IPs
> change often and I don't want to reload rules; it is easy to add just the
> new IP address):
>
> table <lista> persist file /somefile
> table <listb> persist file /someotherfile
>
> IPs from list A have to be able to access IPs A.A.A.A, B.B.B.B, C.C.C.C,
> D.D.D.D and E.E.E.E for example (protocol, port)
> IPs from list B have to be able to access for example only D.D.D.D and
> E.E.E.E
>
> # block access to A.A.A.A - C.C.C.C for all except listA
> block in quick on $if inet proto protocol from ! <lista> to A.A.A.A... port ...
>
> # here I wanted to be able to use something like this to allow listA and
> # listB to access D.D.D.D and E.E.E.E
> block in quick on $if inet proto protocol from ! { <lista>, <listb> } to D.D.D.D,... port ...
>
> instead of using:
>
> pass in quick on $if inet proto protocol from { <lista>, <listb> } to D.D.D.D ... port ...
> block in quick on $if inet proto protocol from any to D.D.D.D ... port ...
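The three constructs argued over in this thread, as an added Python model that is not code from any of the posts or from PF itself: Claudio's point that {!a, !b} expands into two separately negated rules (so !a || !b blocks everything), Daniel's single negated table, and Ryan's tag-then-block variant. The evaluator only looks at the source address and assumes PF's last-match-wins-unless-quick evaluation and its default of passing a packet no rule matches; it does not parse pf.conf.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not code from the thread or from PF: a minimal model of PF
# source matching, list expansion, table negation and tagging.
@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: set[str] | str            # source addresses (macro value or table), or "any"
    negate: bool = False           # "from ! ..."
    quick: bool = False            # stop evaluation when this rule matches
    tag: str | None = None         # "tag X": mark the packet on match
    not_tagged: str | None = None  # "! tagged X": match only if X is absent

def expand_list(action: str, items: list[str], quick: bool = True) -> list[Rule]:
    # PF turns "from {a, b}" into one rule per item; a leading "!" stays on
    # its own item, so {!a, !b} becomes two separately negated rules.
    rules = []
    for item in items:
        neg = item.startswith("!")
        rules.append(Rule(action, {item.lstrip("! ")}, negate=neg, quick=quick))
    return rules

def evaluate(rules: list[Rule], src_ip: str) -> str:
    # Last matching rule wins unless a matching rule is quick. A packet that
    # matches no rule is passed (PF's default, assumed here).
    verdict, tags = "pass", set()
    for r in rules:
        if r.src != "any" and (src_ip in r.src) == r.negate:
            continue  # address test fails, or is negated away
        if r.not_tagged is not None and r.not_tagged in tags:
            continue  # "! tagged X" does not match a packet carrying X
        if r.tag:
            tags.add(r.tag)
        verdict = r.action
        if r.quick:
            break
    return verdict

SOURCES = ("1.2.3.4", "2.3.4.5", "9.9.9.9")  # constructed sample sources
def verdicts(rules: list[Rule]) -> dict[str, str]:
    return {ip: evaluate(rules, ip) for ip in SOURCES}

# block in quick from {!1.2.3.4, !2.3.4.5}: !a || !b is always true
LIST_NEGATION = expand_list("block", ["!1.2.3.4", "!2.3.4.5"])
# table <test> { 1.2.3.4, 2.3.4.5 } / block in quick from ! <test>: one negated set
TABLE_NEGATION = [Rule("block", {"1.2.3.4", "2.3.4.5"}, negate=True, quick=True)]
# pass in from <lista> tag LISTAB, same for <listb>, then block quick ! tagged LISTAB
TAGGED = [Rule("pass", {"1.2.3.4"}, tag="LISTAB"), Rule("pass", {"2.3.4.5"}, tag="LISTAB"),
          Rule("block", "any", quick=True, not_tagged="LISTAB")]
```

verdicts(LIST_NEGATION) blocks all three sources, while verdicts(TABLE_NEGATION) and verdicts(TAGGED) block only 9.9.9.9; the mixed list {!1.2.3.4, 2.3.4.5} from the first post behaves like {!1.2.3.4} alone.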