[nycbug-talk] PF question: Can I make a const table made up of lists

Mark Saad nonesuch at bad-apples.org
Wed Mar 4 15:01:24 EST 2009


Max Gribov wrote:
> Mark Saad wrote:
>> Hello All
>>    Here is my question: when using PF, can I create a const table 
>> made up of predefined lists?
>>   
>
> table <somename> persist file "/etc/sometable"
>
> sometable file would have one ip per line..
>
>
>
Could this also be done with a list of lists?

 I.e.: NETGROUP_ALL = NETGROUP_SJL NETGROUP_LON NETGROUP_EWR NETGROUP_HKG 
NETGROUP_BACKUP

>> Here is my example; it does not work. I am using FreeBSD 7.1-RELEASE 
>> i386.
>>
>> =============================
>>
>> ext_if="bge0"
>> int_if="bge1"
>>
>> #My Netgroup lists
>> NETGROUP_SJL  = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 
>> 10.131.146.132 }"
>> NETGROUP_LON  = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }"
>> NETGROUP_EWR  = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }"
>> NETGROUP_HKG  = "{ 10.168.209.218 10.168.209.40 10.168.208.100 
>> 10.168.209.192/28 }"
>> NETGROUP_BACKUP = "{ 192.168.12.0/26 }"
>> ISILON_SMQ = "{ 192.168.14.0/24 }"
>>
>> table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR 
>> $NETGROUP_HKG $NETGROUP_BACKUP }
>>
>> # Do not filter lo
>> set skip on {lo0}
>>
>> # Normalize
>> scrub in
>>
>> # NAT the internal network to the outside world
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>>
>> # Begin Firewall rules
>> block in
>> pass out
>>
>> pass quick on $int_if no state
>> antispoof quick for { lo $int_if }
>>
>> pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to 
>> ($ext_if) port 22
>>
>> ===============================
>>
>>
>> The issue is that when I test out the rules with pfctl -vnf /etc/pf.conf I 
>> get the following error:
>>
>> /etc/pf.conf:15: syntax error
>> set skip on { lo0 }
>> no IP address found for NETGROUP_ALL
>> /etc/pf.conf:33: could not parse host specification
>> %
>>
>> Any ideas?
>>
>>   
>


-- 
]Mark Saad[
mark at bad-apples.org

()  ascii ribbon campaign - against html e-mail 
/\  www.asciiribbon.org   - against proprietary attachments
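Added example, not part of the original thread: the posted ruleset with the two changes pfctl needs. A PF table name is written in angle brackets both where the table is declared and where a rule refers to it; a bare NETGROUP_ALL is parsed as a hostname to resolve, which is what "no IP address found for NETGROUP_ALL" reports. Macro values may reference other macros, so the list-of-lists macro asked about above works as well. The table name <netgroup_all> is my choice; the addresses are the ones from the post.

```pf
ext_if="bge0"
int_if="bge1"

# Netgroup lists, as in the original post
NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 10.131.146.132 }"
NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }"
NETGROUP_EWR = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }"
NETGROUP_HKG = "{ 10.168.209.218 10.168.209.40 10.168.208.100 10.168.209.192/28 }"
NETGROUP_BACKUP = "{ 192.168.12.0/26 }"

# A macro may reference other macros, so the "list of lists" is just one more
# macro. pfctl expands it textually into nested braces, which the pf.conf
# grammar accepts for host lists.
NETGROUP_ALL = "{ $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR $NETGROUP_HKG $NETGROUP_BACKUP }"

# Fix 1: a table name is always written in angle brackets when declared.
# "const" means the contents cannot be changed with pfctl -t ... once loaded.
table <netgroup_all> const { $NETGROUP_ALL }

# Do not filter lo
set skip on { lo0 }

# Normalize
scrub in

# NAT the internal network to the outside world
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# Begin Firewall rules
block in
pass out

pass quick on $int_if no state
antispoof quick for { lo $int_if }

# Fix 2: the same angle brackets at the point of use. Without them the word
# is treated as a hostname and pfctl tries to resolve it, hence the error
# "no IP address found for NETGROUP_ALL".
pass in quick on $ext_if inet proto tcp from <netgroup_all> to ($ext_if) port 22
```

pfctl -nf /etc/pf.conf parses the file without loading it; after loading, pfctl -t netgroup_all -T show lists the flattened addresses so the expansion can be checked against the five netgroups.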
