[nycbug-talk] PF question: Can I make a const table made up of lists
Mark Saad
nonesuch at bad-apples.org
Wed Mar 4 14:18:43 EST 2009
Hello All
Here is my question: when using PF, can I create a const table made
up of predefined lists?
Here is my example; it does not work. I am using FreeBSD 7.1-RELEASE i386.
=============================
ext_if="bge0"
int_if="bge1"
#My Netgroup lists
NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 10.131.146.132 }"
NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }"
NETGROUP_EWR = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }"
NETGROUP_HKG = "{ 10.168.209.218 10.168.209.40 10.168.208.100 10.168.209.192/28 }"
NETGROUP_BACKUP = "{ 192.168.12.0/26 }"
ISILON_SMQ = "{ 192.168.14.0/24 }"
table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR $NETGROUP_HKG $NETGROUP_BACKUP }
# Do not filter lo
set skip on {lo0}
# Normalize
scrub in
# NAT the internal network to the outside world
nat on $ext_if from !($ext_if) to any -> ($ext_if)
# Begin Firewall rules
block in
pass out
pass quick on $int_if no state
antispoof quick for { lo $int_if }
pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to ($ext_if) port 22
===============================
The issue is that when I test the rules with pfctl -vnf /etc/pf.conf, I
get the following error:
/etc/pf.conf:15: syntax error
set skip on { lo0 }
no IP address found for NETGROUP_ALL
/etc/pf.conf:33: could not parse host specification
%
Any ideas?
--
]Mark Saad[
mark at bad-apples.org
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
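The rule set below is an added, corrected version of the configuration in the post; it is not part of Mark's message. Both errors come from the same thing: pf table names must be written in angle brackets, in the `table` definition and at every reference. `table NETGROUP_ALL ...` without `<>` is a syntax error, and a bare `NETGROUP_ALL` in the `pass` rule is treated as a hostname to resolve, which is what "no IP address found for NETGROUP_ALL" means. Building the table from macros that expand to brace-lists is fine, because pf accepts nested lists. Interface names and addresses are the ones from the post.

```pf
ext_if="bge0"
int_if="bge1"

# Netgroup lists as posted. Each macro expands to its own brace-list.
NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 10.131.146.132 }"
NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }"
NETGROUP_EWR = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }"
NETGROUP_HKG = "{ 10.168.209.218 10.168.209.40 10.168.208.100 10.168.209.192/28 }"
NETGROUP_BACKUP = "{ 192.168.12.0/26 }"
ISILON_SMQ = "{ 192.168.14.0/24 }"

# Table names are always written in <angle brackets>. The braces inside each
# macro nest inside the table's braces; pf allows nested lists, and newlines
# are permitted between list members.
table <NETGROUP_ALL> const {
    $NETGROUP_SJL
    $NETGROUP_LON
    $NETGROUP_EWR
    $NETGROUP_HKG
    $NETGROUP_BACKUP
}

# Do not filter lo
set skip on { lo0 }
# Normalize
scrub in
# NAT the internal network to the outside world
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# Begin firewall rules
block in
pass out
pass quick on $int_if no state
antispoof quick for { lo $int_if }

# The reference also needs angle brackets; a bare word here is a hostname.
pass in quick on $ext_if inet proto tcp from <NETGROUP_ALL> to ($ext_if) port 22
```

Check it with `pfctl -vnf /etc/pf.conf`, which parses without loading and echoes the expanded table and rules, then after `pfctl -f /etc/pf.conf` list the members with `pfctl -t NETGROUP_ALL -T show`. Because the table is `const`, `pfctl -t NETGROUP_ALL -T add ...` (and `-T delete`) is refused; membership changes only by editing the macros and reloading the rule set, which is the right property for an SSH allow-list you do not want altered at runtime. Note that `ISILON_SMQ` is defined but, as in the post, not referenced anywhere.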