[nycbug-talk] PF question: Can I make a const table made up of lists

George Rosamond george at ceetonetechnology.com
Wed Mar 4 14:45:23 EST 2009


Mark Saad wrote:
> Hello All
> Here is my question: when using PF, can I create a const table made
> up of predefined lists?
> Here is my example; it does not work. I am using FreeBSD 7.1-RELEASE i386.
> 
> =============================
> 
> ext_if="bge0"
> int_if="bge1"
> 
> #My Netgroup lists
> NETGROUP_SJL  = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26 
> 10.131.146.132 }"
> NETGROUP_LON  = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }"
> NETGROUP_EWR  = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }"
> NETGROUP_HKG  = "{ 10.168.209.218 10.168.209.40 10.168.208.100 
> 10.168.209.192/28 }"
> NETGROUP_BACKUP = "{ 192.168.12.0/26 }"
> ISILON_SMQ = "{ 192.168.14.0/24 }"
> 
> table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR 
> $NETGROUP_HKG $NETGROUP_BACKUP }
> 
> # Do not filter lo
> set skip on {lo0}
> 
> # Normalize
> scrub in
> 
> # NAT the internal network to the outside world
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> 
> # Begin Firewall rules
> block in
> pass out
> 
> pass quick on $int_if no state
> antispoof quick for { lo $int_if }
> 
> pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to ($ext_if) 
> port 22
> 
> ===============================
> 
> 
> The issue is, when I test out the rules with pfctl -vnf /etc/pf.conf, I
> get the following error:
> 
> /etc/pf.conf:15: syntax error
> set skip on { lo0 }
> no IP address found for NETGROUP_ALL
> /etc/pf.conf:33: could not parse host specification
> %
> 
> Any ideas ?
> 

And I guess the question is, does pf support nested groups, since 
NETGROUP_ALL is a nested group (can't count lines :).

Which I believe it doesn't.

g
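Added example, not from either poster: the posted ruleset with the table syntax corrected, written out and syntax-checked from a POSIX shell script so the generation step also runs on a box without pf. Interface names and addresses are the ones from Mark's file; the output path is an assumption. The two things pfctl definitely rejects in the original are the table name without angle brackets on the table line (the "syntax error") and again in the pass rule, where a bare NETGROUP_ALL is read as a hostname to be resolved, which is what "no IP address found for NETGROUP_ALL" reports. Keeping each site macro as a flat string rather than a braced list means the table line contains exactly one list, so whether pf accepts nested lists does not matter here:

```shell
#!/bin/sh
# Added example, not from the thread: generate the posted pf.conf with the
# table syntax corrected, then syntax-check it the same way Mark did.
# Interfaces and addresses are copied from the posted file; the output path
# is whatever the caller passes in (assumption).

# Write the corrected ruleset to the path in $1.
write_pfconf() {
    # Quoted heredoc: the $MACRO references below are pf macros, so the
    # shell must not expand them.
    cat > "$1" <<'EOF'
ext_if="bge0"
int_if="bge1"

# Netgroup lists. Each macro is a flat, space-separated string with no
# braces of its own: pfctl expands $MACRO textually before parsing, so the
# single { ... } on the table line is the only list in play.
NETGROUP_SJL = "10.70.123.218 10.70.123.112/28 10.70.118.192/26 10.131.146.132"
NETGROUP_LON = "10.72.241.218 10.72.241.192/28 10.72.241.32/27"
NETGROUP_EWR = "10.27.64.218 10.106.131.0/24 10.27.64.212/30"
NETGROUP_HKG = "10.168.209.218 10.168.209.40 10.168.208.100 10.168.209.192/28"
NETGROUP_BACKUP = "192.168.12.0/26"

# Table names are always written in angle brackets, both where the table is
# defined and where a rule refers to it. A bare NETGROUP_ALL is taken to be
# a hostname, which is what produced "no IP address found for NETGROUP_ALL".
table <NETGROUP_ALL> const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR $NETGROUP_HKG $NETGROUP_BACKUP }

# Do not filter lo
set skip on { lo0 }

# Normalize
scrub in

# NAT the internal network to the outside world
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# Begin Firewall rules
block in
pass out

pass quick on $int_if no state
antispoof quick for { lo $int_if }

pass in quick on $ext_if inet proto tcp from <NETGROUP_ALL> to ($ext_if) port 22
EOF
}

# Syntax-check without loading (-n). Returns 0 if pfctl accepts the file,
# 2 if pfctl is not installed on this host, otherwise pfctl's own status.
check_pfconf() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not available on this host; skipping syntax check" >&2
        return 2
    fi
    pfctl -nf "$1"
}

# Count the addresses the table will receive: every whitespace-separated
# word inside the NETGROUP_* macro strings of the generated file.
count_table_members() {
    sed -n 's/^NETGROUP_[A-Z]* *= *"\(.*\)"$/\1/p' "$1" | wc -w | tr -d ' '
}

conf=${1:-$(mktemp)}
write_pfconf "$conf"
echo "wrote $conf with $(count_table_members "$conf") table members"
check_pfconf "$conf" || true
```

On the firewall, run it as `sh build_pf.sh /etc/pf.conf.new`, check with `pfctl -nf /etc/pf.conf.new` (or let `check_pfconf` do it), and after loading use `pfctl -t NETGROUP_ALL -T show` to list the members and confirm all five site lists made it in. Because the table is `const`, its members cannot be changed with `pfctl -T add/delete` afterwards; editing the macros and reloading the ruleset is the only way to change them, which is usually what you want for an SSH allow list.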


