[nycbug-talk] PF question: Can I make a const table made up of lists
Jesse Callaway
bonsaime at gmail.com
Wed Mar 4 15:15:45 EST 2009
On Wed, Mar 4, 2009 at 3:01 PM, Mark Saad <nonesuch at bad-apples.org> wrote:
> Max Gribov wrote:
>> Mark Saad wrote:
>>> Hello All
>>> Here is my question; when using PF can I create a const table
>>> made up of predefined lists.
>>>
>>
>> table <somename> persist file "/etc/sometable"
>>
>> The sometable file would have one IP per line.
>>
>>
>>
> Could this also be done with a list of lists ?
>
> IE: NETGROUP_ALL = NETGROUP_SJL NETGROUP_LON NETGROUP_EWR NETGROUP_HKG
> NETGROUP_BACKUP
>
>>> Here is my example; it does not work. I am using FreeBSD 7.1-RELEASE
>>> i386.
>>>
>>> =============================
>>>
>>> ext_if="bge0"
>>> int_if="bge1"
>>>
>>> #My Netgroup lists
>>> NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 10.70.118.192/26
>>> 10.131.146.132 }"
>>> NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 10.72.241.32/27 }"
>>> NETGROUP_EWR = "{ 10.27.64.218 10.106.131.0/24 10.27.64.212/30 }"
>>> NETGROUP_HKG = "{ 10.168.209.218 10.168.209.40 10.168.208.100
>>> 10.168.209.192/28 }"
>>> NETGROUP_BACKUP = "{ 192.168.12.0/26 }"
>>> ISILON_SMQ = "{ 192.168.14.0/24 }"
>>>
>>> table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_EWR
>>> $NETGROUP_HKG $NETGROUP_BACKUP }
>>>
>>> # Do not filter lo
>>> set skip on {lo0}
>>>
>>> # Normalize
>>> scrub in
>>>
>>> # NAT the internal network to the outside world
>>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>>>
>>> # Begin Firewall rules
>>> block in
>>> pass out
>>>
>>> pass quick on $int_if no state
>>> antispoof quick for { lo $int_if }
>>>
>>> pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to
>>> ($ext_if) port 22
>>>
>>> ===============================
>>>
>>>
>>> The issue is when I test out the rules with pfctl -vnf /etc/pf.conf I
>>> get the following error
>>>
>>> /etc/pf.conf:15: syntax error
>>> set skip on { lo0 }
>>> no IP address found for NETGROUP_ALL
>>> /etc/pf.conf:33: could not parse host specification
>>> %
>>>
>>> Any ideas ?
>>>
>>>
>>
>
>
> --
> ]Mark Saad[
> mark at bad-apples.org
>
> () ascii ribbon campaign - against html e-mail
> /\ www.asciiribbon.org - against proprietary attachments
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>
Hi Mark,
Try this guy out.
pfctl -n -f /etc/pf.conf
If it works, then load up the ruleset and then have pfctl dump the
rules onto the screen. If NETGROUP_ALL looks like it should, then
success. If not, then it's back to the drawing board.
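As an added example that is not part of the thread or of pf itself, here is a small Python pre-flight linter for the pattern Mark is building: macros expanded into a `table`, and the table referenced from a rule. It checks, in one pass, the three things `pfctl -nf` would reject one at a time: a `table` line whose name is not in the angle brackets Max's `table <somename>` form uses, a `from`/`to` operand that is a bare word rather than a `$macro`, a `<table>` or an address (pf treats such a word as an interface or host name to look up), and table entries that are not literal addresses or networks. Macros that expand to brace lists inside the table's own braces are flattened before the entries are validated. The sample ruleset is constructed here from the addresses in the thread; the line numbers it reports are logical lines after comment stripping and `\` continuation, and it does not replace `pfctl -nf`.

```python
"""Pre-flight checks for a pf.conf that builds a table from macro lists.

Added example (not from the thread, not pf's own code). The sample
ruleset below is constructed from the addresses quoted in the thread.
"""
import ipaddress
import re

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')      # NAME = "value"
TABLE_DEF = re.compile(r'^table\s+(\S+)\s*(.*)$')            # table <name> ...
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')                  # $NAME
TOKEN = re.compile(r'[{}]|[^\s{}]+')                         # braces are tokens
KEYWORD_OPERANDS = {'any', 'self', 'no-route', 'urpf-failed'}


def logical_lines(text):
    """Strip '#' comments, join backslash-continued lines, drop blanks."""
    out, buf = [], ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        line = (buf + line).strip()
        buf = ''
        if line:
            out.append(line)
    return out


def expand(s, macros, problems):
    """Substitute $NAME textually (macros may nest) until nothing changes."""
    for _ in range(20):                      # bound the loop against cycles
        def sub(m):
            name = m.group(1)
            if name not in macros:
                problems.append(f'ERROR: macro ${name} is not defined')
                return ''
            return macros[name]
        new = MACRO_REF.sub(sub, s)
        if new == s:
            return s
        s = new
    problems.append('ERROR: macro expansion did not terminate (cycle?)')
    return s


def flatten_list(tokens):
    """Tokens start at '{'; return (leaf tokens, count consumed), nesting allowed."""
    depth, leaves = 0, []
    for i, t in enumerate(tokens):
        if t == '{':
            depth += 1
        elif t == '}':
            depth -= 1
            if depth == 0:
                return leaves, i + 1
        elif t != ',':
            leaves.append(t.rstrip(','))
    return leaves, len(tokens)               # unbalanced braces: take what we have


def is_address(tok):
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def check_operand(tok, tables, problems, where):
    """Validate one from/to operand of a rule."""
    tok = tok.lstrip('!')
    if tok in KEYWORD_OPERANDS or (tok.startswith('(') and tok.endswith(')')):
        return                               # keyword or (ifname): fine
    if tok.startswith('<') and tok.endswith('>'):
        if tok[1:-1] not in tables:
            problems.append(f'ERROR: {where}: table {tok} is not declared')
        return
    if is_address(tok):
        return
    if tok in tables:
        problems.append(f'ERROR: {where}: table {tok} referenced without '
                        f'angle brackets; write <{tok}>')
    else:
        problems.append(f'WARNING: {where}: {tok!r} is not an address, table '
                        f'or macro; pf would look it up as an interface or host name')


def lint_pf_conf(text):
    """Return a list of 'ERROR: ...' / 'WARNING: ...' strings (empty = clean)."""
    problems, macros, tables, rules = [], {}, {}, []
    for n, line in enumerate(logical_lines(text), 1):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = TABLE_DEF.match(line)
        if m:
            name = m.group(1)
            if name.startswith('<') and name.endswith('>'):
                name = name[1:-1]
            else:
                problems.append(f'ERROR: line {n}: table name must be in angle '
                                f'brackets: table <{name}> ...')
            tables[name] = line
            before = len(problems)
            toks = TOKEN.findall(expand(m.group(2), macros, problems))
            if len(problems) != before or 'file' in toks or '{' not in toks:
                continue                     # file-backed or unexpandable: skip entries
            for leaf in flatten_list(toks[toks.index('{'):])[0]:
                if not is_address(leaf.lstrip('!')):
                    problems.append(f'WARNING: line {n}: table <{name}> entry '
                                    f'{leaf!r} is not a literal address')
            continue
        rules.append((n, line))
    for n, rule in rules:
        before = len(problems)
        toks = TOKEN.findall(expand(rule, macros, problems))
        if len(problems) != before:
            continue                         # undefined macro already reported
        i = 0
        while i < len(toks):
            if toks[i] in ('from', 'to') and i + 1 < len(toks) \
                    and toks[i + 1] not in ('port', 'os'):
                if toks[i + 1] == '{':
                    leaves, used = flatten_list(toks[i + 1:])
                    for leaf in leaves:
                        check_operand(leaf, tables, problems, f'line {n}')
                    i += 1 + used
                else:
                    check_operand(toks[i + 1], tables, problems, f'line {n}')
                    i += 2
                continue
            i += 1
    return problems


# Constructed sample in the shape of the thread's ruleset (no angle brackets).
BROKEN = '''
ext_if="bge0"
int_if="bge1"
NETGROUP_SJL = "{ 10.70.123.218 10.70.123.112/28 }"
NETGROUP_LON = "{ 10.72.241.218 10.72.241.192/28 }"
NETGROUP_BACKUP = "{ 192.168.12.0/26 }"
table NETGROUP_ALL const { $NETGROUP_SJL $NETGROUP_LON $NETGROUP_BACKUP }
set skip on {lo0}
nat on $ext_if from !($ext_if) to any -> ($ext_if)
block in
pass out
pass in quick on $ext_if inet proto tcp from NETGROUP_ALL to ($ext_if) port 22
'''
# Same ruleset with the table declared and referenced as <NETGROUP_ALL>.
FIXED = BROKEN.replace('table NETGROUP_ALL', 'table <NETGROUP_ALL>') \
              .replace('from NETGROUP_ALL', 'from <NETGROUP_ALL>')

if __name__ == '__main__':
    for label, conf in (('broken', BROKEN), ('fixed', FIXED)):
        print(f'--- {label}')
        for p in lint_pf_conf(conf) or ['clean']:
            print(p)
```

Run it and the broken ruleset yields two errors, one for the `table NETGROUP_ALL` declaration and one for the bare `from NETGROUP_ALL`, while the fixed one is clean; after that, `pfctl -nf /etc/pf.conf` followed by `pfctl -t NETGROUP_ALL -T show` is still the authoritative check that the table contains what you expect.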