From: "Max Laier" <max@love2party.net>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: Whitelist IPs via pf 1.61
Date: Sat, 16 Aug 2003 05:06:18 +0200
Message-ID: <002201c363a3$5d01e450$01000001@max900>
References: <3F3D9534.6080802@qubix.ca>
List: pf4freebsd (archived to freebsd-pf@freebsd.org, Thu, 16 Sep 2004)

This can be done in various ways; the most powerful and yet easy way is to use a table:

>>> pf.conf <<<
table <surfers> persist file "/etc/port80.allow"

# block here

pass out on $ext_if from <surfers> to any port 80
>>> pf.conf <<<

This will read all the entries in /etc/port80.allow into the table as you load the ruleset.

You can add hosts or subnets temporarily by issuing:

#pfctl -t surfers -Tadd 65.192.5.1
or
#pfctl -t surfers -Tadd 66.192.5.0/24

You can even add negated entries, if you want to allow a whole subnet but one or two hosts:

#pfctl -t surfers -Tadd 65.192.6.0/24
#pfctl -t surfers -Tadd !65.192.6.13

will allow all hosts from 65.192.6.0/24 but disallow 65.192.6.13

The contents of the table can be viewed by:

#pfctl -t surfers -Tshow

More information at:
pfctl(8) http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8&manpath=OpenBSD+3.3
pf.conf(5) http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+3.3
And the pf-faq: http://www.openbsd.org/faq/pf/tables.html

> Hello. This is my first time posting to this mailing list, but it looks
> like I would probably get some good ideas/answers here. Anyway, I have
> a specific subnet (65.192.x.x) blocked from accessing port 80, but I
> want to "whitelist" (if that is the proper term) and have it be able to
> access port 80. So basically, I want the whole subnet blocked still,
> except if I can whitelist one IP to allow traffic to/from port 80 from
> it. Is this possible? I'm running pf 1.61 and FreeBSD 5.1-CURRENT
> (last rebuilt world on Aug. 15, 2003).
>
> Thanks
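A complete ruleset for the scenario in the quoted question, filling in the "# block here" placeholder from the reply above. This is an added example, not part of Max Laier's message or of the pf project's own documentation. The interface name fxp0, the 65.192.0.0/16 block, the inbound direction (the web server sits on the firewall itself), the file path and the whitelist entries are all assumptions; the addresses are the ones used in the thread.

```pf
# /etc/pf.conf  (added example; $ext_if, the /16 and the file path are assumed)
ext_if = "fxp0"

# Whitelist loaded from a file when the ruleset is loaded. "persist" keeps the
# table in the kernel even while no rule references it, so "pfctl -T add"
# can be used against it at any time.
table <surfers> persist file "/etc/port80.allow"

# Default deny for inbound traffic on the external interface.
block in on $ext_if all

# Keep the whole subnet away from the web server. No "quick" here: a quick
# rule would end evaluation and the pass rule below could never win.
block in on $ext_if proto tcp from 65.192.0.0/16 to any port 80

# Rule order matters: pf applies the LAST matching rule, so the pass for
# whitelisted hosts must come after the block for the subnet.
pass in on $ext_if proto tcp from <surfers> to any port 80 keep state

# /etc/port80.allow, one address or network per line (assumed contents):
#   65.192.5.1
#   65.192.6.0/24
#   !65.192.6.13
# The "!" entry excludes that host although its /24 is listed; the most
# specific entry decides, exactly as with "pfctl -T add !65.192.6.13".

# Check the syntax without touching the running ruleset, then load it:
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#
# Caveat: addresses added with "pfctl -t surfers -T add ..." live only in the
# kernel. The next "pfctl -f" re-populates the table from the file, so an
# entry that should survive a reload must also be written to the file, or be
# pushed into both places at once with
#   pfctl -t surfers -T replace -f /etc/port80.allow
```

Verify the result before trusting it: `pfctl -t surfers -T show` lists what is in the table, and `pfctl -t surfers -T test 65.192.6.13` reports whether a given address currently matches (a negated entry shows up as not matching).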