From: "solarflux.org/pf"
Organization: pf-r
Date: Tue, 08 Feb 2005 22:16:09 -0500
To: freebsd-pf@freebsd.org
Subject: Re: Valid statement in pf.conf?
Message-ID: <42098079.90104@solarflux.org>
In-Reply-To: <2063a95c0502081634488797f6@mail.gmail.com>
References: <2063a95c0502081634488797f6@mail.gmail.com>
List-Id: Technical discussion and general questions about packet filter (pf)

Doug Van Allen wrote:
> Is this valid:
>
> pass in on $ext_if proto tcp from 151.103.xxx.xxx-151.103.xxx.xxx
> to $ext_if port 22 keep state
>
> I used x's only to hide the other part of the ip address. I need to
> let in a range of ip's like, 192.168.0.1-192.168.32.254.

No. Are you trying to let in an entire subnet or a range of IPs that do not consist of an entire subnet?

If you want to let an entire subnet in, you can use, for example:

    pass in on $ext_if proto tcp from 151.103.50.96/28 to $ext_if port 22 \
        keep state

This lets 151.103.50.96 - 151.103.50.111 pass (really .97-.110).

If you want to use a range that is not an entire subnet, you could use a macro with each IP listed:

    sshallowed = "{ 151.103.50.98, 151.103.50.99, 151.103.50.100 }"

The pass rule would then be:

    pass in on $ext_if proto tcp from $sshallowed to $ext_if port 22 \
        keep state

An alternative would be to use a table with each IP listed, either inclusive or in a separate file.

Inclusive example:

    table <sshallowed> persist { 151.103.50.98, 151.103.50.99, \
        151.103.50.100 }

Pass rule:

    pass in on $ext_if proto tcp from <sshallowed> to $ext_if port 22 \
        keep state

Separate file example:

    table <sshallowed> persist file "/etc/pf.sshallowed"

The file /etc/pf.sshallowed would consist of all the IP addresses, but only one IP address per line:

    151.103.50.98
    151.103.50.99
    151.103.50.100

Same pass rule as the inclusive example.

HTH
-S
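An added example, not part of the original thread: since a pf table file accepts CIDR entries one per line, a range that is not an aligned subnet (such as the 192.168.0.1-192.168.32.254 in the question) can be split into the minimal set of CIDR blocks and written out as the "table <name> persist file" input. The function names here are mine; the /28 case from the reply is used as a check.

```python
"""Turn an inclusive IP range into the CIDR entries a pf table file accepts."""
import ipaddress
from typing import List, Tuple


def range_to_cidrs(rng: str) -> List[str]:
    """'a-b' (inclusive, as written in the question) -> minimal CIDR list.

    An aligned block such as 151.103.50.96-151.103.50.111 collapses to one
    entry (151.103.50.96/28); an unaligned range yields several blocks that
    together cover exactly the requested addresses and nothing more.
    """
    lo_s, hi_s = (s.strip() for s in rng.split("-", 1))
    lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
    if hi < lo:
        raise ValueError(f"range end {hi} precedes start {lo}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def pf_table_file(entries: List[str]) -> str:
    """Render entries one per line, the layout described for /etc/pf.sshallowed."""
    return "".join(f"{e}\n" for e in entries)


def covered(entries: List[str]) -> int:
    """Total number of addresses the entries match; use it to sanity-check
    that a generated table is neither wider nor narrower than intended."""
    return sum(ipaddress.ip_network(e).num_addresses for e in entries)


def host_span(cidr: str) -> Tuple[str, str]:
    """First and last host address of a block (the '.97-.110' the reply
    mentions for 151.103.50.96/28), i.e. excluding network and broadcast."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    # Constructed input: the range from the question.
    cidrs = range_to_cidrs("192.168.0.1-192.168.32.254")
    print(f"{len(cidrs)} entries covering {covered(cidrs)} addresses")
    print(pf_table_file(cidrs), end="")
```

Load the resulting file with the same "table <sshallowed> persist file" line as in the reply; pfctl -t sshallowed -T show will list the entries it accepted.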