Date:      Tue, 08 Feb 2005 22:16:09 -0500
From:      "solarflux.org/pf" <pf-r@solarflux.org>
To:        freebsd-pf@freebsd.org
Subject:   Re: Valid statement in pf.conf?
Message-ID:  <42098079.90104@solarflux.org>
In-Reply-To: <2063a95c0502081634488797f6@mail.gmail.com>
References:  <2063a95c0502081634488797f6@mail.gmail.com>

Doug Van Allen wrote:
> Is this valid:
> 
> pass  in  on $ext_if proto tcp from 151.103.xxx.xxx-151.103.xxx.xxx
> to $ext_if port 22 keep state
> 
> I used x's only to hide the other part of the ip address.  I need to
> let in a range of ip's like, 192.168.0.1-192.168.32.254.

No.  Are you trying to let in an entire subnet or a range of IPs that do 
not consist of an entire subnet?

If you want to let an entire subnet in, you can use, for example:

pass in on $ext_if proto tcp from 151.103.50.96/28 to $ext_if port 22 \
	keep state

This lets 151.103.50.96 - 151.103.50.111 pass (really .97-.110).


If you want to use a range that is not an entire subnet, you could use a 
macro with each IP listed:

sshallowed = "{ 151.103.50.98, 151.103.50.99, 151.103.50.100 }"

The pass rule would then be:

pass in on $ext_if proto tcp from $sshallowed to $ext_if port 22 \
	keep state


An alternative would be to use a table with each IP listed, either 
inclusive or in a separate file.  Inclusive example:

table <sshallowed> persist { 151.103.50.98, 151.103.50.99, \
	151.103.50.100 }

Pass rule:

pass in on $ext_if proto tcp from <sshallowed> to $ext_if port 22 \
	keep state


Separate file example:

table <sshallowed> persist file "/etc/pf.sshallowed"

The file /etc/pf.sshallowed would consist of all the IP addresses, but 
only one IP address per line:

151.103.50.98
151.103.50.99
151.103.50.100

Same pass rule as the inclusive example.

HTH

-S
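For the case the question actually asks about (a range such as 192.168.0.1-192.168.32.254 that is not a whole subnet), the table-file approach above still means listing every address by hand. The following added example, not part of the thread and not pf's own tooling, converts a first-last range into the minimal set of CIDR blocks a pf table file accepts, one per line; the function names and the sample range are mine.

```python
#!/usr/bin/env python3
"""Render an IP range as CIDR entries for a pf table file (standard library only)."""
import ipaddress
from typing import List


def range_to_cidrs(spec: str) -> List[str]:
    """Return the minimal CIDR blocks covering "first-last", or normalise a host/CIDR."""
    spec = spec.strip()
    if "-" in spec:
        first_s, last_s = (s.strip() for s in spec.split("-", 1))
        first = ipaddress.ip_address(first_s)
        last = ipaddress.ip_address(last_s)
        if first.version != last.version:
            raise ValueError(f"mixed address families in {spec!r}")
        if first > last:
            raise ValueError(f"range start is after range end in {spec!r}")
        # summarize_address_range yields the fewest blocks that exactly cover the range
        return [str(net) for net in ipaddress.summarize_address_range(first, last)]
    # Single host or CIDR; strict=False turns "10.0.0.5/24" into "10.0.0.0/24"
    return [str(ipaddress.ip_network(spec, strict=False))]


def build_table_file(specs: List[str]) -> str:
    """Build the body of a pf table file: one address or CIDR per line, deduplicated."""
    entries = set()
    for spec in specs:
        entries.update(range_to_cidrs(spec))
    # Sort by family then network so the file is stable across regenerations
    ordered = sorted(entries, key=lambda s: (ipaddress.ip_network(s).version,
                                              ipaddress.ip_network(s)))
    return "\n".join(ordered) + "\n"


if __name__ == "__main__":
    # Constructed input mirroring the range asked about in the thread
    print(build_table_file(["192.168.0.1-192.168.32.254"]), end="")
```

Write the output to /etc/pf.sshallowed and reload the table with `pfctl -t sshallowed -T replace -f /etc/pf.sshallowed`; the pass rule from the message stays unchanged.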
