From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 13:20:43 2005
Date: Mon, 11 Apr 2005 13:20:36 +0000
From: Sergey Lyubka
To: freebsd-pf@freebsd.org
Subject: pf + bridge
Message-ID: <72c3a957050411062060eea5cc@mail.gmail.com>
List-Id: Technical discussion and general questions about packet filter (pf)

Hi. I am trying to build a transparent filtering box.
Box is running freebsd 5.4, pf and bridge, this is the setup:

        in
        |
        | em0, 0.0.0.0
     -----
     |   |
     |   |
     |   |
     -----
        |
        | em1, 10.0.0.1

Bridge config:

sysctl net.link.ether.bridge.enable=1
sysctl net.link.ether.bridge_ipf=1
sysctl net.link.ether.bridge.config=em0,em1

PF config:

int="em0"
ext="em1"
rdr on $int inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080

So, pf redirects http traffic to a web proxy. The IP address on em1 is
needed so the proxy can do web requests by itself.

The problem with that setup is that I can see no packets redirected.
Any points?

Thanks,
Sergey

From owner-freebsd-pf@FreeBSD.ORG Tue Apr 12 07:51:58 2005
Date: Tue, 12 Apr 2005 09:51:56 +0200
From: stephen
To: pf@benzedrine.cx, freebsd-pf@freebsd.org
Subject: pflog and traffic via gif_if
Hi,

I'm not sure what I'm not doing wrong, but I can't seem to send any
traffic via gif3 ($gif_if).. The rule I have in place is a working rule
from a previous conf, but in my wisdom in rewriting the conf from scratch
yesterday I managed to overwrite the previous conf. The only different
thing I had which may have come into play was a pass out all on ext_if
rule which I no longer want.

I tried having a look at pflog0 with tcpdump, but it doesn't seem to show
any traffic at all, never mind just the blocked traffic (I would like to
know if there is a way to log all? all examples I've seen online say
'block log all'). I made sure I did 'ifconfig pflog0 up' before
attempting to run tcpdump on it.

/etc/pf.conf:

##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"

-list of ports/hosts here-

##### aliases
bi = "block in"
bo = "block out"
bq = "block quick"
biq = "block in quick"
boq = "block out quick"
bd = "block drop"
pi = "pass in"
po = "pass out"
pq = "pass quick"
piq = "pass in quick"
poq = "pass out quick"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
l = "label"
int_net = "{" $int_if:network "}"

##### behavior options
set block-policy return
set loginterface $ext_if

##### scrub
scrub in all

##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0

#$bd in on $ext_if from $priv_nets to any
#$bd out on $ext_if from any to $priv_nets

#####filter rules
###default block and log all
block log all
#$pi inet proto icmp all icmp-type $icmp_types $ks
#$po inet proto icmp all icmp-type $icmp_types $ks
$pq on lo0 all

###filter rules for $int_if inbound
$bi on $int_if all
$pi on $int_if inet proto tcp from any to $int_if port 2222 $ks
$pi on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
$pi on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks $l "http : $srcaddr "
$pi on $int_if proto tcp from $soh to any port 443 flags S/SA $ks $l "ssl : $srcaddr "
$pi on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
$pi on $int_if proto tcp from $soh to $int_if port 25 $ks $l "smtp : $srcaddr "
$pi on $int_if proto tcp from $soh to $int_if port 110 $ks $l "pop3 : $srcaddr "
$pi on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks
$pi on $int_if proto tcp from $sh to any port { 6667,6668,7000 } $ks

###filter rules for $int_if outbound
$bo on $int_if all
$po on $int_if inet proto tcp from $int_if to $int_net port 20 $ks

###filter rules for $ext_if inbound
$bi on $ext_if all
$pi on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks

###filter rules for $ext_if outbound
$bo on $ext_if all
$po on $ext_if from any to $dns $ks
$po on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks $l "total smtp (storm) : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks $l "total pop3 (storm) : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks $l "total smtp (saix) : "
$po on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks $l "total http : "
$po on $ext_if inet proto tcp from ($ext_if) to any port { 6667,6668,7000 } $ks

$pi inet proto icmp all icmp-type $icmp_types $ks
$po inet proto icmp all icmp-type $icmp_types $ks

###filter to pass all tunnel traffic
$pi on $gif_if all
$po on $gif_if all
-eof-

I also added a rule:

$po on $ext_if from ($ext_if) to $gif_if $ks

as well as

$po on $ext_if from ($ext_if) to 10.0.89.0/24 $ks

but neither seem to help much... (they shouldn't be necessary because I
said pass in/out all on $gif??)

It would be a lot easier if I could decipher what is going on via pflog0,
but when I do:

tcpdump -n -e -ttt -vv -i pflog0

all I get is:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

What confuses me is that even though I have a specific pass in/out rule
for icmp, a pass out rule after that for $gif_if, and no rules after that
(so there are no more block matches)... I still can't ping or send/recv
traffic via $gif_if to 10.0.89.0 but can ping other hosts:

Tue Apr 12 09:31:45 root@bollox:~# ping -c 3 www.iol.co.za
PING www.iol.co.za (196.30.168.79): 56 data bytes
64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=45.315 ms
64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=47.876 ms
64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=54.126 ms

--- www.iol.co.za ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 45.315/49.106/54.126/3.701 ms

Tue Apr 12 09:31:59 root@bollox:~# ifconfig gif3
gif3: flags=8051 mtu 1280
        tunnel inet x.x.y.123 --> x.x.z.96
        inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
        inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7

Tue Apr 12 09:32:08 root@bollox:~# ping -c 3 10.0.89.254
PING 10.0.89.254 (10.0.89.254): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted

--- 10.0.89.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

I may be doing something stupid in either of the two problems, but
perhaps a look from someone else will spot something I have not noticed..

Thanks in advance,

Stephen.
From owner-freebsd-pf@FreeBSD.ORG Wed Apr 13 16:06:22 2005
Date: Wed, 13 Apr 2005 18:06:10 +0200
From: stephen
To: pf@benzedrine.cx, freebsd-pf@freebsd.org
Subject: Re: pflog and traffic via gif_if

Hi again,

After some pondering over my problem re: gif traffic not being able to
be sent/received, I've concluded that because gif is tunneled via tun0
(my $ext_if), I need to somehow permit gif traffic via $ext_if. I've
tried a couple of things but neither seem to help.

The local network address is 10.0.88.0 and the other end of tunnel is 10.0.89.0
Local side of tunnel is 10.0.88.254 and remote end is 10.0.89.254 as
shown below:

Wed Apr 13 16:53:19 root@bollox:~# ifconfig gif3
gif3: flags=8051 mtu 1280
        tunnel inet x.x.y.199 --> x.x.z.214
        inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
        inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7

I've pasted my pf.conf again, and cleaned it up a bit by replacing all
the variables I made with what they stand for (ie: '$po' become 'pass
out')

/etc/pf.conf:

##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"

-hosts here-

##### aliases
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
int_net = "{" $int_if:network "}"

##### behavior options
set block-policy return
set loginterface $ext_if

##### scrub
scrub in all

##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0

block drop in on $ext_if from $priv_nets to any
block drop out on $ext_if from any to $priv_nets

#####filter rules
###default block and log all
block log all
#pass in inet proto icmp all icmp-type $icmp_types $ks
#pass out inet proto icmp all icmp-type $icmp_types $ks
pass quick on lo0 all

###filter rules for $int_if inbound
$bi on $int_if all
pass in on $int_if inet proto tcp from any to $int_if port 2222 $ks
pass in on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
pass in on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks
pass in on $int_if proto tcp from $soh to any port 443 flags S/SA $ks
pass in on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
pass in on $int_if proto tcp from $soh to $int_if port 25 $ks
pass in on $int_if proto tcp from $soh to $int_if port 110 $ks

pass in on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks

###filter rules for $int_if outbound
block out on $int_if all
pass out on $int_if inet proto tcp from $int_if to $int_net port 20 $ks

###filter rules for $ext_if inbound
block in on $ext_if all
pass in on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
pass in on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks

###filter rules for $ext_if outbound
block in on $ext_if all
pass out on $ext_if from any to $dns $ks
pass out on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks

pass in inet proto icmp all icmp-type $icmp_types $ks
pass out inet proto icmp all icmp-type $icmp_types $ks

###filter to pass all tunnel traffic
pass in on $gif_if all
pass out on $gif_if all

I've had to specify the ports/ hosts separately for labelling purposes
in case anyone wonders why I've written it how I have.

I'm also struggling to get pflog to show anything (I want it to show
everything, not just the blocked traffic, would this imply having
'log' in every rule I have?)... left it running for a while and it
showed nothing, even with myself purposely trying to connect to
blocked ports (and of course trying to ping via my gif iface)

Thanks in advance,

Stephen

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 13 19:47:54 2005
Date: Wed, 13 Apr 2005 22:47:48 +0300
From: Vlad GALU
To: freebsd-pf@freebsd.org
Subject: Re: pflog and traffic via gif_if
Message-ID: <79722fad05041312472ac3a460@mail.gmail.com>

On 4/13/05, stephen wrote:
> Hi
> again,
>
> After some pondering over my problem re: gif traffic not being able to
> be sent/received, I've concluded that because gif is tunneled via tun0
> (my $ext_if), I need to somehow permit gif traffic via $ext_if. I've
> tried a couple of things but neither seem to help.
>
> The local network address is 10.0.88.0 and the other end of tunnel is 10.0.89.0
> Local side of tunnel is 10.0.88.254 and remote end is 10.0.89.254 as
> shown below:
>
> Wed Apr 13 16:53:19 root@bollox:~# ifconfig gif3
> gif3: flags=8051 mtu 1280
>         tunnel inet x.x.y.199 --> x.x.z.214
>         inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
>         inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7
>
> I've pasted my pf.conf again, and cleaned it up a bit by replacing all
> the variables I made with what they stand for (ie: '$po' become 'pass
> out')
>
> /etc/pf.conf:
>
> ##### macros
> int_if = "rl0"
> ext_if = "tun0"
> gif_if = "gif3"
> icmp_types = "echoreq"
>
> -hosts here-
>
> ##### aliases
> ks = "keep state"
> ms = "modulate state"
> ss = "synproxy state"
> int_net = "{" $int_if:network "}"
>
> ##### behavior options
> set block-policy return
> set loginterface $ext_if
>
> ##### scrub
> scrub in all
>
> ##### nat/rdr
> nat on $ext_if from $int_net to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
>
> ##### anti spoofing protection
> #antispoof quick for $int_if inet
> #antispoof quick for $ext_if inet
> #antispoof quick for lo0
>
> block drop in on $ext_if from $priv_nets to any
> block drop out on $ext_if from any to $priv_nets
>
> #####filter rules
> ###default block and log all
> block log all
> #pass in inet proto icmp all icmp-type $icmp_types $ks
> #pass out inet proto icmp all icmp-type $icmp_types $ks
> pass quick on lo0 all
>
> ###filter rules for $int_if inbound
> $bi on $int_if all
> pass in on $int_if inet proto tcp from any to $int_if port 2222 $ks
> pass in on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
> pass in on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks
> pass in on $int_if proto tcp from $soh to any port 443 flags S/SA $ks
> pass in on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
> pass in on $int_if proto tcp from $soh to $int_if port 25 $ks
> pass in on $int_if proto tcp from $soh to $int_if port 110 $ks
>
> pass in on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks
>
> ###filter rules for $int_if outbound
> block out on $int_if all
> pass out on $int_if inet proto tcp from $int_if to $int_net port 20 $ks
>
> ###filter rules for $ext_if inbound
> block in on $ext_if all
> pass in on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
> pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
> pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
> pass in on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks
>
> ###filter rules for $ext_if outbound
> block in on $ext_if all
> pass out on $ext_if from any to $dns $ks
> pass out on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
> pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
> pass out on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
> pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks
> pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks
> pass out on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks
> pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks
>
> pass in inet proto icmp all icmp-type $icmp_types $ks
> pass out inet proto icmp all icmp-type $icmp_types $ks
>
> ###filter to pass all tunnel traffic
> pass in on $gif_if all
> pass out on $gif_if all
>
> I've had to specify the ports/ hosts separately for labelling purposes
> in case anyone wonders why I've written it how I have.
>
> I'm also struggling to get pflog to show anything (I want it to show
> everything, not just the blocked traffic, would this imply having
> 'log' in every rule I have?)... left it running for a while and it
> showed nothing, even with myself purposely trying to connect to
> blocked ports (and of course trying to ping via my gif iface)
>

You're not allowing any ipencap traffic on your tun interface. One
more thing: you have "block in on $ext_if all" twice.

> Thanks in advance,
>
> Stephen
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 13 20:30:19 2005
Date: Wed, 13 Apr 2005 22:30:16 +0200
From: stephen
To: Vlad GALU
cc: freebsd-pf@freebsd.org
Subject: Re: pflog and traffic via gif_if
In-Reply-To: <79722fad05041312472ac3a460@mail.gmail.com>

On 4/13/05, Vlad GALU wrote:
> On 4/13/05, stephen wrote:
> You're not allowing any ipencap traffic on your tun interface. One
> more thing: you have "block in on $ext_if all" twice.
>

Ah yeah... I do have it correct in my pf.conf, it was because I was
replacing all the variables back to what they should be.. must've lost
concentration as I was sending this mail just as my ride home arrived.

Can you tell me more about allowing ipencap please?
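Both symptoms in this thread (a default "block log all" that never shows anything on pflog0, and the ping over gif3 failing with "sendto: Operation not permitted" until, as Vlad says, ipencap is passed on the tun interface) follow from how pf picks a rule: the last matching rule wins unless a matching rule says "quick", only the winning rule's "log" flag counts, and a packet no rule matches is passed. The model below is an added example for this page, not code from the thread or from pf itself. It models direction, interface and protocol only (addresses, ports, flags and "keep state" are parsed past and ignored), the rule subset is transcribed from the posted pf.conf with the macros expanded (int_if=rl0, ext_if=tun0, gif_if=gif3), and "em0" is a made-up interface used to show when "block log all" does fire.

```python
"""Toy model of pf rule evaluation: last matching rule wins unless 'quick';
the winning rule alone decides the verdict and whether pflog sees it."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol names as in /etc/protocols; gif(4) carries IP-in-IP, "ipencap" = 4.
PROTO_NUMBERS = {"icmp": 1, "ipencap": 4, "tcp": 6, "udp": 17}


@dataclass
class Packet:
    direction: str      # "in" or "out"
    iface: str          # interface the packet is seen on
    proto: str          # name from PROTO_NUMBERS


@dataclass
class Rule:
    text: str
    action: str                         # "block" or "pass"
    log: bool = False
    quick: bool = False
    direction: Optional[str] = None     # None = both directions
    iface: Optional[str] = None         # None = any interface
    proto: Optional[str] = None         # None = any protocol

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.proto is None
                     or PROTO_NUMBERS[self.proto] == PROTO_NUMBERS[pkt.proto]))


# After these keywords only address/port/state options follow; not modelled.
_STOP = {"all", "from", "to", "port", "icmp-type", "flags",
         "keep", "modulate", "synproxy", "label"}


def parse_rule(text: str) -> Rule:
    """Parse the subset of pf.conf filter syntax used in the thread."""
    toks = text.split()
    rule = Rule(text=text, action=toks[0])
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in _STOP:
            break
        if tok == "log":
            rule.log = True
        elif tok == "quick":
            rule.quick = True
        elif tok in ("in", "out"):
            rule.direction = tok
        elif tok == "on":
            i += 1
            rule.iface = toks[i]
        elif tok == "proto":
            i += 1
            rule.proto = toks[i]
        # "drop", "return" and "inet" carry nothing this model needs
        i += 1
    return rule


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, Optional[str]]:
    """Return (action, logged, winning rule text). The last matching rule
    wins unless a matching rule is 'quick'; no match at all means pass."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return ("pass", False, None)
    return (winner.action, winner.log, winner.text)


# Subset of the ruleset posted above, macros expanded; rules that differ
# only in ports are left out because ports are not modelled.
POSTED_RULES = [
    "block log all",
    "pass quick on lo0 all",
    "block in on rl0 all",
    "pass in on rl0 proto tcp from 10.0.88.0/24 to any port 53 keep state",
    "block out on rl0 all",
    "block in on tun0 all",
    "pass in on tun0 inet proto tcp from any to (tun0) port 25 keep state",
    "block out on tun0 all",
    "pass out on tun0 inet proto tcp from (tun0) to any port 80 keep state",
    "pass in inet proto icmp all icmp-type echoreq keep state",
    "pass out inet proto icmp all icmp-type echoreq keep state",
    "pass in on gif3 all",
    "pass out on gif3 all",
]

# The two rules Stephen added after Vlad's hint.
IPENCAP_RULES = [
    "pass in on tun0 inet proto ipencap from any to any keep state",
    "pass out on tun0 inet proto ipencap from any to any keep state",
]


def trace_gif_ping(rule_texts: List[str]):
    """pf sees an echo request to the far end of gif3 twice: as ICMP leaving
    gif3, then as the IP-in-IP packet gif builds, leaving tun0.  Return the
    verdict at each stage as (stage, (action, logged, rule))."""
    rules = [parse_rule(t) for t in rule_texts]
    stages = [("gif3", Packet("out", "gif3", "icmp")),
              ("tun0", Packet("out", "tun0", "ipencap"))]
    return [(name, evaluate(rules, pkt)) for name, pkt in stages]


if __name__ == "__main__":
    for label, rules in (("as posted", POSTED_RULES),
                         ("with ipencap", POSTED_RULES + IPENCAP_RULES)):
        for stage, (action, logged, text) in trace_gif_ping(rules):
            print(f"{label:13} {stage}: {action:5} log={logged!s:5} by: {text}")
```

Run as posted, the encapsulated packet leaving tun0 is decided by "block out on tun0 all", which has no "log", so the ping fails and pflog0 stays empty; "block log all" only ever wins on an interface that no later per-interface block rule covers. Appending the ipencap pass rule makes that later rule the winner, which matches what Stephen reports next. Real pf also matches addresses and ports and lets "keep state" short-circuit rule evaluation for replies, none of which this model includes.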
From owner-freebsd-pf@FreeBSD.ORG Thu Apr 14 00:02:25 2005
Date: Wed, 13 Apr 2005 19:06:16 -0500
From: Matthew Grooms
Organization: Seton Healthcare Network
To: freebsd-pf@freebsd.org
Subject: pf rule macro help ...
Message-ID: <425DB3F8.1070101@seton.org>

Hello all,

I am migrating a largish ruleset from checkpoint to freebsd/pf and am
having a problem trying to write some nested macros. The example from
the pf website that nests macros seems to work fine ...

host1 = "192.168.1.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"

... but if I try to nest two macros that define networks ...

net1 = "192.168.1.0/24"
net2 = "192.168.2.0/24"
all_nets = "{" $net1 "," $net2 "}"

... I always get a syntax error on the "all_nets =" line. What am I
doing wrong here?

----- warning, wishful thinking below -----

Also, are there any plans to support nested tables or is there some
technical argument against it. Life would be so much easier when trying
to organize large groups of networks and hosts. ie ...

# Office one networks
table { 10.1.1.0/24, 10.2.1.0/24, etc ... }

# Office two networks
table { 10.3.1.0/24, 10.4.1.0/24, etc ... }

# all internal networks
table { , }

# anti spoof
block drop in log quick on $ext_if from to any

Writing a small rule set is simple in pf.conf but trying to write a
larger script that is easy to read and self documented is kind of
difficult. You have to write all comments before or after a multi-line
table or macro because of the esc char. ie ...

# mail servers 1 - 2
# web servers 1 - 4
# ftp servers 1 - 4
etc ...
table { \
10.1.1.1, 10.1.1.2, \
10.1.1.3, 10.1.1.4, 10.1.1.5, 10.1.1.6, \
10.1.1.7, 10.1.1.8, 10.1.1.9, 10.1.1.10, \
etc ... }

I know you can use dns names and have pf resolve them at load time
which does make things a bit easier to read. But then you have to
worry about losing connectivity with your dns server when you need to
reload rules.

IMHO, it would have been better if pfctl acted more like a c parser
where you have a terminating char so that inline comments could be
used and escapes would be unnecessary. ie ...

table {
10.1.1.1,  # mail1.blah.org
10.1.1.2,  # mail2.blah.org
10.1.1.3,  # web1.blah.org
10.1.1.4,  # web2.blah.org
10.1.1.5,  # web3.blah.org
10.1.1.6,  # web4.blah.org
10.1.1.7,  # ftp1.blah.org
10.1.1.8,  # ftp2.blah.org
10.1.1.9,  # ftp3.blah.org
10.1.1.10, # ftp4.blah.org
etc ... };

# make sure I can manage my dmz hosts
pass quick proto tcp from $admin to port ssh;

-Matthew

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 14 07:47:08 2005
Date: Thu, 14 Apr 2005 09:47:07 +0200
From: stephen
To: Vlad GALU
In-Reply-To: <79722fad0504131316236b50f5@mail.gmail.com>
<79722fad05041312472ac3a460@mail.gmail.com> <79722fad0504131316236b50f5@mail.gmail.com> cc: freebsd-pf@freebsd.org Subject: Re: pflog and traffic via gif_if X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: stephen List-Id: Technical discussion and general questions about packet filter (pf) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Apr 2005 07:47:08 -0000 On 4/13/05, Vlad GALU wrote: > On 4/13/05, stephen wrote: > > On 4/13/05, Vlad GALU wrote: > > > On 4/13/05, stephen wrote: > > > You're not allowing any ipencap traffic on your tun interface. One > > > more thing: you have "block in on $ext_if all" twice. > > > > > > > Ah yeah... I do have it correct in my pf.conf, it was because i was > > replacing all the variables back to what they should be.. must've lost > > concentration as I was sending this mail just as my ride home arrived. > > > > Can you tell me more about allowing ipencap please? > > > gif interfaces use an encapsulation named "ipencap" (grep ipencap > /etc/protocols, you'll see it mentioned there). All you have to do is > to permit that type of protocol to flow in and out your tun interface. > this should do it. ok, we're making progress! I added the rules: pass in on $ext_if inet proto ipencap from any to any keep state pass out on $ext_if inet proto ipencap from any to any keep state I dont think I'd need the keep state as I'm passing all in and out, but through it in there anyway.. 
    Thu Apr 14 09:37:23 root@bollox:/home/stephen# ping -c 3 10.0.89.254
    PING 10.0.89.254 (10.0.89.254): 56 data bytes

    --- 10.0.89.254 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

    Thu Apr 14 09:37:47 root@bollox:/home/stephen# ping -c 3 www.iol.co.za
    PING www.iol.co.za (196.30.168.79): 56 data bytes
    64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=48.192 ms
    64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=46.719 ms
    64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=49.637 ms

    --- www.iol.co.za ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 46.719/48.183/49.637/1.191 ms

I've now gone from 'operation not permitted' to no ping response when pinging 10.0.89.254 (end point of tunnel). Doesn't look like an ICMP issue as I can ping www.iol.co.za via tun0 w/o a problem.

Perhaps I should stop looking at this problem and try to rectify my pflog problem, as I'm sure it'll help tell me what to look at rather than posting step by step =] (although I'm hoping one day this'll help someone else, 'cause it had me baffled for a while and I couldn't find anything on the web).

Thanks for help thus far =]

Stephen

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 14 10:17:14 2005
From: "Edwin L. Culp"
To: freebsd-pf@freebsd.org
Date: Thu, 14 Apr 2005 05:17:10 -0500
Subject: Re: pflog and traffic via gif_if

Quoting stephen:
> I've now gone from 'operation not permitted' to no ping response when
> pinging 10.0.89.254 (end point of tunnel). doesn't look like an icmp
> issue as I can ping www.iol.co.za via tun0 w/o a problem.

Just wondering if this could have something to do with what you are seeing:

    The gif device does not translate ICMP messages for the outer header into the inner header.

From the gif man page.
I've never used gif so this is a learning opportunity ;)

Good luck,

ed

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 15 15:08:05 2005
From: Matthew Grooms
Organization: Seton Healthcare Network
To: McLone
Cc: freebsd-pf@freebsd.org
Date: Fri, 15 Apr 2005 10:12:21 -0500
Subject: Re: pf rule macro help ...

Thanks for the response. I can use the macros that contain host addresses or host names. The problem occurs when I use a '/' in a macro and then nest it inside another macro like so ...

    net1 = "192.168.1.0/24"
    net2 = "192.168.2.0/24"
    all_nets = "{" $net1 $net2 "}"
    pass from $all_nets to any

It always causes a syntax error. The pf web page says you can nest macros so I don't know why it errors out. If you remove the "/24" portion of the net1 & net2 macros it works fine.

I thought it may have had something to do with the fact that I am running an AMD64 SMP kernel. So I built an i386 UP box and tested the same four lines above (with and without the net mask) and got the same result.

I know this is a volunteer effort (and greatly appreciated at that) but would it be possible for someone to independently confirm what I am seeing and for someone to tell me if this is the intended behavior?

Thanks in advance,

-Matthew

McLone wrote:
> On 4/14/05, Matthew Grooms wrote:
>
>> host1 = "192.168.1.1"
>> host2 = "192.168.1.2"
>> all_hosts = "{" $host1 $host2 "}"
>> ... I always get a syntax error on the "all_nets =" line.
>
> Bugs me too. AFAIK there's no way to nest macros.
> BTW "," isn't needed.

BTW Thanks for the tip.
From owner-freebsd-pf@FreeBSD.ORG Fri Apr 15 15:44:12 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Matthew Grooms
Date: Fri, 15 Apr 2005 17:43:49 +0200
Subject: Re: pf rule macro help ...

On Friday 15 April 2005 17:12, Matthew Grooms wrote:
> Thanks for the response. I can use the macros that contain host
> addresses or host names. The problem occurs when I use a '/' in a macro
> and then nest it inside another macro like so ...
>
> net1 = "192.168.1.0/24"
> net2 = "192.168.2.0/24"
> all_nets = "{" $net1 $net2 "}"
> pass from $all_nets to any

Make this:

    net1 = "'192.168.1.0/24'"
    net2 = "'192.168.2.0/24'"
    all_nets = "{" $net1 $net2 "}"
    pass from $all_nets to any

Yes, it's a bit cryptic, but it's nearly impossible to fix the parser without a major undertaking. This should probably go to the FAQ or the manpage even; I posted a suggestion to OpenBSD's pf ML a while ago:
http://marc.theaimsgroup.com/?l=openbsd-pf&m=109725883904534&w=2
If OpenBSD doesn't take it, I'll put it into ours after 3.7 is imported.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
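Why Matthew's nested macro draws a syntax error and why Max's single quotes cure it, modelled in an added Python example (not from the thread, and not pfctl's own code). It assumes three things about pfctl's lexer: a $macro reference is replaced by its text and re-lexed; an unquoted word ends at '/', so 192.168.1.0/24 becomes STRING, '/', NUMBER, while a quoted word is one STRING token; and a macro definition accepts only STRING tokens on its right-hand side.

```python
import re

def lex(line, macros):
    """Tokenise one pf.conf line into (kind, text) pairs, expanding $macros."""
    tokens, i = [], 0
    while i < len(line):
        c = line[i]
        if c.isspace():
            i += 1
        elif c in '"\'':                  # quoted word: one STRING, slash and all
            j = line.index(c, i + 1)
            tokens.append(('STRING', line[i + 1:j]))
            i = j + 1
        elif c == '$':                    # macro: splice its text in and re-lex it
            m = re.match(r'\$(\w*)', line[i:])
            if m.group(1) not in macros:
                raise SyntaxError("macro '%s' not defined" % m.group(1))
            line = line[:i] + macros[m.group(1)] + line[i + m.end():]
        else:                             # '{', '}', '/' alone, or an unquoted word
            m = re.match(r'[{}/]|[^\s{}/"\'$]+', line[i:])   # word stops at '/'
            w = m.group()
            kind = w if w in '{}/' else 'NUMBER' if w.isdigit() else 'STRING'
            tokens.append((kind, w))
            i += m.end()
    return tokens

def load(lines):
    """Process pf.conf lines; a macro's value must lex to STRING tokens only."""
    macros, rules = {}, []
    for line in lines:
        m = re.match(r'^(\w+)\s*=(.*)$', line)
        if not m:                         # a filter rule: expand and tokenise
            rules.append(lex(line, macros))
            continue
        toks = lex(m.group(2), macros)
        if any(kind != 'STRING' for kind, _ in toks):
            raise SyntaxError('syntax error defining ' + m.group(1))
        macros[m.group(1)] = ' '.join(text for _, text in toks)
    return rules

def is_rejected(lines):
    try:                                  # True when the model, like pfctl, balks
        load(lines)
        return False
    except SyntaxError:
        return True

BROKEN = ['net1 = "192.168.1.0/24"', 'net2 = "192.168.2.0/24"',          # constructed,
          'all_nets = "{" $net1 $net2 "}"', 'pass from $all_nets to any']  # as posted
FIXED = ['net1 = "\'192.168.1.0/24\'"', 'net2 = "\'192.168.2.0/24\'"',      # constructed,
         'all_nets = "{" $net1 $net2 "}"', 'pass from $all_nets to any']   # Max's fix
```

With the masks single-quoted, all_nets expands to `{ 192.168.1.0/24 192.168.2.0/24 }` and the '/' only appears once the text is lexed inside a rule, where an address/mask pair is legal.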