On 2016-03-29, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> wrote:
> On 29/03/16 20:24, Adam Smith wrote:
>> Thanks, Taru, your solution works.
>>
>> Adam
>>
>> --- letcher.r...@gmail.com wrote:
>>
>> From: Letcher Ross <letcher.r...@gmail.com>
>> To: ken...@dcemail.com
>> Cc: OpenBSD Misc <misc@openbsd.org>
>> Subject: Re: Syntax error in pf rules
>> Date: Tue, 29 Mar 2016 08:55:32 -0700
>>
>> Per http://www.openbsd.org/faq/pf/macros.html
>>
>> It looks like your list should look like:
>>
>> vpnip = "{ 77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78,
>> 66.85.14.205, 54.201.110.154 }"
>>
>> Taru
>>
>> On Tue, Mar 29, 2016 at 8:45 AM, Adam Smith <ken...@dcemail.com> wrote:
>
> You should better use a table and one rule than a list which will be
> expanded to 6 rules.
>
> table <vpnip> { 77.90.247.88, 112.119.192.26, 85.95.253.145,
> 31.210.111.78, 66.85.14.205, 54.201.110.154 }
> pass out quick on $wan proto tcp from any to <vpnip> port 443 keep state
With 6 addresses it will actually work due to the ruleset optimizer
collapsing them to a table, but you'll get very confused if you remove
one of the addresses as 5 *will* get expanded to multiple rules.

Compare:

echo 'pass from { 77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78, 66.85.14.205, 54.201.110.154 }' | pfctl -nvf -
echo 'pass from { 77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78, 66.85.14.205 }' | pfctl -nvf -

So yes it is definitely advisable to use an explicit table here.
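Added example, not part of this thread and not OpenBSD's own code: a small Python script that expands pf.conf macros, counts how many rules one line with { } lists loads as (the product of the list sizes, which is how pf expands lists), and rewrites the address list after "to" into a table definition plus a single rule, the shape the reply above recommends. SAMPLE_CONF, the macro names and the function names are constructed for the illustration. It deliberately does not model pfctl's ruleset optimizer, so it reports the unoptimized count; the authoritative check on a real box is still `pfctl -nvf` as shown above.

```python
import re
from functools import reduce
from operator import mul

# Constructed sample pf.conf fragment (not from the thread): a macro holding
# a five-address list, used once in a pass rule.
SAMPLE_CONF = """\
wan = "em0"
vpnip = "{ 77.90.247.88, 112.119.192.26, 85.95.253.145, 31.210.111.78, 66.85.14.205 }"
pass out quick on $wan proto tcp from any to $vpnip port 443 keep state
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?(.*?)"?\s*$')
LIST_RE = re.compile(r'\{([^{}]*)\}')
MACRO_REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def parse_macros(conf):
    """Collect name = "value" macro definitions; the quotes are optional."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def expand_macros(rule, macros):
    """Substitute $name references textually, as pfctl does, repeating so
    that a macro whose value names another macro is resolved too."""
    def lookup(m):
        name = m.group(1)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        return macros[name]
    for _ in range(16):  # bound the loop in case a macro refers to itself
        expanded = MACRO_REF_RE.sub(lookup, rule)
        if expanded == rule:
            return expanded
        rule = expanded
    raise ValueError("macro expansion did not converge")


def list_items(body):
    """Split the inside of a { } list; pf accepts commas and/or whitespace."""
    return [item for item in re.split(r'[\s,]+', body.strip()) if item]


def expansion_count(rule):
    """Number of rules one line loads as: the product of all { } list sizes
    (a line with no lists, or with a <table> reference, is one rule)."""
    sizes = [len(list_items(m.group(1))) for m in LIST_RE.finditer(rule)]
    return reduce(mul, sizes, 1)


def list_to_table(rule, table_name, keyword="to"):
    """Move the { } address list after `keyword` into a table.
    Returns (table definition line, rewritten single rule)."""
    m = re.search(rf'\b{keyword}\s*\{{([^{{}}]*)\}}', rule)
    if not m:
        raise ValueError(f"no address list after '{keyword}' in: {rule}")
    items = list_items(m.group(1))
    table_def = f"table <{table_name}> {{ {', '.join(items)} }}"
    rewritten = rule[:m.start()] + f"{keyword} <{table_name}>" + rule[m.end():]
    return table_def, rewritten


def analyze(conf):
    """One record per rule line: macro-expanded text and its expansion
    count. Comments, macro definitions and table definitions are skipped."""
    macros = parse_macros(conf)
    records = []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or MACRO_RE.match(line) or line.startswith("table "):
            continue
        expanded = expand_macros(line, macros)
        records.append({"rule": line, "expanded": expanded,
                        "count": expansion_count(expanded)})
    return records


if __name__ == "__main__":
    for rec in analyze(SAMPLE_CONF):
        print(f"{rec['count']:>3} rule(s) <- {rec['rule']}")
        if rec["count"] > 1 and re.search(r'\bto\s*\{', rec["expanded"]):
            tdef, new_rule = list_to_table(rec["expanded"], "vpnip")
            print("    suggested:", tdef)
            print("              ", new_rule)
```

Run as a script it reports that the sample line loads as 5 rules and prints the table form that loads as 1; a list in both the "from" and the "port" position multiplies (two addresses times three ports is six rules), which is why a list that looks like one rule can quietly become many.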