Stuart,

        Thanks for the feedback. The warning about list expansion is 
appreciated; I was aware of the downside.

        It seemed to be an error in the parser to me, but I'd have to review 
the grammar again. Ah yes, no negation in the grammar for 'protospec' or 
'proto-list'!!!

        I've moved past simple block / allow and am trying to add 'forensic' 
rules that generate log data that I can perform some low-level analysis 
against. I have not found documentation that clearly states that a block rule 
such as you suggest:

                block on $int inet

will also effectively block all non-ip protocols. I assume that it does.


> On Nov 23, 2017, at 2:21 AM, Stuart Henderson <[email protected]> wrote:
> 
> On 2017/11/21 12:21, S. Donaldson wrote:
>> Applies to stable:
>> 
>> OpenBSD 6.1 GENERIC.MP amd64
>> 
>> and stable
>> 
>> OpenBSD 6.2 GENERIC.MP amd64
>> 
>> 
>> pf rules that block using the proto keyword with a negation fail with a 
>> syntax error.
>> 
>> block on $int inet proto ! tcp
> 
> I think you'll just need two rules for that:
> 
> block on $int inet
> pass on $int inet proto tcp
> 
>> and list based negations also fail
>> 
>> block on $int inet proto ! { tcp udp }
>> 
>> with a syntax error.
> 
> Beware of list negations! If this was allowed it would expand to this:
> 
> block on $int inet proto ! tcp
> block on $int inet proto ! udp
> 
> Which is not what you want.
> 
> It may seem to work in some cases with a list of IP addresses as the
> ruleset optimizer will convert them to a table if there are enough
> addresses, but this is dangerous as if you remove enough addresses it
> will start to do the wrong thing.
> 
> In general avoid negation with lists.

Scott Donaldson
IS Manager
SED Systems a division of Calian Ltd.
Saskatoon, SK
Canada

Office Phone: 306-933-1577

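As an added pf.conf fragment (not from either message in the thread), the negation-free form of the list case discussed above, with `log` added for the forensic rules the reply mentions; the interface name em0 behind the `$int` macro is an assumption.

```pf
# Added example, not from the thread. Assumes the interface is em0.
int = "em0"

# Rejected by the parser: the grammar has no negation for proto or a proto list.
# block on $int inet proto ! { tcp udp }

# Equivalent without negation: block everything on the interface by default,
# then pass the listed protocols. The last matching rule wins, so the pass
# rule overrides the block for TCP and UDP only. "log" sends the packets that
# stay blocked (everything that is not TCP or UDP) to pflog0 for later analysis.
block log on $int inet
pass on $int inet proto { tcp udp }

# The pass list still expands to one rule per protocol, which is harmless here;
# it is the negated list from the original question that expands to the wrong
# thing (a separate "! tcp" and "! udp" rule, which together match everything).
```

Before loading, `pfctl -nvf /etc/pf.conf` parses the file without installing it and prints the expanded rules, which is the quickest way to see what a list actually turned into.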