Re: OpenBSD PF tables
On Thu, Dec 8, 2011 at 11:00 PM, Peter N. M. Hansteen wrote:
> On Thu, Dec 08, 2011 at 10:11:19PM +1100, John Tate wrote:
> > I have successfully got an OpenBSD machine to connect via ADSL and forward
> > packets, I am gradually upgrading my pf.conf. I am having trouble with this
> > configuration (ignore some obvious bugs related to table names where tables
> > are defined and the rules I have seen them).
>
> what are those obvious bugs? please describe in detail.

Ignore them, that refers to mistakes of mine (the names on the tables differ
from the names in the rules)

> > At the moment I am working on doing some things as tables. I want tables to
> > hold the ports, but it appears perhaps they can only hold IP addresses. The
> > following tables do not work from line 10-11...
>
> from man pf.conf:
>
>     TABLES
>     Tables are named structures which can hold a collection of addresses and
>     networks. Lookups against tables in pf(4) are relatively fast, making a
>     single rule with tables much more efficient, in terms of processor usage
>     and memory consumption, than a large number of rules which differ only in
>     IP address (either created explicitly or automatically by rule expansion).
>
> > table { 22 }
> > table { 22, 53 }
>
> this is what macros are for:
>
>     etcpserv = { 22 }
>     itcpserv = { 22, 53 }
>
> Other parts of your config use tables correctly. You may want to browse
> the PF faq, with http://home.nuug.no/~peter/pf/en/ or the book it spawned
> (http://www.nostarch.com/pf2.htm) as a useful supplement.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

--
www.johntate.org
Re: OpenBSD PF tables
i would concur that anchors are cleaner than redefining macros, but they do
require rewriting rules

On Thu, Dec 8, 2011 at 7:23 AM, Bret S. Lambert wrote:
> Take a look at pf anchors.
>
> On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
>> Is there a way to control ports on a filter from the command line? I guess
>> I just have to manually add and delete rules.
>>
>> On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera wrote:
>>
>> > the documentation is pretty clear by saying that tables can only hold
>> > addresses, not a random set of numbers
>> >
>> > On Thu, Dec 8, 2011 at 6:41 AM, John Tate wrote:
>> > > Misc,
>> > >
>> > > I have successfully got an OpenBSD machine to connect via ADSL and forward
>> > > packets, I am gradually upgrading my pf.conf. I am having trouble with this
>> > > configuration (ignore some obvious bugs related to table names where tables
>> > > are defined and the rules I have seen them).
>> > >
>> > > At the moment I am working on doing some things as tables. I want tables to
>> > > hold the ports, but it appears perhaps they can only hold IP addresses. The
>> > > following tables do not work from line 10-11...
>> > >
>> > > table { 22 }
>> > > table { 22, 53 }
>> > >
>> > > The whole thing is here: http://pastebin.com/VuLNW9Ph
>> > >
>> > > John Tate
>> > >
>> > > --
>> > > www.johntate.org
>> > >
>> >
>>
>>
>>
>> --
>> www.johntate.org
Re: OpenBSD PF tables
On Thu, Dec 08, 2011 at 10:11:19PM +1100, John Tate wrote:
> I have successfully got an OpenBSD machine to connect via ADSL and forward
> packets, I am gradually upgrading my pf.conf. I am having trouble with this
> configuration (ignore some obvious bugs related to table names where tables
> are defined and the rules I have seen them).

what are those obvious bugs? please describe in detail.

> At the moment I am working on doing some things as tables. I want tables to
> hold the ports, but it appears perhaps they can only hold IP addresses. The
> following tables do not work from line 10-11...

from man pf.conf:

    TABLES
    Tables are named structures which can hold a collection of addresses and
    networks. Lookups against tables in pf(4) are relatively fast, making a
    single rule with tables much more efficient, in terms of processor usage
    and memory consumption, than a large number of rules which differ only in
    IP address (either created explicitly or automatically by rule expansion).

> table { 22 }
> table { 22, 53 }

this is what macros are for:

    etcpserv = { 22 }
    itcpserv = { 22, 53 }

Other parts of your config use tables correctly. You may want to browse
the PF faq, with http://home.nuug.no/~peter/pf/en/ or the book it spawned
(http://www.nostarch.com/pf2.htm) as a useful supplement.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD PF tables
On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
> Is there a way to control ports on a filter from the command line? I guess
> I just have to manually add and delete rules.

the cycle

    $ sudo mg /etc/pf.conf
    $ sudo pfctl -vf /etc/pf.conf

doesn't take terribly long to begin with, but you could possibly achieve
what you want by putting your rules inside anchors and then do whatever
manipulations you want to rules in the anchors from the command line.

man pf.conf and man pfctl are your friends.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD PF tables
Take a look at pf anchors.

On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
> Is there a way to control ports on a filter from the command line? I guess
> I just have to manually add and delete rules.
>
> On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera wrote:
>
> > the documentation is pretty clear by saying that tables can only hold
> > addresses, not a random set of numbers
> >
> > On Thu, Dec 8, 2011 at 6:41 AM, John Tate wrote:
> > > Misc,
> > >
> > > I have successfully got an OpenBSD machine to connect via ADSL and forward
> > > packets, I am gradually upgrading my pf.conf. I am having trouble with this
> > > configuration (ignore some obvious bugs related to table names where tables
> > > are defined and the rules I have seen them).
> > >
> > > At the moment I am working on doing some things as tables. I want tables to
> > > hold the ports, but it appears perhaps they can only hold IP addresses. The
> > > following tables do not work from line 10-11...
> > >
> > > table { 22 }
> > > table { 22, 53 }
> > >
> > > The whole thing is here: http://pastebin.com/VuLNW9Ph
> > >
> > > John Tate
> > >
> > > --
> > > www.johntate.org
> > >
> >
>
>
>
> --
> www.johntate.org
Re: OpenBSD PF tables
You could use a macro instead of a table for ports.

Michel

2011/12/8 John Tate
> Misc,
>
> I have successfully got an OpenBSD machine to connect via ADSL and forward
> packets, I am gradually upgrading my pf.conf. I am having trouble with this
> configuration (ignore some obvious bugs related to table names where tables
> are defined and the rules I have seen them).
>
> At the moment I am working on doing some things as tables. I want tables to
> hold the ports, but it appears perhaps they can only hold IP addresses. The
> following tables do not work from line 10-11...
>
> table { 22 }
> table { 22, 53 }
>
> The whole thing is here: http://pastebin.com/VuLNW9Ph
>
> John Tate
>
> --
> www.johntate.org
Re: OpenBSD PF tables
define the list of ports as a macro and use pfctl -D

not much adding as it is replacing the whole list:

    $ echo 'pass proto udp from port $pl' | pfctl -nvf- -Dpl='{1 2 3}'
    pass proto udp from any port = 1 to any
    pass proto udp from any port = 2 to any
    pass proto udp from any port = 3 to any

On Thu, Dec 8, 2011 at 6:45 AM, John Tate wrote:
> Is there a way to have it so I can add ports from the command line if I
> can't use tables?
>
> On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler wrote:
>
>> Yes, tables in PF only support IP addresses.
>>
>>
>> On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
>> :At the moment I am working on doing some things as tables. I want tables to
>> :hold the ports, but it appears perhaps they can only hold IP addresses. The
>> :following tables do not work from line 10-11...
>>
>> --
>> Renning's Maxim:
>>     Man is the highest animal.  Man does the classifying.
>>
>
>
>
> --
> www.johntate.org
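The two workarounds the thread settles on are a port-list macro substituted at load time with pfctl -D (this message) and rules kept in an anchor that can be reloaded from the command line without touching the rest of the ruleset (Peter Hansteen's and Bret Lambert's replies). The script below is an added example, not code posted by anyone in the thread, that does both from one validated port list; the anchor name "svcports", the interface "em0", the macro name "pl", and the pf.conf lines shown in comments are assumptions. The validation matters because the port list ends up spliced into rule text that pfctl parses, so anything that is not a plain port number is rejected before it reaches pfctl.

```shell
#!/bin/sh
# Added example (not from the thread): turn a list of ports into PF rules,
# then load them either into an anchor or through a pfctl -D macro.
# Assumed names: anchor "svcports", interface em0, macro "pl".

ANCHOR=svcports
EXT_IF=em0
PF_CONF=/etc/pf.conf

# valid_port PORT: succeed only for a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_list "22 53": print "22, 53", or fail (printing nothing) if any
# entry is not a valid port. This is the check that keeps stray rule
# text out of what we hand to pfctl.
port_list() {
    list=""
    for p in $1; do
        valid_port "$p" || return 1
        list="$list${list:+, }$p"
    done
    printf '%s' "$list"
}

# port_rules "22 53": print the anchor rule that admits the given TCP ports.
port_rules() {
    list=$(port_list "$1") || return 1
    printf 'pass in on %s proto tcp from any to any port { %s }\n' "$EXT_IF" "$list"
}

# Anchor variant. The main ruleset (assumed pf.conf) needs the attachment
# point once, e.g.:
#     anchor "svcports"
# After that, only the anchor's contents are replaced; the main ruleset
# is left alone. Without pfctl on this host the rules are just printed.
load_anchor() {
    rules=$(port_rules "$1") || { echo "load_anchor: bad port in '$1'" >&2; return 2; }
    if command -v pfctl >/dev/null 2>&1; then
        printf '%s\n' "$rules" | pfctl -a "$ANCHOR" -f -
    else
        printf '%s\n' "$rules"
    fi
}

# Macro variant (the pfctl -D approach). Assumed pf.conf contents:
#     pl = "{ 22 }"
#     pass in on em0 proto tcp from any to any port $pl
# -D overrides the macro in the file, so the whole ruleset is reloaded
# with the new list; with -n pfctl only parses and prints the expansion.
reload_with_macro() {
    list=$(port_list "$1") || { echo "reload_with_macro: bad port in '$1'" >&2; return 2; }
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -D "pl={ $list }" -f "$PF_CONF"
    else
        printf 'would run: pfctl -D "pl={ %s }" -f %s\n' "$list" "$PF_CONF"
    fi
}

# Usage when run directly: ./ports.sh 22 53
if [ $# -gt 0 ]; then
    load_anchor "$*"
fi
```

Both functions refuse the list as a whole when one entry is bad, rather than loading a partial set, so a typo cannot silently open or close the wrong port. The macro route is what this message describes: a full reload with the list replaced; the anchor route is the one suggested upthread and is the cheaper operation when only the port rules change.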
Re: OpenBSD PF tables
Is there a way to control ports on a filter from the command line? I guess
I just have to manually add and delete rules.

On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera wrote:
> the documentation is pretty clear by saying that tables can only hold
> addresses, not a random set of numbers
>
> On Thu, Dec 8, 2011 at 6:41 AM, John Tate wrote:
> > Misc,
> >
> > I have successfully got an OpenBSD machine to connect via ADSL and forward
> > packets, I am gradually upgrading my pf.conf. I am having trouble with this
> > configuration (ignore some obvious bugs related to table names where tables
> > are defined and the rules I have seen them).
> >
> > At the moment I am working on doing some things as tables. I want tables to
> > hold the ports, but it appears perhaps they can only hold IP addresses. The
> > following tables do not work from line 10-11...
> >
> > table { 22 }
> > table { 22, 53 }
> >
> > The whole thing is here: http://pastebin.com/VuLNW9Ph
> >
> > John Tate
> >
> > --
> > www.johntate.org
> >
>

--
www.johntate.org
Re: OpenBSD PF tables
the documentation is pretty clear by saying that tables can only hold
addresses, not a random set of numbers

On Thu, Dec 8, 2011 at 6:41 AM, John Tate wrote:
> Misc,
>
> I have successfully got an OpenBSD machine to connect via ADSL and forward
> packets, I am gradually upgrading my pf.conf. I am having trouble with this
> configuration (ignore some obvious bugs related to table names where tables
> are defined and the rules I have seen them).
>
> At the moment I am working on doing some things as tables. I want tables to
> hold the ports, but it appears perhaps they can only hold IP addresses. The
> following tables do not work from line 10-11...
>
> table { 22 }
> table { 22, 53 }
>
> The whole thing is here: http://pastebin.com/VuLNW9Ph
>
> John Tate
>
> --
> www.johntate.org
Re: OpenBSD PF tables
Is there a way to have it so I can add ports from the command line if I
can't use tables?

On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler wrote:
> Yes, tables in PF only support IP addresses.
>
>
> On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
> :At the moment I am working on doing some things as tables. I want tables to
> :hold the ports, but it appears perhaps they can only hold IP addresses. The
> :following tables do not work from line 10-11...
>
> --
> Renning's Maxim:
>     Man is the highest animal.  Man does the classifying.
>

--
www.johntate.org
Re: OpenBSD PF tables
Yes, tables in PF only support IP addresses.

On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
:At the moment I am working on doing some things as tables. I want tables to
:hold the ports, but it appears perhaps they can only hold IP addresses. The
:following tables do not work from line 10-11...

--
Renning's Maxim:
    Man is the highest animal.  Man does the classifying.
OpenBSD PF tables
Misc,

I have successfully got an OpenBSD machine to connect via ADSL and forward
packets, I am gradually upgrading my pf.conf. I am having trouble with this
configuration (ignore some obvious bugs related to table names where tables
are defined and the rules I have seen them).

At the moment I am working on doing some things as tables. I want tables to
hold the ports, but it appears perhaps they can only hold IP addresses. The
following tables do not work from line 10-11...

    table { 22 }
    table { 22, 53 }

The whole thing is here: http://pastebin.com/VuLNW9Ph

John Tate

--
www.johntate.org