pf rule macro help ...
Matthew Grooms
mgrooms at seton.org
Wed Apr 13 17:02:25 PDT 2005
Hello all,
I am migrating a largish ruleset from Checkpoint to FreeBSD/pf and am
having a problem trying to write some nested macros. The example from
the pf website that nests macros seems to work fine ...
host1 = "192.168.1.1"
host2 = "192.168.1.2"
all_hosts = "{" $host1 $host2 "}"
... but if I try to nest two macros that define networks ...
net1 = "192.168.1.0/24"
net2 = "192.168.2.0/24"
all_nets = "{" $net1 "," $net2 "}"
... I always get a syntax error on the "all_nets =" line. What am I
doing wrong here?
----- warning, wishful thinking below -----
Also, are there any plans to support nested tables, or is there some
technical argument against it? Life would be so much easier when trying
to organize large groups of networks and hosts, i.e. ...
# Office one networks
table <office1-nets> { 10.1.1.0/24, 10.2.1.0/24, etc ... }
# Office two networks
table <office2-nets> { 10.3.1.0/24, 10.4.1.0/24, etc ... }
# all internal networks
table <internal-nets> { <office1-nets>, <office2-nets> }
# anti spoof
block drop in log quick on $ext_if from <internal-nets> to any
Writing a small rule set is simple in pf.conf, but trying to write a
larger script that is easy to read and self-documenting is kind of
difficult. You have to write all comments before or after a multi-line
table or macro because of the esc char, i.e. ...
# mail servers 1 - 2
# web servers 1 - 4
# ftp servers 1 - 4
etc ...
table <my-dmz-hosts> { \
10.1.1.1, 10.1.1.2, \
10.1.1.3, 10.1.1.4, 10.1.1.5, 10.1.1.6, \
10.1.1.7, 10.1.1.8, 10.1.1.9, 10.1.1.10, \
etc ...
}
I know you can use DNS names and have pf resolve them at load time, which
does make things a bit easier to read. But then you have to worry about
losing connectivity with your DNS server when you need to reload rules.
IMHO, it would have been better if pfctl acted more like a C parser,
where you have a terminating char so that inline comments could be used
and escapes would be unnecessary, i.e. ...
table <my-dmz-hosts>
{
10.1.1.1, # mail1.blah.org
10.1.1.2, # mail2.blah.org
10.1.1.3, # web1.blah.org
10.1.1.4, # web2.blah.org
10.1.1.5, # web3.blah.org
10.1.1.6, # web4.blah.org
10.1.1.7, # ftp1.blah.org
10.1.1.8, # ftp2.blah.org
10.1.1.9, # ftp3.blah.org
10.1.1.10, # ftp4.blah.org
etc ...
};
# make sure I can manage my dmz hosts
pass quick proto tcp from $admin to <my-dmz-hosts> port ssh;
-Matthew
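As an added illustration (not part of Matthew's post and not the pf project's own documentation), the following shows how the two things he asks for, a comment next to each address and office-level grouping, can be had with features pf.conf already provides: each group of addresses lives in its own table loaded from a file (the table-file loader treats lines beginning with `#` as comments), and the rule references several tables together in a list instead of a nested table. The interface name, the `$admin` address, the addresses and the file paths are made up for the example.

```pf
# ---- /etc/pf.conf (hypothetical fragment) ----
ext_if = "em0"            # assumed external interface
admin  = "10.1.0.5"       # assumed management host

# One table per office and one for the DMZ, each loaded from a file.
# Tables are read when the ruleset is loaded, so no DNS lookup is
# needed at reload time.
table <office1-nets> file "/etc/pf/office1-nets"
table <office2-nets> file "/etc/pf/office2-nets"
table <my-dmz-hosts> file "/etc/pf/dmz-hosts"

# Grouping without nested tables: list the tables in the rule itself.
# Anti-spoof: packets arriving on the external interface must not carry
# an internal source address.
block drop in log quick on $ext_if from { <office1-nets>, <office2-nets> } to any

# Management access to the DMZ hosts.
pass in quick proto tcp from $admin to <my-dmz-hosts> port ssh

# ---- /etc/pf/office1-nets (one address or network per line) ----
# Office one networks
10.1.1.0/24
10.2.1.0/24

# ---- /etc/pf/dmz-hosts ----
# mail servers 1 - 2
10.1.1.1
10.1.1.2
# web servers 1 - 4
10.1.1.3
10.1.1.4
10.1.1.5
10.1.1.6
```

Because the address lists are ordinary text files, a single office's table can be reloaded on its own with `pfctl -t office1-nets -T replace -f /etc/pf/office1-nets` without touching the rest of the ruleset, and `pfctl -nf /etc/pf.conf` parses the whole configuration without loading it, which is a cheap check to run before every reload.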
More information about the freebsd-pf mailing list