Valid statement in pf.conf?
solarflux.org/pf
pf-r at solarflux.org
Tue Feb 8 19:16:19 PST 2005
Doug Van Allen wrote:
> Is this valid:
>
> pass in on $ext_if proto tcp from 151.103.xxx.xxx-151.103.xxx.xxx
> to $ext_if port 22 keep state
>
> I used x's only to hide the other part of the ip address. I need to
> let in a range of ip's like, 192.168.0.1-192.168.32.254.
No. Are you trying to let in an entire subnet or a range of IPs that do
not consist of an entire subnet?
If you want to let an entire subnet in, you can use, for example:
pass in on $ext_if proto tcp from 151.103.50.96/28 to $ext_if port 22 \
keep state
This lets 151.103.50.96 - 151.103.50.111 pass (really .97-.110).
If you want to use a range that is not an entire subnet, you could use a
macro with each IP listed:
sshallowed = "{ 151.103.50.98, 151.103.50.99, 151.103.50.100 }"
The pass rule would then be:
pass in on $ext_if proto tcp from $sshallowed to $ext_if port 22 \
keep state
An alternative would be to use a table with each IP listed, either
inclusive or in a separate file. Inclusive example:
table <sshallowed> persist { 151.103.50.98, 151.103.50.99, \
151.103.50.100 }
Pass rule:
pass in on $ext_if proto tcp from <sshallowed> to $ext_if port 22 \
keep state
Separate file example:
table <sshallowed> persist file "/etc/pf.sshallowed"
The file /etc/pf.sshallowed would consist of all the IP addresses, but
only one IP address per line:
151.103.50.98
151.103.50.99
151.103.50.100
Same pass rule as the inclusive example.
HTH
-S
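The reply above lists each address of a non-subnet range one per line. A pf table also accepts CIDR blocks, so a contiguous range such as the 192.168.0.1-192.168.32.254 in the original question can be loaded as a short list of prefixes instead of thousands of individual lines. The script below is an added example, not code from the mail or from the pf project; it turns a first/last address pair into the minimal CIDR list, renders both the inline-table and table-file forms shown in the reply, and checks offline that the blocks cover exactly the requested range (nothing missing, nothing extra). The table name `sshallowed` and the range values are taken from the thread; the file name `/etc/pf.sshallowed` is likewise the one from the reply.

```python
#!/usr/bin/env python3
"""Expand an IPv4 range into the minimal CIDR list for a pf table.

Added example; not from the original mailing-list post. The table name,
file name and ranges used below are taken from the thread for illustration.
"""
import ipaddress
from typing import List


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Return the minimal list of CIDR blocks covering first..last inclusive.

    pf tables accept CIDR entries, so a range that is not itself a subnet
    can still be expressed with a handful of lines rather than one line
    per address.
    """
    a = ipaddress.IPv4Address(first)
    b = ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError("range start is after range end")
    return [str(net) for net in ipaddress.summarize_address_range(a, b)]


def render_table_file(cidrs: List[str]) -> str:
    """File contents for:  table <sshallowed> persist file "/etc/pf.sshallowed"."""
    return "".join(f"{c}\n" for c in cidrs)


def render_inline_table(name: str, cidrs: List[str]) -> str:
    """One pf.conf line declaring the table with its entries inline."""
    return f"table <{name}> persist {{ {', '.join(cidrs)} }}"


def covers(cidrs: List[str], ip: str) -> bool:
    """Offline stand-in for `pfctl -t <name> -T test <ip>` on a loaded table."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(c) for c in cidrs)


def check_exact(cidrs: List[str], first: str, last: str) -> bool:
    """True if the blocks cover exactly first..last: no gaps, no extra hosts.

    Every block must lie inside the range, and the address count of all
    blocks must equal the size of the range. Together these rule out both
    a missing host and an accidentally widened allow-list.
    """
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    nets = [ipaddress.IPv4Network(c) for c in cidrs]
    inside = all(int(n.network_address) >= a and int(n.broadcast_address) <= b
                 for n in nets)
    total = sum(n.num_addresses for n in nets)
    return inside and total == b - a + 1


if __name__ == "__main__":
    # The range from the original question.
    first, last = "192.168.0.1", "192.168.32.254"
    blocks = range_to_cidrs(first, last)
    print(f"# {len(blocks)} CIDR blocks instead of {2**32 and 8446} single addresses")
    print(render_inline_table("sshallowed", blocks))
    print()
    print("# contents for /etc/pf.sshallowed (one entry per line):")
    print(render_table_file(blocks), end="")
    print("# exact cover:", check_exact(blocks, first, last))
    print("# 192.168.32.255 allowed?", covers(blocks, "192.168.32.255"))
```

After loading the real table on a pf host, `pfctl -t sshallowed -T show` lists the entries and `pfctl -t sshallowed -T test 192.168.32.255` confirms that an address just outside the range is not matched, which is the same check `covers` performs here without pf.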
More information about the freebsd-pf mailing list