OpenBSD PF tables


OpenBSD PF tables

John Tate-8
Misc,

I have successfully got an OpenBSD machine to connect via ADSL and forward
packets, I am gradually upgrading my pf.conf. I am having trouble with this
configuration (ignore some obvious bugs related to table names where tables
are defined and the rules I have seen them).

At the moment I am working on doing some things as tables. I want tables to
hold the ports, but it appears perhaps they can only hold IP addresses. The
following tables do not work from line 10-11...

table <etcpserv> { 22 }
table <itcpserv> { 22, 53 }

The whole thing is here: http://pastebin.com/VuLNW9Ph

John Tate

--
www.johntate.org


Re: OpenBSD PF tables

Peter Hessler
Yes, tables in PF only support IP addresses.


On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
:At the moment I am working on doing some things as tables. I want tables to
:hold the ports, but it appears perhaps they can only hold IP addresses. The
:following tables do not work from line 10-11...

--
Renning's Maxim:
        Man is the highest animal.  Man does the classifying.


Re: OpenBSD PF tables

John Tate-8
Is there a way to have it so I can add ports from the command line if I
can't use tables?

On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler <[hidden email]> wrote:

> Yes, tables in PF only support IP addresses.
>
>
> On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
> :At the moment I am working on doing some things as tables. I want tables
> to
> :hold the ports, but it appears perhaps they can only hold IP addresses.
> The
> :following tables do not work from line 10-11...
>
> --
> Renning's Maxim:
>        Man is the highest animal.  Man does the classifying.
>



--
www.johntate.org


Re: OpenBSD PF tables

Andres Perera-4
In reply to this post by John Tate-8
the documentation is pretty clear by saying that tables can only hold
addresses, not a random set of numbers

On Thu, Dec 8, 2011 at 6:41 AM, John Tate <[hidden email]> wrote:

> Misc,
>
> I have successfully got an OpenBSD machine to connect via ADSL and forward
> packets, I am gradually upgrading my pf.conf. I am having trouble with this
> configuration (ignore some obvious bugs related to table names where tables
> are defined and the rules I have seen them).
>
> At the moment I am working on doing some things as tables. I want tables to
> hold the ports, but it appears perhaps they can only hold IP addresses. The
> following tables do not work from line 10-11...
>
> table <etcpserv> { 22 }
> table <itcpserv> { 22, 53 }
>
> The whole thing is here: http://pastebin.com/VuLNW9Ph
>
> John Tate
>
> --
> www.johntate.org


Re: OpenBSD PF tables

John Tate-8
Is there a way to control ports on a filter from the command line? I guess
I just have to manually add and delete rules.

On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera <[hidden email]> wrote:

> the documentation is pretty clear by saying that tables can only hold
> addresses, not a random set of numbers
>
> On Thu, Dec 8, 2011 at 6:41 AM, John Tate <[hidden email]> wrote:
> > Misc,
> >
> > I have successfully got an OpenBSD machine to connect via ADSL and forward
> > packets, I am gradually upgrading my pf.conf. I am having trouble with
> this
> > configuration (ignore some obvious bugs related to table names where
> tables
> > are defined and the rules I have seen them).
> >
> > At the moment I am working on doing some things as tables. I want tables
> to
> > hold the ports, but it appears perhaps they can only hold IP addresses.
> The
> > following tables do not work from line 10-11...
> >
> > table <etcpserv> { 22 }
> > table <itcpserv> { 22, 53 }
> >
> > The whole thing is here: http://pastebin.com/VuLNW9Ph
> >
> > John Tate
> >
> > --
> > www.johntate.org
> >
>



--
www.johntate.org


Re: OpenBSD PF tables

Andres Perera-4
In reply to this post by John Tate-8
define the list of ports as a macro and use pfctl -D

not much adding as it is replacing the whole list:
$ echo 'pass proto udp from port $pl' | pfctl -nvf- -Dpl='{1 2 3}'
pass proto udp from any port = 1 to any
pass proto udp from any port = 2 to any
pass proto udp from any port = 3 to any

On Thu, Dec 8, 2011 at 6:45 AM, John Tate <[hidden email]> wrote:

> Is there a way to have it so I can add ports from the command line if I
> can't use tables?
>
> On Thu, Dec 8, 2011 at 10:14 PM, Peter Hessler <[hidden email]> wrote:
>
>> Yes, tables in PF only support IP addresses.
>>
>>
>> On 2011 Dec 08 (Thu) at 22:11:19 +1100 (+1100), John Tate wrote:
>> :At the moment I am working on doing some things as tables. I want tables
>> to
>> :hold the ports, but it appears perhaps they can only hold IP addresses.
>> The
>> :following tables do not work from line 10-11...
>>
>> --
>> Renning's Maxim:
>>        Man is the highest animal.  Man does the classifying.
>>
>
>
>
> --
> www.johntate.org


Re: OpenBSD PF tables

Michel Blais-2
In reply to this post by John Tate-8
You could use macro instead of table for port.

Michel

2011/12/8 John Tate <[hidden email]>

> Misc,
>
> I have successfully got an OpenBSD machine to connect via ADSL and forward
> packets, I am gradually upgrading my pf.conf. I am having trouble with this
> configuration (ignore some obvious bugs related to table names where tables
> are defined and the rules I have seen them).
>
> At the moment I am working on doing some things as tables. I want tables to
> hold the ports, but it appears perhaps they can only hold IP addresses. The
> following tables do not work from line 10-11...
>
> table <etcpserv> { 22 }
> table <itcpserv> { 22, 53 }
>
> The whole thing is here: http://pastebin.com/VuLNW9Ph
>
> John Tate
>
> --
> www.johntate.org


Re: OpenBSD PF tables

Bret S. Lambert-2
In reply to this post by John Tate-8
Take a look at pf anchors.

On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:

> Is there a way to control ports on a filter from the command line? I guess
> I just have to manually add and delete rules.
>
> On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera <[hidden email]> wrote:
>
> > the documentation is pretty clear by saying that tables can only hold
> > addresses, not a random set of numbers
> >
> > On Thu, Dec 8, 2011 at 6:41 AM, John Tate <[hidden email]> wrote:
> > > Misc,
> > >
> > > I have successfully got an OpenBSD machine to connect via ADSL and forward
> > > packets, I am gradually upgrading my pf.conf. I am having trouble with
> > this
> > > configuration (ignore some obvious bugs related to table names where
> > tables
> > > are defined and the rules I have seen them).
> > >
> > > At the moment I am working on doing some things as tables. I want tables
> > to
> > > hold the ports, but it appears perhaps they can only hold IP addresses.
> > The
> > > following tables do not work from line 10-11...
> > >
> > > table <etcpserv> { 22 }
> > > table <itcpserv> { 22, 53 }
> > >
> > > The whole thing is here: http://pastebin.com/VuLNW9Ph
> > >
> > > John Tate
> > >
> > > --
> > > www.johntate.org
> > >
> >
>
>
>
> --
> www.johntate.org


Re: OpenBSD PF tables

Peter Nicolai Mathias Hansteen
In reply to this post by John Tate-8
On Thu, Dec 08, 2011 at 10:11:19PM +1100, John Tate wrote:
> I have successfully got an OpenBSD machine to connect via ADSL and forward
> packets, I am gradually upgrading my pf.conf. I am having trouble with this
> configuration (ignore some obvious bugs related to table names where tables
> are defined and the rules I have seen them).

what are those obvious bugs? please describe in detail.

> At the moment I am working on doing some things as tables. I want tables to
> hold the ports, but it appears perhaps they can only hold IP addresses. The
> following tables do not work from line 10-11...

from man pf.conf:

TABLES
     Tables are named structures which can hold a collection of addresses and
     networks.  Lookups against tables in pf(4) are relatively fast, making a
     single rule with tables much more efficient, in terms of processor usage
     and memory consumption, than a large number of rules which differ only in
     IP address (either created explicitly or automatically by rule
     expansion).


> table <etcpserv> { 22 }
> table <itcpserv> { 22, 53 }

this is what macros are for:

etcpserv = "{ 22 }"
itcpserv = "{ 22, 53 }"

Other parts of your config use tables correctly.  You may want to browse
the PF faq, with http://home.nuug.no/~peter/pf/en/ or the book it spawned
(http://www.nostarch.com/pf2.htm) as a useful supplement.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: OpenBSD PF tables

Andres Perera-4
In reply to this post by Bret S. Lambert-2
i would concur that anchors are cleaner than redefining macros, but
they do require rewriting rules

On Thu, Dec 8, 2011 at 7:23 AM, Bret S. Lambert <[hidden email]> wrote:

> Take a look at pf anchors.
>
> On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
>> Is there a way to control ports on a filter from the command line? I guess
>> I just have to manually add and delete rules.
>>
>> On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera <[hidden email]> wrote:
>>
>> > the documentation is pretty clear by saying that tables can only hold
>> > addresses, not a random set of numbers
>> >
>> > On Thu, Dec 8, 2011 at 6:41 AM, John Tate <[hidden email]> wrote:
>> > > Misc,
>> > >
>> > > I have successfully got an OpenBSD machine to connect via ADSL and forward
>> > > packets, I am gradually upgrading my pf.conf. I am having trouble with
>> > this
>> > > configuration (ignore some obvious bugs related to table names where
>> > tables
>> > > are defined and the rules I have seen them).
>> > >
>> > > At the moment I am working on doing some things as tables. I want tables
>> > to
>> > > hold the ports, but it appears perhaps they can only hold IP addresses.
>> > The
>> > > following tables do not work from line 10-11...
>> > >
>> > > table <etcpserv> { 22 }
>> > > table <itcpserv> { 22, 53 }
>> > >
>> > > The whole thing is here: http://pastebin.com/VuLNW9Ph
>> > >
>> > > John Tate
>> > >
>> > > --
>> > > www.johntate.org
>> > >
>> >
>>
>>
>>
>> --
>> www.johntate.org


Re: OpenBSD PF tables

Peter Nicolai Mathias Hansteen
In reply to this post by John Tate-8
On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
> Is there a way to control ports on a filter from the command line? I guess
> I just have to manually add and delete rules.

the cycle


$ sudo mg /etc/pf.conf
$ sudo pfctl -vf /etc/pf.conf

doesn't take terribly long to begin with, but you could possibly achieve what you want
by putting your rules inside anchors and then do whatever manipulations you want to
rules in the anchors from the command line.  man pf.conf and man pfctl are your friends.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
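Putting the advice from the thread side by side: Andres and Peter both say ports belong in macros (with `pfctl -D` to override a macro at load time), tables are for addresses only, and anchors are the place for rules you want to change from the shell. The pf.conf fragment below is an added example written for this page, not a config posted by anyone in the thread. The interface names, the addresses in the tables and the anchor name `dynports` are assumptions; everything else uses only pf.conf syntax and pfctl options documented in the man pages the replies point to.

```conf
# Added example, not from the thread. Interface names, addresses and the
# anchor name are assumed; substitute your own.

ext_if = "pppoe0"
int_if = "em1"

# Ports go in macros. A macro is text substitution when the ruleset is
# parsed, so changing one means reloading (or overriding it with pfctl -D
# at load time). Lists need the quotes.
etcpserv = "{ 22 }"
itcpserv = "{ 22, 53 }"

# Tables hold addresses and networks only. Their contents can be changed
# at runtime with pfctl -T without reloading any rules.
table <admins> { 192.0.2.10, 192.0.2.64/29 }
table <lan> { 10.0.0.0/24 }
table <bruteforce> persist

set skip on lo
block in log on { $ext_if, $int_if }

# A source that ends up in <bruteforce> is dropped before anything else.
block in quick on $ext_if from <bruteforce>

# External side: only addresses in the admin table reach sshd, and a source
# opening connections too fast is added to <bruteforce> automatically.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port $etcpserv \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Internal side: addresses from a table, ports from a macro, in one rule.
pass in on $int_if proto { tcp, udp } from <lan> to ($int_if) port $itcpserv

# Rules you want to edit from the shell live in an anchor; the main ruleset
# only reserves the slot and the conditions under which it is evaluated.
anchor "dynports" in on $ext_if proto tcp

pass out on { $ext_if, $int_if }

# Checking and loading (as root):
#   pfctl -nvf /etc/pf.conf                            # parse only, show expanded rules
#   pfctl -f /etc/pf.conf                              # load
#   pfctl -D itcpserv='{ 22, 53, 80 }' -f /etc/pf.conf # override a macro at load
#
# Table contents change without a reload:
#   pfctl -t admins -T add 198.51.100.5
#   pfctl -t admins -T delete 198.51.100.5
#   pfctl -t bruteforce -T show
#
# Anchor contents change without touching the main ruleset:
#   echo 'pass in proto tcp to any port { 80, 443 }' | pfctl -a dynports -f -
#   pfctl -a dynports -sr                              # show the anchor's rules
#   pfctl -a dynports -Fr                              # flush them again
```

The design point is the one the thread circles around: tables are a runtime data structure (fast lookup, editable with `pfctl -T`), macros are parse-time text (cheap, but any change is a full reload, and `pfctl -D` replaces the whole list rather than appending to it), and anchors are the only one of the three that lets you swap out rules, ports included, from the command line while the rest of the ruleset stays loaded. Always run `pfctl -nvf` on the file first; the expanded output is also the quickest way to see what a macro list actually turned into.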


Re: OpenBSD PF tables

John Tate-8
In reply to this post by Peter Nicolai Mathias Hansteen
On Thu, Dec 8, 2011 at 11:00 PM, Peter N. M. Hansteen <[hidden email]> wrote:

> On Thu, Dec 08, 2011 at 10:11:19PM +1100, John Tate wrote:
> > I have successfully got an OpenBSD machine to connect via ADSL and forward
> > packets, I am gradually upgrading my pf.conf. I am having trouble with
> this
> > configuration (ignore some obvious bugs related to table names where
> tables
> > are defined and the rules I have seen them).
>
> what are those obvious bugs? please describe in detail.
>
Ignore them, that refers to mistakes of mine (the names on the tables
differs from the names in the rules)

>
> > At the moment I am working on doing some things as tables. I want tables
> to
> > hold the ports, but it appears perhaps they can only hold IP addresses.
> The
> > following tables do not work from line 10-11...
>
> from man pf.conf:
>
> TABLES
>     Tables are named structures which can hold a collection of addresses
> and
>     networks.  Lookups against tables in pf(4) are relatively fast, making
> a
>     single rule with tables much more efficient, in terms of processor
> usage
>     and memory consumption, than a large number of rules which differ only
> in
>     IP address (either created explicitly or automatically by rule
>     expansion).
>
>
> > table <etcpserv> { 22 }
> > table <itcpserv> { 22, 53 }
>
> this is what macros are for:
>
> etcpserv = "{ 22 }"
> itcpserv = "{ 22, 53 }"
>
> Other parts of your config use tables correctly.  You may want to browse
> the PF faq, with http://home.nuug.no/~peter/pf/en/ or the book it spawned
> (http://www.nostarch.com/pf2.htm) as a useful supplement.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>


--
www.johntate.org