Monday, May 04, 2020

Re: pf table for all publicly routable ipv4 addresses

On 2020-05-04 19:23, Stuart Henderson wrote:
> On 2020-05-04, Marko Cupać <marko.cupac@mimar.rs> wrote:
>> Hi,
>>
>> I'd like to create pf table "all publicly routable ipv4 addresses". Is
>> this possible with some short syntax?
>>
>> Thank you in advance.
>>
>
> something like this?
>
> # https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
> table <routable> {
> !0.0.0.0/8
> !10.0.0.0/8
> !100.64.0.0/10
> !127.0.0.0/8
> !169.254.0.0/16
> !172.16.0.0/12
> !192.0.0.0/24
> !192.0.2.0/24
> !192.168.0.0/16
> !198.18.0.0/15
> !198.51.100.0/24
> !203.0.113.0/24
> !224.0.0.0/3
> }

Yes. I want to have the opposite of <martians> table described in pf
faq:
https://www.openbsd.org/faq/pf/example1.html#pf

...so I can permit hosts on the guest vlan to access Internet hosts, but
not hosts on other private vlans, similar to:

block log all
pass in on $guest_vlan from $guest_vlan:network to <routable>

However, this apparently doesn't work. If I tested well, your <routable>
table expands to "no addresses", not "all addresses but those".

I thought I could do such table like this:

table <routable> { 0.0.0.0/0 \
!0.0.0.0/8 \
...
!224.0.0.0/3 }

...but https://www.openbsd.org/faq/pf/tables.html#addr states that "One
limitation when specifying addresses is that 0.0.0.0/0 and 0/0 will not
work in tables".

I know I can solve this by reordering rules, and using block instead of
pass, but I'd really like to have a table of all publicly routable ip
addresses in pf.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
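Since pf tables accept neither 0.0.0.0/0 nor a negation-only list, the remaining way to get "all addresses but those" into a table is to spell out the complement as positive prefixes and let pf load that. The script below is an added example, not part of this thread and not OpenBSD's own tooling: it takes the aggregated bogon list quoted above (embedded here as a constructed input; a real deployment would refresh it from the Team Cymru URL Stuart cites, since the list changes) and emits an explicit, collapsed table of every IPv4 prefix outside it. The helper names (complement, contains, render_table, total_addresses) are this example's own.

```python
import ipaddress

# Constructed input: the aggregated IPv4 bogon list as quoted in the thread.
# Refresh from the upstream source before using this in production.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
]


def complement(excluded, universe="0.0.0.0/0"):
    """Return a sorted, collapsed list of networks covering `universe`
    with every network in `excluded` carved out (hypothetical helper)."""
    remaining = [ipaddress.ip_network(universe)]
    for raw in excluded:
        hole = ipaddress.ip_network(raw)
        kept = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                 # swallowed entirely by the hole
            if hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))  # split around it
            else:
                kept.append(net)         # disjoint, untouched
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def contains(nets, addr):
    """True if `addr` falls inside any network of `nets`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def total_addresses(nets):
    """Number of addresses covered by `nets` (for sanity checks)."""
    return sum(net.num_addresses for net in nets)


def render_table(name, nets):
    """Render `nets` as an inline pf table definition."""
    lines = [f"table <{name}> {{"]
    lines += [f"    {net}" for net in nets]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    routable = complement(BOGONS)
    print(render_table("routable", routable))
```

Write the prefixes one per line into a file instead of printing a braced block and pf can load it with `table <routable> persist file "/etc/routable.txt"`; after `pfctl -f /etc/pf.conf`, `pfctl -t routable -T show` confirms the expansion is the positive list rather than "no addresses". The sanity check worth keeping alongside any regeneration is that the complement and the bogon list together cover exactly 2^32 addresses with no overlap, so a malformed upstream line cannot silently open or close part of the address space.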
