Michael T. Davis
2011-12-12 16:09:43 UTC
At 12:58:55.78 on 11-DEC-2011 in message
using address lists, but there was a reference from Darren about the ability
to list interfaces "just like addresses" (or words to that effect), along
with an example that looked something like...
block in quick on (xl0 xl1)...
So, aomng others, I now have a "macro" in ipf.conf that handles our subnets:
OURNETS = "( .../22, .../24 )";
So references to $OURNETS now work as desired, and allow me to consolidate
the rules that cited the subnets separately. I can, of course, deal with
the address list directly:
block in quick on fxp0 from any to ( .../22, .../24 ) ...
The source where I found the code in ipf_y.y dealing with address
lists was from v4.1.15, so I can't say for sure whether this is available in
anything older than that. (Though I'm fairly certain [but I won't swear to
it] that the reference I found from Darren about interface lists might have
pre-dated this version.)
I offer this so there is a specific citation in the mailing list
archive to "address lists," in case anyone else might find the feature
useful. The information might also be a useful addition to the FAQ, where
address pools can slso be discussed when you're dealing with "large" sets
of addresses (and when you need _some_ negated addresses), and address lists
can be used for a small set of addresses, all of which you want to handle in
the same way.
Regards,
Mike
I have IPFilter v4.1.29 running under NetBSD 5.1 (release). From
looking at ipf_y.y, I _think_ ipf.conf supports address lists, e.g...
block in quick on fxp0 from any to ( .../22, .../24 ) port = ...
As ipf.conf is read/processed, this would presumably be treated as...
block in quick on fxp0 from any to .../22 port = ...
block in quick on fxp0 from any to .../24 port = ...
I have searched the FAQ, the mailing list archive at marc.info and the man
pages, but I can't find anything that documents this (aside from the source,
if I'm parsing it correctly). Is the above synopsis essentially correct, or
are pools the only way to implement this functionality? I'd like to avoid
pools, if necessary, since I only have a couple address ranges to worry
about (actually as cited in the exmaple), and the booting process for NetBSD
does not yet properly support loading pools at boot time. (I hope this will
be corrected in a future NetBSD release.)
[...]
I never found a reference in the mailing list archive that documentslooking at ipf_y.y, I _think_ ipf.conf supports address lists, e.g...
block in quick on fxp0 from any to ( .../22, .../24 ) port = ...
As ipf.conf is read/processed, this would presumably be treated as...
block in quick on fxp0 from any to .../22 port = ...
block in quick on fxp0 from any to .../24 port = ...
I have searched the FAQ, the mailing list archive at marc.info and the man
pages, but I can't find anything that documents this (aside from the source,
if I'm parsing it correctly). Is the above synopsis essentially correct, or
are pools the only way to implement this functionality? I'd like to avoid
pools, if necessary, since I only have a couple address ranges to worry
about (actually as cited in the exmaple), and the booting process for NetBSD
does not yet properly support loading pools at boot time. (I hope this will
be corrected in a future NetBSD release.)
[...]
using address lists, but there was a reference from Darren about the ability
to list interfaces "just like addresses" (or words to that effect), along
with an example that looked something like...
block in quick on (xl0 xl1)...
So, aomng others, I now have a "macro" in ipf.conf that handles our subnets:
OURNETS = "( .../22, .../24 )";
So references to $OURNETS now work as desired, and allow me to consolidate
the rules that cited the subnets separately. I can, of course, deal with
the address list directly:
block in quick on fxp0 from any to ( .../22, .../24 ) ...
The source where I found the code in ipf_y.y dealing with address
lists was from v4.1.15, so I can't say for sure whether this is available in
anything older than that. (Though I'm fairly certain [but I won't swear to
it] that the reference I found from Darren about interface lists might have
pre-dated this version.)
I offer this so there is a specific citation in the mailing list
archive to "address lists," in case anyone else might find the feature
useful. The information might also be a useful addition to the FAQ, where
address pools can slso be discussed when you're dealing with "large" sets
of addresses (and when you need _some_ negated addresses), and address lists
can be used for a small set of addresses, all of which you want to handle in
the same way.
Regards,
Mike