
Re: Address lists (resolved)


Michael T. Davis

Dec 12, 2011, 11:09:43 AM12/12/11
At 12:58:55.78 on 11-DEC-2011 in message
<12860_1323626211_4EE4EEE2_12860_12005_1_01O9GHDY7NQQ94CX04@ecr6.ohio-state.edu>, I wrote:

> I have IPFilter v4.1.29 running under NetBSD 5.1 (release). From
>looking at ipf_y.y, I _think_ ipf.conf supports address lists, e.g...
>
> block in quick on fxp0 from any to ( .../22, .../24 ) port = ...
>
>As ipf.conf is read/processed, this would presumably be treated as...
>
> block in quick on fxp0 from any to .../22 port = ...
> block in quick on fxp0 from any to .../24 port = ...
>
>I have searched the FAQ, the mailing list archive at marc.info and the man
>pages, but I can't find anything that documents this (aside from the source,
>if I'm parsing it correctly). Is the above synopsis essentially correct, or
>are pools the only way to implement this functionality? I'd like to avoid
>pools, if necessary, since I only have a couple address ranges to worry
>about (actually as cited in the example), and the booting process for NetBSD
>does not yet properly support loading pools at boot time. (I hope this will
>be corrected in a future NetBSD release.)
>[...]

I never found a reference in the mailing list archive that documents
using address lists, but there was a reference from Darren about the ability
to list interfaces "just like addresses" (or words to that effect), along
with an example that looked something like...

block in quick on (xl0 xl1)...

So, among others, I now have a "macro" in ipf.conf that handles our subnets:

OURNETS = "( .../22, .../24 )";

So references to $OURNETS now work as desired, and allow me to consolidate
the rules that cited the subnets separately. I can, of course, deal with
the address list directly:

block in quick on fxp0 from any to ( .../22, .../24 ) ...

The source where I found the code in ipf_y.y dealing with address
lists was from v4.1.15, so I can't say for sure whether this is available in
anything older than that. (Though I'm fairly certain [but I won't swear to
it] that the reference I found from Darren about interface lists might have
pre-dated this version.)

I offer this so there is a specific citation in the mailing list
archive to "address lists," in case anyone else might find the feature
useful. The information might also be a useful addition to the FAQ, where
address pools can also be discussed when you're dealing with "large" sets
of addresses (and when you need _some_ negated addresses), and address lists
can be used for a small set of addresses, all of which you want to handle in
the same way.

Regards,
Mike

Joseph Tam

Dec 12, 2011, 10:27:02 PM12/12/11
On Mon, 12 Dec 2011, Michael T. Davis wrote:

> The source where I found the code in ipf_y.y dealing with address
> lists was from v4.1.15, so I can't say for sure whether this is available in
> anything older than that. (Though I'm fairly certain [but I won't swear to
> it] that the reference I found from Darren about interface lists might have
> pre-dated this version.)

Thanks for the tip. I found it useful to clean up our rule file.
I can confirm that it works with the IPF distributed by Solaris10:

# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9

The output of ipfstat suggests this is just a macro expansion: it results
in separate distinct rules.

Joseph Tam <t...@math.ubc.ca>
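A small expander, added here as an illustration and not part of the thread or of IPFilter itself, that mimics the macro-plus-address-list expansion the two posts describe (one rule per list member, as Joseph saw in ipfstat); it also splits the whitespace-separated interface-list form Michael recalls from Darren's example. The config fragment and its addresses are constructed for the example; ipf's own parser (ipf_y.y) remains the authority on the real syntax.

```python
import re

# Constructed sample ipf.conf fragment (not from the thread, whose subnets
# are elided; private and RFC 5737 documentation ranges stand in here).
SAMPLE_CONF = """\
OURNETS = "( 10.0.0.0/22, 192.0.2.0/24 )";
block in quick on fxp0 from any to $OURNETS port = 25
pass in quick on fxp0 from any to 192.0.2.10 port = 80
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;\s*$')
LIST_RE = re.compile(r'\(\s*([^()]*?)\s*\)')


def expand_lists(rule):
    """Split the first ( a, b ... ) group in a rule into one rule per member,
    then recurse so nested or multiple lists are all flattened.
    Members may be comma- or whitespace-separated (addresses or interfaces)."""
    m = LIST_RE.search(rule)
    if not m:
        return [rule]
    members = [x for x in re.split(r'[\s,]+', m.group(1)) if x]
    out = []
    for member in members:
        out.extend(expand_lists(rule[:m.start()] + member + rule[m.end():]))
    return out


def expand_conf(text):
    """Collect NAME = "..."; macros, substitute $NAME references in later
    rules, and expand address/interface lists into separate distinct rules,
    mirroring the behaviour the thread reports seeing in ipfstat output."""
    macros = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # substitute longer names first so $OURNETS2 is not clobbered by $OURNETS
        for name in sorted(macros, key=len, reverse=True):
            line = line.replace('$' + name, macros[name])
        rules.extend(expand_lists(line))
    return rules


if __name__ == "__main__":
    for r in expand_conf(SAMPLE_CONF):
        print(r)
```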
