[pf4freebsd] Re: Whitelist IPs via pf 1.61

Max Laier max at love2party.net
Wed Sep 15 20:45:35 PDT 2004


This can be done in various ways; the most powerful and yet easy way is to
use a table:

>>> pf.conf <<<
table <surfers> persist file "/etc/port80.allow"

# block here

pass out on $ext_if from <surfers> to any port 80
>>> pf.conf <<<

This will read all the entries in /etc/port80.allow into the table as you load
the ruleset. You can add hosts or subnets temporarily by issuing:
# pfctl -t surfers -T add 65.192.5.1        or
# pfctl -t surfers -T add 66.192.5.0/24
You can even add negated entries, if you want to allow a whole subnet except
one or two hosts:
# pfctl -t surfers -T add 65.192.6.0/24
# pfctl -t surfers -T add !65.192.6.13
will allow all hosts from 65.192.6.0/24 but disallow 65.192.6.13.
The contents of the table can be viewed by:
# pfctl -t surfers -T show

More information at:
pfctl(8)
http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8&manpath=OpenBSD+3.3
pf.conf(5)
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+3.3
And the pf-faq:
http://www.openbsd.org/faq/pf/tables.html

> Hello.  This is my first time posting to this mailing list, but it looks
> like I would probably get some good ideas/answers here.  Anyway, I have
> a specific subnet (65.192.x.x) blocked from accessing port 80, but I
> want to "whitelist" (if that is the proper term) and have it be able to
> access port 80.  So basically, I want the whole subnet blocked still,
> except if I can whitelist one IP to allow traffic to/from port 80 from
> it.  Is this possible?  I'm running pf 1.61 and FreeBSD 5.1-CURRENT
> (last rebuilt world on Aug. 15, 2003).
>
> Thanks
>
>
>
>
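[Added example, not part of Max's reply.] The reply relies on two pf behaviours that are easy to get wrong: a table lookup is decided by the most specific (longest-prefix) entry, so a negated host entry only carves a hole out of a broader positive entry, and the pass rule has to come after the block rule because without "quick" the last matching rule wins. The Python below models both so the allow list can be checked without a pf box at hand. The table name "surfers", the file name /etc/port80.allow and the addresses come from the reply; the file contents and the exact block rule (the reply only says "# block here") are constructed assumptions. This is not pf's own code, only a model of its documented lookup semantics.

```python
#!/usr/bin/env python3
"""Model pf table lookups (longest-prefix match, '!' negation) for the
port-80 allow list discussed in the thread. Added example; the sample
allow file below is constructed, not taken from a real host."""

import ipaddress

TABLE = "surfers"                  # table name from the reply
ALLOW_PATH = "/etc/port80.allow"   # file name from the reply

# Constructed contents of /etc/port80.allow. pfctl(8) table files take one
# address or CIDR per line, '#' starts a comment, a leading '!' negates.
ALLOW_FILE_TEXT = """\
# hosts/subnets allowed to reach port 80
65.192.5.1
66.192.5.0/24
65.192.6.0/24
!65.192.6.13        # carve one host out of the /24
"""


def parse_table_file(text):
    """Parse table-file syntax into a list of (network, negated) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        negated = line.startswith("!")
        net = ipaddress.ip_network(line.lstrip("!"), strict=False)
        entries.append((net, negated))
    return entries


def table_match(entries, addr):
    """Decide whether addr is in the table the way pf does: the most
    specific entry containing addr wins; if that entry is negated the
    address is NOT in the table. An address matched by nothing is not in
    the table either."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in entries:
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    return best is not None and not best[1]


def port80_allowed(entries, src, dport):
    """Outcome of the two-rule snippet from the reply for a TCP packet from
    src to dport: the block rule matches the whole subnet, the later pass
    rule matches table hits to port 80 and, being last, wins."""
    blocked = ipaddress.ip_address(src) in ipaddress.ip_network("65.192.0.0/16")
    if not blocked:
        return True      # outside the blocked subnet, not this rule's concern
    return dport == 80 and table_match(entries, src)


def pfctl_add_commands(table, entries):
    """Equivalent 'pfctl -t TABLE -T add' lines for a runtime change."""
    cmds = []
    for net, negated in entries:
        if net.prefixlen == net.max_prefixlen:
            spec = str(net.network_address)   # single host, no /32 needed
        else:
            spec = net.with_prefixlen
        cmds.append(f"pfctl -t {table} -T add {'!' if negated else ''}{spec}")
    return cmds


def pf_conf_snippet(table, path, ext_if="$ext_if"):
    """The reply's ruleset with the '# block here' placeholder filled in by
    an assumed block rule for the questioner's 65.192.x.x subnet."""
    return "\n".join([
        f'table <{table}> persist file "{path}"',
        "",
        f"block out on {ext_if} proto tcp from 65.192.0.0/16 to any port 80",
        f"pass out on {ext_if} proto tcp from <{table}> to any port 80",
    ])


if __name__ == "__main__":
    entries = parse_table_file(ALLOW_FILE_TEXT)
    print(pf_conf_snippet(TABLE, ALLOW_PATH))
    print()
    print("\n".join(pfctl_add_commands(TABLE, entries)))
    for src in ("65.192.5.1", "65.192.6.1", "65.192.6.13", "65.192.9.9"):
        print(f"{src:>12} -> port 80 {'pass' if port80_allowed(entries, src, 80) else 'block'}")
```

Two practical notes: entries added with "pfctl -T add" live only in the kernel table, and a ruleset reload redefines the table from pf.conf and its file, so anything that should survive a reload belongs in /etc/port80.allow; and if the block rule carries "quick", the later pass rule is never consulted and the table has no effect.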
