[pf4freebsd] Re: Whitelist IPs via pf 1.61

Mo mo at qubix.ca
Wed Sep 15 20:46:05 PDT 2004


Thanks very much for the assistance, I am just waiting for the guy to try it
out.  I e-mailed him and hopefully he will try it tomorrow morning and let
me know.  I really appreciate your enthusiasm and going above and beyond
when answering my question.

Thanks again


On Saturday, 16 August 2003 at 5:18:05 +0200, Max Laier wrote:
> Forgot to tell about the best part:
> This gives you per-table-entry accounting, meaning that:
> #pfctl -vt surfers -Tshow    #note the -v flag
> will give you detailed output about every entry's activity, so you can
> interfere if someone surfs too much.
> 
> > This can be done in various ways; the most powerful and yet easy way is
> > to use a table:
> >
> > >>> pf.conf <<<
> > table <surfers> persist file "/etc/port80.allow"
> >
> > # block here
> >
> > pass out on $ext_if from <surfers> to any port 80
> > >>> pf.conf <<<
> >
> > This will read all the entries in /etc/port80.allow to the table as you
> > load the ruleset. You can add hosts or subnets temporarily by issuing:
> > #pfctl -t surfers -Tadd 65.192.5.1        or
> > #pfctl -t surfers -Tadd 66.192.5.0/24
> > You can even add negated entries, if you want to allow a whole subnet but
> > one or two hosts:
> > #pfctl -t surfers -Tadd 65.192.6.0/24
> > #pfctl -t surfers -Tadd !65.192.6.13
> > will allow all hosts from 65.192.6.0/24 but disallow 65.192.6.13
> > The contents of the table can be viewed by:
> > #pfctl -t surfers -Tshow
> >
> > More information at:
> > pfctl(8)
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8&manpath=OpenBSD+3.3
> > pf.conf(5)
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+3.3
> > And the pf-faq:
> > http://www.openbsd.org/faq/pf/tables.html
> >
> > > Hello.  This is my first time posting to this mailing list, but it looks
> > > like I would probably get some good ideas/answers here.  Anyway, I have
> > > a specific subnet (65.192.x.x) blocked from accessing port 80, but I
> > > want to "whitelist" (if that is the proper term) and have it be able to
> > > access port 80.  So basically, I want the whole subnet blocked still,
> > > except if I can whitelist one IP to allow traffic to/from port 80 from
> > > it.  Is this possible?  I'm running pf 1.61 and FreeBSD 5.1-CURRENT
> > > (last rebuilt world on Aug. 15, 2003).
> > >
> > > Thanks
> 
> 
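As an added illustration that is not part of the thread, the following Python mimics how pf resolves a lookup against a table like the one above: the most specific (longest-prefix) matching entry decides, so a negated `!65.192.6.13` carves that one host out of the permitted 65.192.6.0/24. The sample file contents are constructed, not taken from anyone's real /etc/port80.allow.

```python
import ipaddress

# Constructed stand-in for /etc/port80.allow, using the same syntax as the
# thread's "pfctl -t surfers -Tadd" examples (optional '!' prefix negates).
PORT80_ALLOW = """\
# hosts and subnets allowed out on port 80 (constructed sample)
65.192.5.1
66.192.5.0/24
65.192.6.0/24
!65.192.6.13
"""


def parse_table(lines):
    """Parse table-file lines into (network, negated) tuples, skipping comments."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        negated = line.startswith("!")
        net = ipaddress.ip_network(line.lstrip("!"), strict=False)
        entries.append((net, negated))
    return entries


def table_match(entries, ip):
    """Return True if ip is in the table, following pf's rule that the
    longest matching prefix wins and a negated best match means 'not in table'."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, negated in entries:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    return best is not None and not best[1]


ENTRIES = parse_table(PORT80_ALLOW.splitlines())

if __name__ == "__main__":
    for ip in ("65.192.5.1", "65.192.5.2", "65.192.6.13", "65.192.6.14", "66.192.5.77"):
        verdict = "pass" if table_match(ENTRIES, ip) else "blocked"
        print(f"{ip:>14}  {verdict}")
```

Only the verdicts are simulated here; on the real firewall `pfctl -t surfers -Ttest 65.192.6.13` performs the same lookup against the live kernel table.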