replacement for nested tables?

Tobias Ernst tobi at casino.uni-stuttgart.de
Tue Sep 4 12:18:30 PDT 2007


Hi!

I am setting up a bridging firewall on FreeBSD 6.2 that has, among
others, three interfaces: one for the internal LAN and two demilitarized
zones sharing the same subnet.

Now I want to have a convenient way to refer to any machine that is not
in one of the demilitarized zones. Here is my first shot:

# DMZ #1
DMZ1 = "192.168.1.3, 192.168.1.4"
table <dmz1_table> { $DMZ1 }

# DMZ #2
DMZ2 = "192.168.1.5, 192.168.1.6"
table <dmz2_table> { $DMZ2 }

# The internal lan
table <int_table> { 192.168.1.0/24, !<dmz1_table>, !<dmz2_table> }

This fails because nested tables are not supported. Sort of makes sense.
My next shot was

table <int_table> { 192.168.1.0/24, !$DMZ1, !$DMZ2 }

but this gives the wrong result because the "!" operator is only applied
to the first element in "DMZ1".

Is there any way to populate <int_table> with all IP addresses that are
/not/ in DMZ1 or DMZ2 without having to explicitly repeat the addresses
of the machines in each DMZ?

I would prefer not to have any redundant "points of editing" in my pf.conf.

TIA
Tobias
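As an added example, not part of the original post: since pf expands macros textually (so "!$DMZ1" negates only the first address) and does not allow one table inside another, one way to keep a single point of editing is to hold the DMZ host lists in a shell script and generate the <int_table> entries from them, with the LAN prefix first and a negated entry for every DMZ host. The generated lines can be loaded from a file with `table <int_table> file "..."` in pf.conf, or pushed into a running ruleset with `pfctl -t int_table -T replace -f`; the file path and that pfctl invocation are assumptions for illustration, and the host lists are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. The DMZ host lists are
# written exactly once, here; everything else is derived from them.
LAN="192.168.1.0/24"
DMZ1="192.168.1.3 192.168.1.4"
DMZ2="192.168.1.5 192.168.1.6"

# Emit one table entry per line: the LAN prefix, then "!host" for each
# DMZ host. pf matches the most specific entry, so a /32 negation wins
# over the /24 and the DMZ hosts fall out of <int_table>.
# $1 = LAN prefix, remaining args = DMZ hosts.
gen_int_table() {
    lan=$1; shift
    echo "$lan"
    for host in "$@"; do
        echo "!$host"
    done
}

# Same content rendered as an inline pf.conf table definition, for
# people who would rather paste it than load it from a file.
gen_int_table_inline() {
    lan=$1; shift
    out="table <int_table> { $lan"
    for host in "$@"; do
        out="$out, !$host"
    done
    echo "$out }"
}

# Write the table file that pf.conf refers to with
#   table <int_table> file "/etc/pf/int_table"
# (path assumed for illustration). $1 = output path, rest as above.
write_int_table() {
    path=$1; shift
    gen_int_table "$@" > "$path"
}

# $DMZ1 and $DMZ2 are deliberately unquoted so each address becomes
# its own argument.
gen_int_table "$LAN" $DMZ1 $DMZ2
gen_int_table_inline "$LAN" $DMZ1 $DMZ2
```

After editing the host lists, rerunning the script and then `pfctl -t int_table -T replace -f /etc/pf/int_table` (assumed invocation) refreshes the table without a full ruleset reload. If the tables are only ever used in rules, the other option that avoids the redundancy is to keep <dmz1_table> and <dmz2_table> as they are and negate them at the rule level, e.g. `from 192.168.1.0/24 to ! <dmz1_table>`, rather than trying to build the complement as a table.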
