Negation in tables for packet filter
Erik Norgaard
norgaard at locolomo.org
Sun Jan 28 13:58:58 UTC 2007
Hi:
I want to create two tables in my packet filter, the first should match
any valid public ip, so I created a table negating anything reserved:
table <internet> const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
!192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
So with the above I should be able to correctly NAT anything going to
the internet and the rest should not be NAT'ed - either it is locally
routable or should be blocked.
nat on $dsn_if from { <super> <users> <free> } \
to <internet> -> ($dsn_if)
This doesn't work as expected, instead I have to remove all negations in
the table and create a non-internet table and negate that in the nat
rule. Shouldn't they work equivalently? (I also want to use the
<internet> table in my filter rules, so I'd like to define a table.)
The second should match unknown local hosts. I have three tables with
different registered hosts with different access levels, and I want to
redirect unknown hosts to a page explaining what to do to get registered:
rdr on $wlan_if proto tcp from { $wlan_net !<super> !<users> !<free> } \
to <internet> port http -> 127.0.0.1 port 8000
This doesn't work either, the table is expanded to four rdr rules, and
they are applied before the nat - even if I place it after in the
ruleset, so I can't just remove the !<table> and have the rdr catch up
all that is not nat'ed in the previous nat-rule.
So, how do I create my nat rules so they work as expected - or rather,
so that they work as I want?
Thanks, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
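Added example (not part of Erik's post and not pf's own code): a small Python model of pf's table lookup, to show why a table made only of negated entries never matches anything. The model assumes the lookup semantics documented in pf.conf(5): the most specific matching entry decides, and a negated entry excludes the address. With only `!` entries, every address either hits a negated entry or no entry at all, so `<internet>` as posted never matches and the nat rule never fires. Adding a positive catch-all entry `0/0` ahead of the negations (an assumed fix, checked here only in the model) gives them something to carve out of. The `parse_table`, `table_matches` and `check` helpers are constructed for this example.

```python
import ipaddress

def parse_table(entries):
    """Parse pf-style table entries such as '!10/8' or '0/0' into (network, negated) pairs."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        text = entry.lstrip("!")
        # pf accepts shorthand like 10/8 or 169.254/16; pad the missing octets
        addr, sep, plen = text.partition("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        net = ipaddress.ip_network(".".join(octets) + (sep + plen if sep else ""), strict=False)
        parsed.append((net, negated))
    return parsed

def table_matches(table, address):
    """Most-specific (longest-prefix) entry decides; a negated entry means no match."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]

# Reserved blocks exactly as listed in the posted <internet> table
RESERVED = ["!0/8", "!10/8", "!127/8", "!169.254/16", "!172.16/12",
            "!192.0.2/24", "!192.168/16", "!198.18/15", "!224/4", "!240/4"]

# The posted table: negations only, no positive entry to fall back on
NEGATED_ONLY = parse_table(RESERVED)

# Assumed fix: a positive catch-all, with the reserved blocks excluded from it
INTERNET = parse_table(["0/0"] + RESERVED)

def check(table, addrs):
    """Return {address: matched?} for a list of constructed sample addresses."""
    return {a: table_matches(table, a) for a in addrs}

if __name__ == "__main__":
    samples = ["8.8.8.8", "10.1.2.3", "192.168.1.1", "198.19.0.1", "198.20.0.1", "224.0.0.1"]
    print("negations only:", check(NEGATED_ONLY, samples))  # everything False
    print("with 0/0      :", check(INTERNET, samples))      # only public addresses True
```

The same reasoning applies to the `!<super> !<users> !<free>` list in the rdr rule: each `!<table>` becomes its own rdr rule, and a host that is in none of the tables is matched by the first of them, so the expanded rules do not compose into "in none of the three tables".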