Date: Sun, 28 Jan 2007 14:58:55 +0100 From: Erik Norgaard <norgaard@locolomo.org> To: FreeBSD Questions <questions@freebsd.org> Subject: Negation in tables for packet filter Message-ID: <45BCAC1F.80701@locolomo.org>
next in thread | raw e-mail | index | archive | help
This is a cryptographically signed message in MIME format.
--------------ms030505080105070707040407
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi:
I want to create two tables in my packet filter, the first should match
any valid public ip, so I created a table negating anything reserved:
table <internet> const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
!192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
So with the above I should be able to correctly NAT anything going to
the internet and the rest should not be NAT'ed - either it is locally
routable or should be blocked.
nat on $dsn_if from { <super> <users> <free> } \
to <internet> -> ($dsn_if)
This doesn't work as expected, instead I have to remove all negations in
the table and create a non-internet table and negate that in the nat
rule. Shouldn't they work equivalently? (I also want to use the
<internet> table in my filter rules, so I like to define a table).
The second should match unknown local hosts, I have three tables with
different registered hosts with different access levels, I want to
redirect unknown hosts to a page explaining what to do to get registered,
rdr on $wlan_if proto tcp from { $wlan_net !<super> !<users> !<free> } \
to <internet> port http -> 127.0.0.1 port 8000
This doesn't work either, the table is expanded to four rdr rules, and
they are applied before the nat - even if I place it after in the
ruleset, so I can't just remove the !<table> and have the rdr catch up
all that is not nat'ed in the previous nat-rule.
So, how do I create my nat rules so they work as expected - or that is,
that work as I want?
Thanks, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
--------------ms030505080105070707040407
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIK6DCC
BXAwggRYoAMCAQICBEVUK6IwDQYJKoZIhvcNAQEFBQAwMTELMAkGA1UEBhMCREsxDDAKBgNV
BAoTA1REQzEUMBIGA1UEAxMLVERDIE9DRVMgQ0EwHhcNMDYxMTE1MDgzMTU0WhcNMDgxMTE1
MDkwMTU0WjB1MQswCQYDVQQGEwJESzEpMCcGA1UEChMgSW5nZW4gb3JnYW5pc2F0b3Jpc2sg
dGlsa255dG5pbmcxOzAUBgNVBAMUDUVyaWsgTvhyZ2FhcmQwIwYDVQQFExxQSUQ6OTgwMi0y
MDAyLTItNTQ0MzY5NzY5MzE1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1/K6+GVcF
UvoWJpyfhzWbu8qEOB8jU17A0dpmts7RT+ODkYq0lxJCcvvdSXNQQurvYwaPISA+EMRy+rIm
rjhoyxhsM9w/XC7gELqkr1XbGt3wR0KLr5ZcRfD4HqrWM1Eh1OYxTXKod6Ox/FAqzDAy91x8
XCZzsHtiBCdgMSYxqwIDAQABo4ICzjCCAsowDgYDVR0PAQH/BAQDAgP4MCsGA1UdEAQkMCKA
DzIwMDYxMTE1MDgzMTU0WoEPMjAwODExMTUwOTAxNTRaMIIBNwYDVR0gBIIBLjCCASowggEm
BgoqgVCBKQEBAQEDMIIBFjAvBggrBgEFBQcCARYjaHR0cDovL3d3dy5jZXJ0aWZpa2F0LmRr
L3JlcG9zaXRvcnkwgeIGCCsGAQUFBwICMIHVMAoWA1REQzADAgEBGoHGRm9yIGFudmVuZGVs
c2UgYWYgY2VydGlmaWthdGV0IGfmbGRlciBPQ0VTIHZpbGvlciwgQ1BTIG9nIE9DRVMgQ1As
IGRlciBrYW4gaGVudGVzIGZyYSB3d3cuY2VydGlmaWthdC5kay9yZXBvc2l0b3J5LiBCZW3m
cmssIGF0IFREQyBlZnRlciB2aWxr5XJlbmUgaGFyIGV0IGJlZ3LmbnNldCBhbnN2YXIgaWZ0
LiBwcm9mZXNzaW9uZWxsZSBwYXJ0ZXIuMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAYYl
aHR0cDovL29jc3AuY2VydGlmaWthdC5kay9vY3NwL3N0YXR1czAgBgNVHREEGTAXgRVub3Jn
YWFyZEBsb2NvbG9tby5vcmcwgYQGA1UdHwR9MHswS6BJoEekRTBDMQswCQYDVQQGEwJESzEM
MAoGA1UEChMDVERDMRQwEgYDVQQDEwtUREMgT0NFUyBDQTEQMA4GA1UEAxMHQ1JMMTU1NzAs
oCqgKIYmaHR0cDovL2NybC5vY2VzLmNlcnRpZmlrYXQuZGsvb2Nlcy5jcmwwHwYDVR0jBBgw
FoAUYLWF7FZkfhIZJ2cdUBVLc647+RIwHQYDVR0OBBYEFPd+a0ceJ9JmK934UXsB3G0mjv+f
MAkGA1UdEwQCMAAwGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCA6gwDQYJKoZIhvcNAQEFBQAD
ggEBAE9KhX+l/ZcnhvGPhHyWnJspyCXSiuqZ+GlgMdcKXtlu8kXsqNzfDe9qSs93++zJS+HT
vAW0QgyIxjY1VpgCqgyjU8e2d2D1eSRMDB09WViZk8oZkvOy0Mq3yy//CLSw3gQbXNZF+Yt+
htss+FD+idACVyRBQqlcHuaxjguyzZkK0fGBN5H5nsklDySQCU7X0i3egeIiL7zlV3cjp9KT
12tNG4jfQTaSUzBkz0R+x+Jcdyp6AI9Qg3H1iGDDI58aCTY5ohQBpDsUcLr6U842IACNCeub
qDP6nDo5lnMEXwGH/RO8r4supCf5wrNRjqEX/vokUzB5QfDGtmxxZkycaaQwggVwMIIEWKAD
AgECAgRFVCuiMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNVBAYTAkRLMQwwCgYDVQQKEwNUREMx
FDASBgNVBAMTC1REQyBPQ0VTIENBMB4XDTA2MTExNTA4MzE1NFoXDTA4MTExNTA5MDE1NFow
dTELMAkGA1UEBhMCREsxKTAnBgNVBAoTIEluZ2VuIG9yZ2FuaXNhdG9yaXNrIHRpbGtueXRu
aW5nMTswFAYDVQQDFA1FcmlrIE74cmdhYXJkMCMGA1UEBRMcUElEOjk4MDItMjAwMi0yLTU0
NDM2OTc2OTMxNTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtfyuvhlXBVL6Fiacn4c1
m7vKhDgfI1NewNHaZrbO0U/jg5GKtJcSQnL73UlzUELq72MGjyEgPhDEcvqyJq44aMsYbDPc
P1wu4BC6pK9V2xrd8EdCi6+WXEXw+B6q1jNRIdTmMU1yqHejsfxQKswwMvdcfFwmc7B7YgQn
YDEmMasCAwEAAaOCAs4wggLKMA4GA1UdDwEB/wQEAwID+DArBgNVHRAEJDAigA8yMDA2MTEx
NTA4MzE1NFqBDzIwMDgxMTE1MDkwMTU0WjCCATcGA1UdIASCAS4wggEqMIIBJgYKKoFQgSkB
AQEBAzCCARYwLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuY2VydGlmaWthdC5kay9yZXBvc2l0
b3J5MIHiBggrBgEFBQcCAjCB1TAKFgNUREMwAwIBARqBxkZvciBhbnZlbmRlbHNlIGFmIGNl
cnRpZmlrYXRldCBn5mxkZXIgT0NFUyB2aWxr5XIsIENQUyBvZyBPQ0VTIENQLCBkZXIga2Fu
IGhlbnRlcyBmcmEgd3d3LmNlcnRpZmlrYXQuZGsvcmVwb3NpdG9yeS4gQmVt5nJrLCBhdCBU
REMgZWZ0ZXIgdmlsa+VyZW5lIGhhciBldCBiZWdy5m5zZXQgYW5zdmFyIGlmdC4gcHJvZmVz
c2lvbmVsbGUgcGFydGVyLjBBBggrBgEFBQcBAQQ1MDMwMQYIKwYBBQUHMAGGJWh0dHA6Ly9v
Y3NwLmNlcnRpZmlrYXQuZGsvb2NzcC9zdGF0dXMwIAYDVR0RBBkwF4EVbm9yZ2FhcmRAbG9j
b2xvbW8ub3JnMIGEBgNVHR8EfTB7MEugSaBHpEUwQzELMAkGA1UEBhMCREsxDDAKBgNVBAoT
A1REQzEUMBIGA1UEAxMLVERDIE9DRVMgQ0ExEDAOBgNVBAMTB0NSTDE1NTcwLKAqoCiGJmh0
dHA6Ly9jcmwub2Nlcy5jZXJ0aWZpa2F0LmRrL29jZXMuY3JsMB8GA1UdIwQYMBaAFGC1hexW
ZH4SGSdnHVAVS3OuO/kSMB0GA1UdDgQWBBT3fmtHHifSZivd+FF7AdxtJo7/nzAJBgNVHRME
AjAAMBkGCSqGSIb2fQdBAAQMMAobBFY3LjEDAgOoMA0GCSqGSIb3DQEBBQUAA4IBAQBPSoV/
pf2XJ4bxj4R8lpybKcgl0orqmfhpYDHXCl7ZbvJF7Kjc3w3vakrPd/vsyUvh07wFtEIMiMY2
NVaYAqoMo1PHtndg9XkkTAwdPVlYmZPKGZLzstDKt8sv/wi0sN4EG1zWRfmLfobbLPhQ/onQ
AlckQUKpXB7msY4Lss2ZCtHxgTeR+Z7JJQ8kkAlO19It3oHiIi+85Vd3I6fSk9drTRuI30E2
klMwZM9EfsfiXHcqegCPUINx9YhgwyOfGgk2OaIUAaQ7FHC6+lPONiAAjQnrm6gz+pw6OZZz
BF8Bh/0TvK+LLqQn+cKzUY6hF/76JFMweUHwxrZscWZMnGmkMYICKjCCAiYCAQEwOTAxMQsw
CQYDVQQGEwJESzEMMAoGA1UEChMDVERDMRQwEgYDVQQDEwtUREMgT0NFUyBDQQIERVQrojAJ
BgUrDgMCGgUAoIIBRzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP
Fw0wNzAxMjgxMzU4NTVaMCMGCSqGSIb3DQEJBDEWBBScrTr+H3CRCqgHbuI824F7JmqRczBI
BgkrBgEEAYI3EAQxOzA5MDExCzAJBgNVBAYTAkRLMQwwCgYDVQQKEwNUREMxFDASBgNVBAMT
C1REQyBPQ0VTIENBAgRFVCuiMEoGCyqGSIb3DQEJEAILMTugOTAxMQswCQYDVQQGEwJESzEM
MAoGA1UEChMDVERDMRQwEgYDVQQDEwtUREMgT0NFUyBDQQIERVQrojBSBgkqhkiG9w0BCQ8x
RTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMC
BzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASBgE5KpOgwMG7idFtefx9wxIdmLhIl
m5tQ/s6/UiTzD7WRggtuhgivt8Wo6KTJ8m99Kn34uJb9vvok3PXdbxY4fmCU2KiKAkn3OSJz
qrfKLVAnHNUcG5RW4LbJdRdsv5R4rzev6f/cvyWK6TsPs5YAkpoJALeSbIp8p+DKvgPl2UMl
AAAAAAAA
--------------ms030505080105070707040407--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45BCAC1F.80701>