Date: Sun, 28 Jan 2007 14:58:55 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: FreeBSD Questions <questions@freebsd.org>
Subject: Negation in tables for packet filter
Message-ID: <45BCAC1F.80701@locolomo.org>
Hi:
I want to create two tables in my packet filter. The first should match
any valid public IP, so I created a table negating anything reserved:
table <internet> const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
!192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
So with the above I should be able to correctly NAT anything going to
the internet and the rest should not be NAT'ed - either it is locally
routable or should be blocked.
nat on $dsn_if from { <super> <users> <free> } \
to <internet> -> ($dsn_if)
This doesn't work as expected, instead I have to remove all negations in
the table and create a non-internet table and negate that in the nat
rule. Shouldn't they work equivalently? (I also want to use the
<internet> table in my filter rules, so I like to define a table).
The second should match unknown local hosts. I have three tables with
different registered hosts with different access levels, and I want to
redirect unknown hosts to a page explaining what to do to get registered:
rdr on $wlan_if proto tcp from { $wlan_net !<super> !<users> !<free> } \
to <internet> port http -> 127.0.0.1 port 8000
This doesn't work either: the table is expanded to four rdr rules, and
they are applied before the nat - even if I place it after in the
ruleset - so I can't just remove the !<table> and have the rdr catch
all that is not NAT'ed in the previous nat rule.
So, how do I create my nat rules so they work as expected - or rather,
so they work as I want?
Thanks, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
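As an added illustration (not from the original post or from pf itself), a Python model of pf's documented table lookup: the longest matching prefix decides, and a negated entry means the address is not in the table, so a table made only of negated entries has nothing to subtract from and matches nothing. The second table, which puts the same negations under an explicit 0.0.0.0/0 base entry, is an assumed alternative form for comparison, not something the post states.

```python
import ipaddress

# The reserved ranges from the post's <internet> table, written out in
# full because the ipaddress module does not accept pf shorthand like 10/8.
RESERVED = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
            "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
            "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4"]

def parse_table(entries):
    """Parse pf-style entries ('!10.0.0.0/8' is negated) into (network, negated)."""
    table = []
    for entry in entries:
        negated = entry.startswith("!")
        table.append((ipaddress.ip_network(entry.lstrip("!")), negated))
    return table

def table_matches(table, addr):
    """Model of pf's lookup (assumed semantics): the most specific entry
    containing addr wins; a negated winner or no entry at all means
    'not in table'."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]

# Table exactly as in the post: only negated entries, no base to subtract from.
AS_POSTED = parse_table(["!" + n for n in RESERVED])
# Constructed alternative: an explicit "everything" entry with the same
# negations carving out the reserved ranges.
WITH_BASE = parse_table(["0.0.0.0/0"] + ["!" + n for n in RESERVED])

def classify(addr):
    """Return whether addr is 'in <internet>' under each table model."""
    return {"as_posted": table_matches(AS_POSTED, addr),
            "with_base": table_matches(WITH_BASE, addr)}

if __name__ == "__main__":
    # Constructed sample addresses: one public, one RFC 1918, one TEST-NET-1.
    for a in ["8.8.8.8", "10.1.2.3", "192.0.2.5"]:
        print(a, classify(a))
```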