Date:      Thu, 24 Aug 2006 18:51:07 +0200
From:      Michal Mertl <mime@traveller.cz>
To:        beno <zope@2012.vi>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Last Two Questions (I Think...)
Message-ID:  <1156438267.1107.46.camel@genius.i.cz>
In-Reply-To: <44EDB200.5020006@2012.vi>
References:  <44EDB200.5020006@2012.vi>

beno wrote:
> Thank you very much for all your help!
> 
> Here is the first problem. It's a continuation of a problem we "fixed" 
> earlier (nor did I change anything after we got it working the first time):
> 
> shinjiru_ip_addresses="202.71.102.114 202.71.100.126 202.71.106.30 
> 202.71.106.118 202.71.106.188 203.142.1.8"
> directv_ip_addresses="{ 69.19.0.0/17 }"
> shadday_ip_addresses="{ 200.88.64/23 200.88.66/23 200.88.80/20 
> 200.88.96/20 200.88.112/22 200.88.118/23 200.88.120/21 }"
> ssh_ip_addresses= $shinjiru_ip_addresses $directv_ip_addresses 
> $shadday_ip_addresses

You are again combining lists and that is not supported, but you also
have really found a problem/bug. It seems you can't combine strings
containing "/" (a="big fat", b="dog", c=$a $b works but when you have
"/" in the strings (as in network definitions) it does not). My
conclusion is that you cannot nest even the macros with networks. 

Did you think about using tables? You wouldn't be able to fill them in
steps from pf.conf either but they are easier to manage than lists.

> The parser won't parse the last line. It won't let me include either of 
> the last two macros. This happened before I added the addresses to the 
> latter (shadday) but is compounded by the same.
> 
> The second problem has to do with logs. For example, this works:
> 
> pass in quick inet proto tcp from any to $web_server port { $tcp_ports } 
> flags S/SA keep state \
>     (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> 
> flush global)
> 
> 
> but this does not work:
> 
> pass in quick log (all) inet proto tcp from any to $web_server port { 
> $tcp_ports } flags S/SA keep state \
>     (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> 
> flush global)

log (all) -> log-all


> How do I turn on logging? Also, can someone give me good pointers as to 
> what I should log? Being inexperienced, I'm apt to log everything in site :/
>
> TIA,
> beno
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> 
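Putting the advice above into one pf.conf fragment, as an added illustration that is not part of the thread: the three nested macros become a single table, the ssh rule matches on that table, and the web rule keeps the thread's rate limit with logging spelled `log-all`. The macro and table names, the `web_server` address and the port list are placeholders, and the networks from the quoted message are written in full four-octet form so pf parses them unambiguously.

```conf
# Added example, not from the thread. Hypothetical names and placeholder values.
web_server="192.0.2.10"        # placeholder, not an address from the thread
tcp_ports="80 443"             # placeholder port list used as { $tcp_ports }

# One table holds what the three macros tried to combine (CIDR prefixes and
# single hosts may be mixed freely in a table, unlike in nested macros).
table <ssh_allowed> persist { \
    202.71.102.114 202.71.100.126 202.71.106.30 \
    202.71.106.118 202.71.106.188 203.142.1.8 \
    69.19.0.0/17 \
    200.88.64.0/23 200.88.66.0/23 200.88.80.0/20 200.88.96.0/20 \
    200.88.112.0/22 200.88.120.0/21 }
table <bruteforce> persist

# Sources outside the table are logged and dropped; listed ones get stateful ssh.
block in log quick inet proto tcp from ! <ssh_allowed> to $web_server port 22
pass in quick inet proto tcp from <ssh_allowed> to $web_server port 22 \
    flags S/SA keep state

# The web rule from the thread with logging enabled the way this pf accepts it.
pass in quick log-all inet proto tcp from any to $web_server port { $tcp_ports } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
block in log quick from <bruteforce>

# Maintenance without a reload (shell, not pf.conf syntax):
#   pfctl -t ssh_allowed -T add 198.51.100.7     # constructed placeholder address
#   pfctl -t ssh_allowed -T show
#   pfctl -t bruteforce -T expire 3600
```

Check the fragment with `pfctl -nf /path/to/pf.conf` before loading it; note that pf releases imported into FreeBSD after this thread write the logging option as `log (all)` rather than `log-all`.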