From: Matthew Grooms
Organization: Seton Healthcare Network
To: freebsd-pf@freebsd.org
Date: Wed, 13 Apr 2005 19:06:16 -0500
Message-ID: <425DB3F8.1070101@seton.org>
Subject: pf rule macro help ...
Hello all,

I am migrating a largish ruleset from Checkpoint to FreeBSD/pf and am having a problem trying to write some nested macros. The example from the pf website that nests macros seems to work fine ...

  host1 = "192.168.1.1"
  host2 = "192.168.1.2"
  all_hosts = "{" $host1 $host2 "}"

... but if I try to nest two macros that define networks ...

  net1 = "192.168.1.0/24"
  net2 = "192.168.2.0/24"
  all_nets = "{" $net1 "," $net2 "}"

... I always get a syntax error on the "all_nets =" line. What am I doing wrong here?

----- warning, wishful thinking below -----

Also, are there any plans to support nested tables, or is there some technical argument against it? Life would be so much easier when trying to organize large groups of networks and hosts, i.e. ...

  # Office one networks
  table { 10.1.1.0/24, 10.2.1.0/24, etc ... }

  # Office two networks
  table { 10.3.1.0/24, 10.4.1.0/24, etc ... }

  # all internal networks
  table { , }

  # anti spoof
  block drop in log quick on $ext_if from to any

Writing a small rule set is simple in pf.conf, but trying to write a larger script that is easy to read and self-documenting is kind of difficult. You have to write all comments before or after a multi-line table or macro because of the escape char, i.e. ...

  # mail servers 1 - 2
  # web servers 1 - 4
  # ftp servers 1 - 4
  etc ...
  table { \
    10.1.1.1, 10.1.1.2, \
    10.1.1.3, 10.1.1.4, 10.1.1.5, 10.1.1.6, \
    10.1.1.7, 10.1.1.8, 10.1.1.9, 10.1.1.10, \
    etc ... }

I know you can use DNS names and have pf resolve them at load time, which does make things a bit easier to read. But then you have to worry about losing connectivity with your DNS server when you need to reload rules.

IMHO, it would have been better if pfctl acted more like a C parser where you have a terminating char so that inline comments could be used and escapes would be unnecessary, i.e. ...

  table {
    10.1.1.1,  # mail1.blah.org
    10.1.1.2,  # mail2.blah.org
    10.1.1.3,  # web1.blah.org
    10.1.1.4,  # web2.blah.org
    10.1.1.5,  # web3.blah.org
    10.1.1.6,  # web4.blah.org
    10.1.1.7,  # ftp1.blah.org
    10.1.1.8,  # ftp2.blah.org
    10.1.1.9,  # ftp3.blah.org
    10.1.1.10, # ftp4.blah.org
    etc ... };

  # make sure I can manage my dmz hosts
  pass quick proto tcp from $admin to port ssh;

-Matthew
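An added example (not from Matthew's post, nor from the pf project's own documentation) of how the two complaints above can be worked around with features pf.conf already has: a table loaded from a file, whose lines may each carry a trailing # comment, and a rule that lists several tables inside braces where a nested table would otherwise be wanted. The interface name, file paths, table names and the admin network are assumed values.

```conf
# --- /etc/pf/office1.addrs (assumed path; one entry per line, text after
# --- '#' is ignored, so every address is annotated where it is listed)
# 10.1.1.1       # mail1.blah.org
# 10.1.1.2       # mail2.blah.org
# 10.1.1.3       # web1.blah.org
# 10.2.1.0/24    # office one workstation LAN

# --- /etc/pf/office2.addrs (assumed path, same format)
# 10.3.1.0/24    # office two server LAN
# 10.4.1.0/24    # office two workstation LAN

# --- /etc/pf.conf
ext_if = "em0"                       # assumed external interface

# Tables cannot be nested, but each group can live in its own file, so the
# per-office lists stay short and self-documenting. 'persist' keeps a table
# loaded even while no rule references it, so it can be managed with pfctl -T.
table <office1> persist file "/etc/pf/office1.addrs"
table <office2> persist file "/etc/pf/office2.addrs"

# RFC 1918 space must never arrive on the external interface; 'const'
# prevents the table from being changed at runtime.
table <private> const { 10/8, 172.16/12, 192.168/16 }

# Anti-spoof: where a nested "all internal networks" table would be used,
# list the member tables inside braces; pf expands this into one rule per
# table, and each hit is logged for later inspection with tcpdump on pflog0.
block drop in log quick on $ext_if from { <office1>, <office2>, <private> } to any

# DMZ management only from the admin network (assumed addresses).
admin = "10.20.160.0/24"
table <dmz> const { 10.1.1.1, 10.1.1.2, 10.1.1.3 }
pass in quick proto tcp from $admin to <dmz> port ssh flags S/SA keep state
```

The files are read when the ruleset is loaded, so a `pfctl -nf /etc/pf.conf` dry run catches a malformed address file before anything is applied.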