Date:      Thu, 16 Sep 2004 03:45:40 -0000
From:      "Max Laier" <max@love2party.net>
To:        <pf4freebsd@freelists.org>
Subject:   [pf4freebsd] Re: Whitelist IPs via pf 1.61
Message-ID:  <000901c363a5$02752090$01000001@max900>
References:  <3F3D9534.6080802@qubix.ca> <002201c363a3$5d01e450$01000001@max900>

Forgot to tell about the best part:
This gives you per-table-entry accounting, meaning that:
#pfctl -vt surfers -Tshow    #note the -v flag
will give you detailed output about every entry's activities, so you can
interfere if someone surfs too much.

> This can be done in various ways, the most powerful and yet easy way is to
> use a table:
>
> >>> pf.conf <<<
> table <surfers> persist file "/etc/port80.allow"
>
> # block here
>
> pass out on $ext_if proto tcp from <surfers> to any port 80
> >>> pf.conf <<<
>
> This will read all the entries in /etc/port80.allow to the table as you load
> the ruleset. You can add hosts or subnets temporarily by issuing:
> #pfctl -t surfers -Tadd 65.192.5.1        or
> #pfctl -t surfers -Tadd 66.192.5.0/24
> You can even add negated entries, if you want to allow a whole subnet but
> one or two hosts:
> #pfctl -t surfers -Tadd 65.192.6.0/24
> #pfctl -t surfers -Tadd !65.192.6.13
> will allow all hosts from 65.192.6.0/24 but disallow 65.192.6.13
> The contents of the table can be viewed by:
> #pfctl -t surfers -Tshow
>
> More information at:
> pfctl(8)
> http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8&manpath=OpenBSD+3.3
> pf.conf(5)
> http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+3.3
> And the pf-faq:
> http://www.openbsd.org/faq/pf/tables.html
>
>
> > Hello.  This is my first time posting to this mailing list, but it looks
> > like I would probably get some good ideas/answers here.  Anyway, I have
> > a specific subnet (65.192.x.x) blocked from accessing port 80, but I
> > want to "whitelist" (if that is the proper term) and have it be able to
> > access port 80.  So basically, I want the whole subnet blocked still,
> > except if I can whitelist one IP to allow traffic to/from port 80 from
> > it.  Is this possible?  I'm running pf 1.61 and FreeBSD 5.1-CURRENT
> > (last rebuilt world on Aug. 15, 2003).
> >
> > Thanks
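The per-entry counters that the verbose table listing exposes are the hook for the "surfs too much" check mentioned above. What follows is an added example, not code from the thread: a POSIX shell function that reads `pfctl -v -t surfers -T show` style output and prints every entry whose Out/Pass byte counter exceeds a limit. The sample listing is constructed for this example and follows the layout assumed here for pfctl(8)'s verbose table output (a bare address line followed by indented Cleared/In/Out counter lines); the function name and the 10 MiB limit are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the thread): list table entries that have passed
# more than LIMIT bytes, based on the verbose table listing.
# Real use:  pfctl -v -t surfers -T show | heavy_surfers 10485760

# Constructed sample of verbose table output (not captured from a real box).
# Layout assumed from pfctl(8): one bare address line per entry, followed by
# indented counter lines for that entry. Negated entries carry a leading "!".
SAMPLE_TABLE_OUTPUT='   65.192.6.0/24
        Cleared:     Thu Sep 16 03:00:00 2004
        In/Block:    [ Packets: 0         Bytes: 0          ]
        In/Pass:     [ Packets: 40        Bytes: 3200       ]
        Out/Block:   [ Packets: 0         Bytes: 0          ]
        Out/Pass:    [ Packets: 38000     Bytes: 52428800   ]
  !65.192.6.13
        Cleared:     Thu Sep 16 03:00:00 2004
        In/Block:    [ Packets: 0         Bytes: 0          ]
        In/Pass:     [ Packets: 0         Bytes: 0          ]
        Out/Block:   [ Packets: 0         Bytes: 0          ]
        Out/Pass:    [ Packets: 0         Bytes: 0          ]
   66.192.5.7
        Cleared:     Thu Sep 16 03:00:00 2004
        In/Block:    [ Packets: 0         Bytes: 0          ]
        In/Pass:     [ Packets: 12        Bytes: 960        ]
        Out/Block:   [ Packets: 0         Bytes: 0          ]
        Out/Pass:    [ Packets: 800       Bytes: 1048576    ]'

# heavy_surfers LIMIT: read verbose table output on stdin and print, one per
# line and in listing order, each entry whose Out/Pass byte counter is
# greater than LIMIT. An entry is recognised as the only kind of line with a
# single field; counter lines have several fields and are only consulted for
# the Out/Pass row, so other rows are ignored harmlessly.
heavy_surfers() {
    awk -v limit="$1" '
        NF == 1 { addr = $1; next }
        $1 == "Out/Pass:" {
            for (i = 1; i < NF; i++)
                if ($i == "Bytes:" && $(i + 1) + 0 > limit + 0)
                    print addr
        }
    '
}

# Demo on the constructed sample with a 10 MiB limit.
printf '%s\n' "$SAMPLE_TABLE_OUTPUT" | heavy_surfers 10485760
```

Run against the sample, the demo line prints only 65.192.6.0/24; the negated host shows zero counters and the second host stays under the limit. An entry that shows up here can then be pulled with `pfctl -t surfers -Tdelete <addr>` without reloading the ruleset. One practical caveat when typing the negated entries from the thread by hand: in csh or an interactive bash, quote the address (`'!65.192.6.13'`) so the shell does not attempt history expansion on the leading `!`.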

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000901c363a5$02752090$01000001>