Date: Thu, 16 Sep 2004 03:46:05 -0000
From: Mo <mo@qubix.ca>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: Whitelist IPs via pf 1.61
Message-ID: <20030816032446.GA3047@qubix.ca>
In-Reply-To: <000901c363a5$02752090$01000001@max900>
References: <3F3D9534.6080802@qubix.ca> <002201c363a3$5d01e450$01000001@max900> <000901c363a5$02752090$01000001@max900>
Thanks very much for the assistance; I am just waiting for the guy to try it out. I e-mailed him and hopefully he will try it tomorrow morning and let me know. I really appreciate your enthusiasm and going above and beyond when answering my question. Thanks again.

On Saturday, 16 August 2003 at 5:18:05 +0200, Max Laier wrote:
> Forgot to tell about the best part:
> This gives you per-table-entry accounting, meaning that:
> #pfctl -vt surfers -Tshow #note the -v flag
> will give you detailed output about every entry's activities, so you can
> interfere if someone surfs too much.
>
> > This can be done in various ways, the most powerful and yet easy way is to
> > use a table:
> >
> > >>> pf.conf <<<
> > table <surfers> persist file "/etc/port80.allow"
> >
> > # block here
> >
> > pass out on $ext_if from <surfers> to any port 80
> > >>> pf.conf <<<
> >
> > This will read all the entries in /etc/port80.allow to the table as you load
> > the ruleset. You can add hosts or subnets temporarily by issuing:
> > #pfctl -t surfers -Tadd 65.192.5.1 or
> > #pfctl -t surfers -Tadd 66.192.5.0/24
> > You can even add negated entries, if you want to allow a whole subnet, but
> > one or two hosts:
> > #pfctl -t surfers -Tadd 65.192.6.0/24
> > #pfctl -t surfers -Tadd !65.192.6.13
> > will allow all hosts from 65.192.6.0/24 but disallow 65.192.6.13
> > The contents of the table can be viewed by:
> > #pfctl -t surfers -Tshow
> >
> > More information at:
> > pfctl(8)
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8&manpath=OpenBSD+3.3
> > pf.conf(5)
> > http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+3.3
> > And the pf-faq:
> > http://www.openbsd.org/faq/pf/tables.html
> >
> > > Hello. This is my first time posting to this mailing list, but it looks
> > > like I would probably get some good ideas/answers here. Anyway, I have
> > > a specific subnet (65.192.x.x) blocked from accessing port 80, but I
> > > want to "whitelist" (if that is the proper term) and have it be able to
> > > access port 80. So basically, I want the whole subnet blocked still,
> > > except if I can whitelist one IP to allow traffic to/from port 80 from
> > > it. Is this possible? I'm running pf 1.61 and FreeBSD 5.1-CURRENT
> > > (last rebuilt world on Aug. 15, 2003).
> > >
> > > Thanks
> >
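An added example, not from anyone in this thread: a small POSIX sh/awk filter over the per-entry counters that the `pfctl -vt surfers -Tshow` command above prints, listing the table entries whose Out/Pass byte count is above a limit so an administrator can see who is "surfing too much". The sample output is constructed, and its layout (indented address line, a Cleared: line, then one counter line per direction) is assumed to match pfctl's verbose table listing.

```shell
#!/bin/sh
# Constructed sample of `pfctl -vt surfers -Tshow` output (not captured from
# a real host). Assumed layout: indented address line, "Cleared:" line, then
# "[ Packets: N  Bytes: N ]" lines for In/Out x Block/Pass.
SAMPLE='   65.192.5.1
   Cleared:     Sat Aug 16 05:18:05 2003
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out/Pass:    [ Packets: 4120               Bytes: 3150000            ]
   65.192.6.0/24
   Cleared:     Sat Aug 16 05:18:05 2003
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out/Pass:    [ Packets: 310                Bytes: 240000             ]
   !65.192.6.13
   Cleared:     Sat Aug 16 05:18:05 2003
   In/Block:    [ Packets: 0                  Bytes: 0                  ]
   In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   Out/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# heavy_surfers LIMIT: read verbose table output on stdin and print every
# entry whose Out/Pass byte counter exceeds LIMIT, one address per line.
# Negated entries ("!addr") exclude hosts rather than carry traffic, so
# they are skipped. Address lines start with a digit or lowercase hex
# (IPv4 or IPv6); the counter labels start with an uppercase letter.
heavy_surfers() {
    awk -v limit="$1" '
        /^[[:space:]]*!/        { addr = ""; next }   # negated entry: ignore
        /^[[:space:]]*[0-9a-f]/ { addr = $1; next }   # host or subnet line
        $1 == "Out/Pass:" && addr != "" && $6 + 0 > limit + 0 { print addr }
    '
}

# check_sample LIMIT: run the filter over the constructed sample above.
check_sample() {
    printf '%s\n' "$SAMPLE" | heavy_surfers "$1"
}

# Entries that have passed more than 1 MB out on port 80 since last cleared.
check_sample 1000000
```

On a live host the same filter reads the real listing: `pfctl -vt surfers -Tshow | heavy_surfers 1000000`.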
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030816032446.GA3047>