On 2020-05-04 19:23, Stuart Henderson wrote:
> On 2020-05-04, Marko Cupać <marko.cu...@mimar.rs> wrote:
>> Hi,
>> I'd like to create a pf table "all publicly routable ipv4 addresses". Is
>> this possible with some short syntax?
>> Thank you in advance.
> something like this?
> # https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
> table <routable> {
> !0.0.0.0/8
> !10.0.0.0/8
> !100.64.0.0/10
> !127.0.0.0/8
> !169.254.0.0/16
> !172.16.0.0/12
> !192.0.0.0/24
> !192.0.2.0/24
> !192.168.0.0/16
> !198.18.0.0/15
> !198.51.100.0/24
> !203.0.113.0/24
> !224.0.0.0/3
> }
Yes. I want to have the opposite of the <martians> table described in the pf
faq:
https://www.openbsd.org/faq/pf/example1.html#pf
...so I can permit hosts on the guest vlan to access Internet hosts, but not
hosts on other private vlans, similar to:
block log all
pass in on $guest_vlan from $guest_vlan:network to <routable>
However, this apparently doesn't work. If I tested correctly, your <routable>
table expands to "no addresses", not "all addresses but those".
I thought I could do such a table like this:
table <routable> { 0.0.0.0/0 \
!0.0.0.0/8 \
...
!224.0.0.0/3 }
...but https://www.openbsd.org/faq/pf/tables.html#addr states that "One
limitation when specifying addresses is that 0.0.0.0/0 and 0/0 will not
work in tables".
I know I can solve this by reordering rules and using block instead of
pass, but I'd really like to have a table of all publicly routable IP
addresses in pf.
Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
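Added example, not from the thread and not OpenBSD or pf code: the two limitations above (0/0 is not accepted in a table, and a table made only of "!" entries matches nothing) can be sidestepped by computing the complement of the bogon list offline as a list of positive prefixes and loading that as the table. The script below does this with Python's ipaddress module, using a constructed copy of the bogon aggregates quoted in the thread; the output file path and the table name are placeholders you choose.

```python
import ipaddress

# Constructed copy of the aggregated bogon list quoted in the thread.  In real
# use you would refresh it from the Team Cymru URL rather than hard-code it.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
]


def complement(excluded, universe="0.0.0.0/0"):
    """Return sorted, collapsed CIDR prefixes covering `universe` minus every
    network in `excluded`.  Only positive entries come out, so the result can
    be loaded into a pf table without 0/0 and without '!' entries."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                                # swallowed whole
            elif ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))    # split around the hole
            else:
                kept.append(net)                        # disjoint, keep as is
        remaining = kept
    # Two CIDR prefixes are always nested or disjoint, so no partial overlap
    # case is needed above; collapse re-merges adjacent halves left by splits.
    return sorted(ipaddress.collapse_addresses(remaining))


def is_routable(prefixes, address):
    """True if `address` falls inside one of the computed prefixes."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in prefixes)


def check(prefixes, excluded):
    """Sanity check before loading: no prefix overlaps an excluded network,
    and prefixes plus exclusions together account for every IPv4 address."""
    ex_nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(e) for e in excluded))
    if any(p.overlaps(e) for p in prefixes for e in ex_nets):
        return False
    total = (sum(p.num_addresses for p in prefixes)
             + sum(e.num_addresses for e in ex_nets))
    return total == 2 ** 32


def render_table_file(prefixes):
    """One prefix per line: the format pf reads for
    table <routable> persist file "/etc/pf.routable"  (path is a placeholder)."""
    return "\n".join(str(p) for p in prefixes) + "\n"


if __name__ == "__main__":
    routable = complement(BOGONS)
    if not check(routable, BOGONS):
        raise SystemExit("complement failed self-check; not writing table")
    print(render_table_file(routable), end="")
```

Redirect the output to the file named in a `table <routable> persist file "..."` line in pf.conf, then `pass in on $guest_vlan from $guest_vlan:network to <routable>` matches exactly the public space and nothing on the bogon list. Regenerate the file and `pfctl -t routable -T replace -f` it whenever the bogon list changes.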