replacement for nested tables?
From: Tobias (Germany)
Date: 2007-09-04 13:59:07
Hi!

I am setting up a bridging firewall on FreeBSD 6.2 that has, among others,
three interfaces: one for the internal LAN and two demilitarized zones
sharing the same subnet.

Now I want to have a convenient way to refer to any machine that is not in
one of the demilitarized zones. Here is my first shot:

# DMZ #1
DMZ1 = "192.168.1.3, 192.168.1.4"
table <dmz1_table> { $DMZ1 }

# DMZ #2
DMZ2 = "192.168.1.5, 192.168.1.6"
table <dmz2_table> { $DMZ2 }

# The internal lan
table <int_table> { 192.168.1.0/24,
!<dmz1_table>, !<dmz2_table> }

This fails because nested tables are not supported. Sort of makes sense.
My next shot was

table <int_table> { 192.168.1.0/24, !$DMZ1, !$DMZ2 }

but this gives the wrong result because the "!" operator is only applied to
the first element in "DMZ1".

Is there any way to populate <int_table> with all IP addresses that are
/not/ in DMZ1 or DMZ2 without having to explicitly repeat the addresses of
the machines in each DMZ?

I would prefer not to have any redundant "points of editing" in my pf.conf.

TIA
Tobias
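Editor's note, added to the archived thread and not part of Tobias's message: since a macro such as `!$DMZ1` expands to `!192.168.1.3, 192.168.1.4` and so negates only the first address, one way to keep a single point of editing is to generate the table lines from one host list, applying "!" to every address before the result is fed to pfctl. The script below does that; the host-list layout, the `dmz_table`/`int_table` function names and the sample addresses (taken from the post) are assumptions of this example, not something the thread prescribes.

```shell
#!/bin/sh
# Added example: emit pf.conf table definitions from one DMZ host list so the
# DMZ addresses are written exactly once. Assumed layout: "<dmz-name> <addr>"
# per line (constructed sample input matching the addresses in the post).
DMZ_HOSTS='dmz1 192.168.1.3
dmz1 192.168.1.4
dmz2 192.168.1.5
dmz2 192.168.1.6'

# dmz_table NAME
# Prints "table <NAME_table> { a, b }" for every host tagged NAME.
dmz_table() {
    addrs=$(printf '%s\n' "$DMZ_HOSTS" |
        awk -v t="$1" '$1 == t { s = s (s == "" ? "" : ", ") $2 } END { print s }')
    printf 'table <%s_table> { %s }\n' "$1" "$addrs"
}

# int_table PREFIX
# Prints the internal table: PREFIX minus every DMZ host, with "!" placed in
# front of each address individually rather than in front of a macro, which
# is what the attempt "table <int_table> { ..., !$DMZ1, !$DMZ2 }" gets wrong.
int_table() {
    neg=$(printf '%s\n' "$DMZ_HOSTS" |
        awk '{ s = s (s == "" ? "" : ", ") "!" $2 } END { print s }')
    printf 'table <int_table> { %s, %s }\n' "$1" "$neg"
}

# Usage: write the generated block to a file that pf.conf includes, then
# reload. Uncomment to run as a script.
# { dmz_table dmz1; dmz_table dmz2; int_table 192.168.1.0/24; } > /etc/pf.tables.conf
```

After reloading, `pfctl -nf /etc/pf.conf` checks that the generated file parses, and `pfctl -t int_table -T show` lists what pf actually loaded into the table, which is the quickest way to confirm that every DMZ host was excluded rather than only the first one.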

_______________________________________________
freebsd-pf@freebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribe@freebsd.org"
