tech-net archive
Re: Introducing NPF in NetBSD 6.0
On Fri, Oct 26, 2012, at 11:45 AM, Manuel Bouyer wrote:
...
> Right now I use ipf on a router, with groups made like that:
> A set of groups for each vlan, which just checks that source IP comes
> from the expected interface (anti-spoofing rules):
>
> block in log level err quick from network_of_vlan_xxx/24 to any head 1xxx
> pass in on vlanxxx from any to any group 1xxx
> (repeat for each vlan)
You can use ippools to do this in one rule by defining a pool
that maps networks to groups and then doing a pool lookup in
the main rule.
So in ippool.conf you would have:
group-map in role = ipf number = 1000
{ vlan1001/24, group = 1001; vlan1002/25, group = 1002; };
and then in ipf.conf you would have:
call now fr_srcgrpmap/1010 in all
Cheers,
Darren
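As an added illustration that is not part of the thread, the two files written out for two VLANs with constructed networks (10.1.1.0/24 on vlan1001, 10.1.2.0/25 on vlan1002); the rule syntax follows the forms quoted above, and the pool number referenced by fr_srcgrpmap must be the same number given in the group-map line, which is the check to make when the two files are edited separately.

```conf
# ippool.conf (constructed example): one group-map pool that maps a
# source network to the ipf group number that should handle it.
# "number = 1000" is what fr_srcgrpmap/1000 in ipf.conf refers to.
group-map in role = ipf number = 1000
	{ 10.1.1.0/24, group = 1001; 10.1.2.0/25, group = 1002; };

# ipf.conf (constructed example): default deny first, because ipf applies
# the last matching rule unless a rule says "quick".
block in log level err all
# One lookup replaces the per-VLAN "block ... head 1xxx" rules: the source
# address is looked up in pool 1000 and the packet is handed to that group.
call now fr_srcgrpmap/1000 in all
# Each group only passes traffic that arrived on the interface the network
# belongs to; a spoofed source on the wrong VLAN, or a source in no pool
# entry, matches nothing here and is left with the logged block above.
pass in on vlan1001 from any to any group 1001
pass in on vlan1002 from any to any group 1002
```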