tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Introducing NPF in NetBSD 6.0

On Fri, Oct 26, 2012, at 11:45 AM, Manuel Bouyer wrote:
> Right now I use ipf on a router, with groups made like that:
> A set of groups for each vlan, which just checks that source IP comes
> from the expected interface (anti-spoofing rules):
> block in log level err quick from network_of_vlan_xxx/24 to any head 1xxx
> pass in on vlanxxx from any to any group 1xxx
> (repeat for each vlan)

You can use ippools to do this in one rule by defining a pool
that maps networks to groups and then doing a pool lookup in
the main rule.

So in ippool.conf you would have:
group-map in role = ipf number = 1000
            { vlan1001/24, group = 1001; vlan1002/25, group = 1002; };

and then in ipf.conf you would have:
call now fr_srcgrpmap/1010 in all


Home | Main Index | Thread Index | Old Index