PF Confused whitelist location?

Hi.

I'm confused a bit about where to put my whitelist table (containing IPs that shouldn't get blocked). My current configuration does not whitelist my <whitelist> table. This is my trimmed pf.conf file:

Bash:
ext_if="re0"

# tables are loaded from files and survive rule reloads (persist)
table <whitelist> persist file "/var/pf/whitelist.txt"
table <pfbadhost> persist file "/var/pf/bad.txt"

# enable logging on the external interface
set loginterface $ext_if

# allow all on Loopback interface
set skip on lo

match in all scrub (no-df random-id)

antispoof quick for $ext_if

block drop in quick on $ext_if from <pfbadhost>
block return in log all

# Whitelist
pass quick from <whitelist> to any flags any keep state

# $icmp_types and $icmp6_types are macros defined in the untrimmed file
pass quick inet proto icmp icmp-type $icmp_types max-pkt-rate 100/10
pass quick inet6 proto ipv6-icmp icmp6-type $icmp6_types max-pkt-rate 100/10

pass out quick on $ext_if

So, where exactly should the whitelist table be located?

Thanks.
 
I mean the location of this line:

Bash:
pass quick from <whitelist> to any flags any keep state

in pf.conf file.
 
It's OK where it is at the moment, unless you have a whitelisted IP in your pfbadhost table.

It doesn't really work that way. However, whenever I move the line

pass quick from <whitelist> BEFORE these two lines:

Code:
block drop in quick on $ext_if from <pfbadhost>
block return in log all

just after "antispoof quick for $ext_if", it works.

Is that the normal behaviour, or am I making a configuration error?
 
If you have the same IP address/subnet in both tables "pfbadhost" and "whitelist", the block takes precedence, as it's above the allow rule.
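Added example (not from any poster in this thread): a small Python model of pf's rule evaluation for the three inbound rules under discussion, run against constructed sample tables. pf applies the last matching rule unless a matching rule carries "quick", which ends evaluation on the spot. The two table contents below are placeholders, not the thread's real /var/pf files; the rule set is reduced to the two block rules and the whitelist pass, in the order as posted and in the moved order.

```python
import ipaddress

# Constructed sample tables (placeholders, not the thread's whitelist.txt / bad.txt).
# 203.0.113.10 is deliberately listed in BOTH tables to reproduce the overlap case.
WHITELIST = ["203.0.113.10", "192.0.2.5"]
PFBADHOST = ["203.0.113.10", "198.51.100.0/24"]


def in_table(ip, table):
    """True if ip falls inside any address or prefix listed in the table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in table)


# Each rule is (action, quick, predicate). Only inbound traffic on $ext_if is
# modelled, so 'block return in log all' simply matches every packet.
RULE_BLOCK_BAD = ("block", True, lambda ip: in_table(ip, PFBADHOST))   # block drop in quick on $ext_if from <pfbadhost>
RULE_BLOCK_ALL = ("block", False, lambda ip: True)                      # block return in log all
RULE_PASS_WL = ("pass", True, lambda ip: in_table(ip, WHITELIST))       # pass quick from <whitelist> to any ...

AS_POSTED = [RULE_BLOCK_BAD, RULE_BLOCK_ALL, RULE_PASS_WL]
WHITELIST_FIRST = [RULE_PASS_WL, RULE_BLOCK_BAD, RULE_BLOCK_ALL]


def evaluate(rules, ip):
    """pf semantics: the last matching rule decides, except that a matching
    rule marked 'quick' stops evaluation immediately."""
    verdict = "pass"  # pf's implicit default when no rule matches at all
    for action, quick, matches in rules:
        if matches(ip):
            verdict = action
            if quick:
                break
    return verdict


def compare(ip):
    """Verdict for one source address under both rule orderings."""
    return {
        "as_posted": evaluate(AS_POSTED, ip),
        "whitelist_first": evaluate(WHITELIST_FIRST, ip),
    }


if __name__ == "__main__":
    for src in ("203.0.113.10", "192.0.2.5", "198.51.100.7", "203.0.113.99"):
        print(src, compare(src))
```

Two things the run makes visible: an address that is only in <whitelist> passes in either position, because "block return in log all" is not quick and the later "pass quick" overrides it; an address that is in both tables is dropped in the posted order, because the "block ... quick" on <pfbadhost> is hit first and evaluation stops there. Moving the whitelist pass above the block is what changes that second outcome, which matches what the thread reports.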
 