First off, I'm adding a rule to pf for bogon filtering, and came across something I wanted to get a bit of clarification on.
I have a monthly cron set to fetch this and save it as bogon.conf in /etc, I have a pf rule
Code:
table <bogon> const file "/etc/bogon.conf"
in place for that, and then the blocking rule
Code:
block in quick on $ext_if from <bogon> to any
Thus far that works fine, but when I was checking the documentation for the syntax to use a file list in a table, I ran across this:
http://www.openbsd.org/faq/pf/tables.html said:
Specifying Addresses
<snip>
One limitation when specifying addresses is that 0.0.0.0/0 and 0/0 will not work in tables. The alternative is to hard code that address or use a macro.
So my question there is do I need a macro to block those addresses on the external interface? Something like:
Code:
nil = "{ 0.0.0.0/8 }"
with the respective blocking rules, or not? Also, $ext_if is a DHCP interface, and if I recall, DHCP lease communications initially originate with an IP of 0.0.0.0, so I would have to open up a hole for DHCP communications, correct?
That was the first question; the second is easier. I read somewhere a while back, and cannot find it again, but I recall something about using ($ext_if) in rules with a DHCP external interface, that way rules always refer to the correct interface/IPs, in case the lease info (IP) changes. Is there any truth to that?
Thanks, hope that was clear.
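The following pf.conf fragment is an added example, not the poster's ruleset, pulling the three points above together: the table-loaded bogon list plus a macro for the 0.0.0.0 space the FAQ says a table cannot hold, pass rules for the DHCP client exchange placed ahead of the quick blocks, and ($ext_if) used in the address position so pf re-reads the interface address when the lease changes. The interface name em0, the macro name nil, the rule ordering and the ssh pass rule are assumptions for illustration.

```pf
# Added example (not the original poster's ruleset).
# Assumption: em0 is the external, DHCP-configured interface.
ext_if = "em0"

# 0.0.0.0/0 is not accepted inside a table (pf FAQ, "Specifying Addresses"),
# so the unspecified-address space is carried by a macro. If the fetched
# bogon list already contains 0.0.0.0/8, this macro is redundant but harmless.
nil = "{ 0.0.0.0/8 }"

# Individual bogon prefixes still come from the file fetched by cron.
table <bogon> const file "/etc/bogon.conf"

# DHCP client traffic. Before it holds a lease the client sends
# DHCPDISCOVER/DHCPREQUEST from 0.0.0.0:68 to 255.255.255.255:67; the
# server answers from its own address on port 67 to port 68. Only the
# inbound direction is affected by a "block in ... from <bogon>" rule,
# but placing both pass rules first (with quick) keeps the exchange
# working even if the server address itself appears in the bogon list
# (e.g. a private-range DHCP relay).
pass out quick on $ext_if proto udp from any port 68 to any port 67
pass in  quick on $ext_if proto udp from any port 67 to any port 68

# Inbound bogon filtering on the external interface.
block in quick on $ext_if from $nil to any
block in quick on $ext_if from <bogon> to any

# ($ext_if) in the address position expands to the interface's current
# address and is re-evaluated when that address changes, so a new DHCP
# lease does not require reloading the ruleset. Parentheses are only
# meaningful in an address context; "on $ext_if" names the interface and
# needs none.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh
```

Check the result without loading it using `pfctl -nf /etc/pf.conf`; a syntax error in the macro or the table file is reported there before the live ruleset is touched.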