pf.conf - multiple class Cs

Post by Brad Fea » Tue, 15 Oct 2002 23:55:16



Is there an easy way to create a range of consecutive class C ip
subnets within pf.conf?  For instance, we have 95 consecutive class C
subnets that need access to a server via the pf.conf firewall.  I'm
hoping there is a better way to do this syntactically than to use:

class_Cs = "{192.168.30.0/16, 192.168.31.0/16, 192.168.32.0/16, etc,
etc...}"

Since we don't want anything lower than 192.168.30.0/16 to have
access, and we don't want anything above 192.168.125.0/16 to have
access, we can't use a "/24".

I think Cisco uses a simple "192.168.30-125" type of syntax, but I
can't find any reference to pf.conf using a similar syntax, and
everything I've tried generates syntax errors.

Any ideas are appreciated.  TIA.

Brad Fears


pf.conf - multiple class Cs

Post by jp » Wed, 16 Oct 2002 01:08:50



> Is there an easy way to create a range of consecutive class C ip
> subnets within pf.conf?  For instance, we have 95 consecutive class C
> subnets that need access to a server via the pf.conf firewall.  I'm
> hoping there is a better way to do this syntactically than to use:

> class_Cs = "{192.168.30.0/16, 192.168.31.0/16, 192.168.32.0/16, etc,
> etc...}"

What used to be a class C is now a /24. A /16 used to be called class B.
Count the bits.

> Since we don't want anything lower than 192.168.30.0/16 to have
> access, and we don't want anything above 192.168.125.0/16 to have
> access, we can't use a "/24".

I think you're in for a nice re-counting of your bits, because this
doesn't make any sense at all.

> I think Cisco uses a simple "192.168.30-125" type of syntax, but I
> can't find any reference to pf.conf using a similar syntax, and
> everything I've tried generates syntax errors.

From a quick glance, I don't see it supported either, but that doesn't
mean it isn't there. As a workaround, you could do something like
myaddrs = "{192.168.30.0/23, 192.168.32.0/19, [...], 192.168.124.0/23 }".

If you think counting bits cumbersome, use a small (shell) script to
generate your pf.conf for you, so you don't have to cut'n'paste 95 /24
blocks by hand. But be sure you understand CIDR right before you continue.

This is another reason one ought to be careful about how to set up one's IP
numbering scheme, but you _could_ of course throw a Cisco at the problem.

--
  j p d (at) d s b (dot) t u d e l f t (dot) n l .


pf.conf - multiple class Cs

Post by tedu » Wed, 16 Oct 2002 01:03:12



> class_Cs = "{192.168.30.0/16, 192.168.31.0/16, 192.168.32.0/16, etc,
> etc...}"

> Since we don't want anything lower than 192.168.30.0/16 to have
> access, and we don't want anything above 192.168.125.0/16 to have
> access, we can't use a "/24".

you share more bits than 16, but less than 24.  /20 or so will be better.
ports/net/cidr or any netmask calculator on the web will help.

--
Mediocrity is a sin.


pf.conf - multiple class Cs

Post by John Sloa » Wed, 16 Oct 2002 02:05:56



> Is there an easy way to create a range of consecutive class C ip
> subnets within pf.conf?  For instance, we have 95 consecutive class C
> subnets that need access to a server via the pf.conf firewall.  I'm
> hoping there is a better way to do this syntactically than to use:

> class_Cs = "{192.168.30.0/16, 192.168.31.0/16, 192.168.32.0/16, etc,
> etc...}"

> Since we don't want anything lower than 192.168.30.0/16 to have
> access, and we don't want anything above 192.168.125.0/16 to have
> access, we can't use a "/24".

> I think Cisco uses a simple "192.168.30-125" type of syntax, but I
> can't find any reference to pf.conf using a similar syntax, and
> everything I've tried generates syntax errors.

> Any ideas are appreciated.  TIA.

> Brad Fears

Your "95 class Cs" can be written as follows:

class_Cs = "{192.168.30.0/23, 192.168.32.0/19, 192.168.64.0/19,
192.168.96.0/20, 192.168.112.0/21, 192.168.120.0/22,
192.168.124.0/23}"

Look up CIDR for more information.

JS


pf.conf - multiple class Cs

Post by Brad Fea » Wed, 16 Oct 2002 03:55:54


Err...I posted too fast without thinking.  My /16's should be /24's,
and vice-versa.

> Is there an easy way to create a range of consecutive class C ip
> subnets within pf.conf?  For instance, we have 95 consecutive class C
> subnets that need access to a server via the pf.conf firewall.  I'm
> hoping there is a better way to do this syntactically than to use:

> class_Cs = "{192.168.30.0/16, 192.168.31.0/16, 192.168.32.0/16, etc,
> etc...}"

> Since we don't want anything lower than 192.168.30.0/16 to have
> access, and we don't want anything above 192.168.125.0/16 to have
> access, we can't use a "/24".

> I think Cisco uses a simple "192.168.30-125" type of syntax, but I
> can't find any reference to pf.conf using a similar syntax, and
> everything I've tried generates syntax errors.

> Any ideas are appreciated.  TIA.

> Brad Fears


pf.conf - multiple class Cs

Post by Matthew Poo » Wed, 16 Oct 2002 04:35:21



>Err...I posted too fast without thinking.  My /16's should be /24's,
>and vice-versa.



>> Is there an easy way to create a range of consecutive class C ip
>> subnets within pf.conf?  For instance, we have 95 consecutive class C
>> subnets that need access to a server via the pf.conf firewall.  I'm
>> hoping there is a better way to do this syntactically than to use:

>> class_Cs = "{192.168.30.0/16, 192.168.31.0/16, 192.168.32.0/16, etc,
>> etc...}"

>> Since we don't want anything lower than 192.168.30.0/16 to have
>> access, and we don't want anything above 192.168.125.0/16 to have
>> access, we can't use a "/24".

>> I think Cisco uses a simple "192.168.30-125" type of syntax, but I
>> can't find any reference to pf.conf using a similar syntax, and
>> everything I've tried generates syntax errors.

>> Any ideas are appreciated.  TIA.

>> Brad Fears

So summarise stuff into blocks up to /19 size.
Start with a /23 at 30, which takes you to 31.  Two /19s at 32 and 64
take you up to 95.  A /20 at 96 takes you to 111.  A /21 at 112 takes
you to 119.  A /22 at 120 takes you to 123, and a /23 at 124 finishes
things off to 125.255.

--
Matthew Poole               Auckland, New Zealand
"Veni, vidi, velcro...
                     I came, I saw, I stuck around"

My real e-mail is mattATp00leDOTnet
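Added example, not code from any poster in this thread: the kind of small generator script jp suggests, written in Python rather than shell, implementing the bit counting that Matthew Poole walks through above and emitting the result in the same macro syntax the thread uses. The macro name class_Cs and the 192.168.30 through 192.168.125 range come from the thread; the function names, the cover_class_cs shorthand and the exact_cover check are my own. The check matters because a block that is one bit too wide (say, a /17 for convenience) would silently pass the firewall rule for the subnets on either side of the range; the script also cross-checks its own answer against the standard library's summarize_address_range.

```python
#!/usr/bin/env python3
"""Generate a pf.conf address macro that covers a run of consecutive /24s
exactly, using the fewest CIDR blocks, and prove the cover is exact.

Added example (not from the thread); standard library only."""
import ipaddress


def cover_range(first, last):
    """Minimal CIDR cover of the inclusive address range first..last.

    Greedy bit counting: at each step emit the largest block that is aligned
    at the current address and does not run past `last`.  An address's
    alignment is its lowest set bit: 192.168.30.0 is aligned to 512, so the
    widest block it can start is a /23; 192.168.32.0 is aligned to 8192, a /19."""
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("first must not be above last")
    blocks = []
    while cur <= end:
        size = (cur & -cur) if cur else (1 << 32)   # largest aligned block at cur
        while size > end - cur + 1:                # shrink until it fits the range
            size //= 2
        prefix = 33 - size.bit_length()            # 512 -> /23, 8192 -> /19
        blocks.append(ipaddress.IPv4Network(f"{ipaddress.IPv4Address(cur)}/{prefix}"))
        cur += size
    return blocks


def cover_class_cs(net16, lo, hi):
    """The thread's '192.168.30-125' shorthand: every /24 lo..hi under net16."""
    return cover_range(f"{net16}.{lo}.0", f"{net16}.{hi}.255")


def pf_macro(name, blocks):
    """Render the block list in the macro syntax used in the thread."""
    return name + ' = "{ ' + ", ".join(str(b) for b in blocks) + ' }"'


def exact_cover(blocks, first, last):
    """True iff the blocks cover first..last and nothing outside it.

    Sorted, non-overlapping blocks that all lie inside the range and whose
    sizes sum to the range size cover it exactly; anything wider would let
    neighbouring subnets through the rule."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    ordered = sorted(blocks, key=lambda b: int(b.network_address))
    for a, b in zip(ordered, ordered[1:]):
        if int(a.broadcast_address) >= int(b.network_address):
            return False                           # overlapping blocks
    inside = all(lo <= int(b.network_address) and int(b.broadcast_address) <= hi
                 for b in ordered)
    total = sum(b.num_addresses for b in ordered)
    return inside and total == hi - lo + 1


if __name__ == "__main__":
    blocks = cover_class_cs("192.168", 30, 125)
    print(pf_macro("class_Cs", blocks))
    # cross-check against the standard library's own summarizer
    lib = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address("192.168.30.0"),
        ipaddress.IPv4Address("192.168.125.255")))
    assert blocks == lib
    assert exact_cover(blocks, "192.168.30.0", "192.168.125.255")
```

Run as-is it prints the seven-block macro John Sloane posted, and the exact_cover assertion holds. Note that .30 through .125 inclusive is 96 /24s, which is why the seven block sizes sum to 24576 addresses; the same greedy walk works for any start and end address, not just whole /24s.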


Managing Multiple class Cs

Hi all,

I'm currently administering the Internet gateway at our company.  I'm
running a Linux box with quite an old kernel, but I'm intending to upgrade
to the latest Slackware release shortly.  My problem is the lan that we have
is essentially one piece of Ethernet cabling with repeaters all over the
place.  Everyone in the company is connected to the same piece of wire.

I have allocated almost all the addresses in my first class C address, and
have just received an 'aggregate' (xxx.xxx.xxx/22) class C address from my
Internet provider (this is apparently equivalent to 4 class C addresses).

The question I have is ... do I have to get another machine to gate the
new addresses into my current network, or can I just add another ethx
device to my ifconfig and use my current Linux box to do all the gatewaying?
Or.. can I just stay with the one ethernet card and have the Linux box
perform some magic to route all the traffic from all the addresses?

Any and all advice (posted or E-mail) gratefully accepted.

TIA

Neil

.sig?......I don't need no steenking .sig!
