Re: rdr in PF
On Sat, 12 Feb 2005 23:31:45 +0800, sam <sam.wun@authtec.com> wrote:
>Greg Hennessy wrote:
>
>> ~ # grep -i 3128 /etc/pf.conf
>> rdr pass on $Int proto tcp from $LAN to !$<InsideNets> port www ->\
>> 127.0.0.1 port 3128
>Hi thanks very much for the help.
>I'm not quite an expert in PF syntax.
That will change :-). The syntax improvements over IPF make for shorter and
easier to maintain policies IMHO.
When I migrated over from IPF on Solaris, I was able to reduce the number of
lines in the policy I was using by around half.
>What does !$<InsideNets> represent?
><InsideNets> is a table that contains a list of internal subnets, and
>!$<...> means "not belonging to the Internal Subnets"?
Sorry, typo on my part, it should be
rdr pass on $Int proto tcp from $LAN to !<InsideNets> port www ->\
127.0.0.1 port 3128
There is no dollar before the table delimiter, it's not a macro expansion.
And you are correct, '!' indicates the set of addresses 'not' contained in
the table <InsideNets>.
>> rdr pass on $Int proto tcp from $LAN to $Int:0 port 3128 ->\
>> 127.0.0.1 port 3128
>>
>> The 1st rdr pass does the http interception.
>> The 2nd rdr pass allows the proxy to be utilised inline if necessary.
>>
>>
>> & this
>>
>> ~ # grep -i squid /etc/pf.conf
>> pass out quick on $Ext $TCP to !<InsideNets> user squid $KSF\
>> queue (q_def, q_pri)
>Similarly, what does !<...> represent?
Same as above: allow out tcp traffic from the process(es) owned by the UID
squid to any destination address which is 'not' in the table <InsideNets>.
> and how about $KSF?
You'll find the pfctl macro expansion capability to be very useful.
Here are some of the ones I use
UDP="inet proto udp"
TCP="inet proto tcp"
KSF="keep state flags S/SA"
KS="keep state"
greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
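To show how the fragments quoted in this thread fit together, here is a minimal pf.conf of the same era as an added example; it is not Greg's ruleset. Interface names, the LAN range, the contents of <InsideNets> are assumed, and the altq queue assignment from the original pass rule is left out because it needs queue definitions the mail does not show.

```pf
# Added example (not from the mail): interface names, the LAN range and
# the table contents are assumed values.
Ext = "fxp0"
Int = "fxp1"
LAN = "192.168.1.0/24"

# Macros as listed in the mail; pfctl expands $NAME at load time.
UDP = "inet proto udp"
TCP = "inet proto tcp"
KSF = "keep state flags S/SA"
KS  = "keep state"

# Internal subnets whose web traffic must NOT be sent through the proxy.
table <InsideNets> const { 192.168.1.0/24, 10.0.0.0/8 }

# Wrong form from the thread: '$' is the macro sigil, a table is referenced
# as <name> with no dollar sign. pfctl -nf /etc/pf.conf rejects this line.
# rdr pass on $Int proto tcp from $LAN to !$<InsideNets> port www -> 127.0.0.1 port 3128

# 1st rdr: transparent interception. LAN web traffic bound for any address
# not in <InsideNets> is redirected to Squid listening on the firewall.
rdr pass on $Int proto tcp from $LAN to !<InsideNets> port www -> \
        127.0.0.1 port 3128

# 2nd rdr: lets clients configured to use the proxy explicitly reach it on
# the internal interface address ($Int:0 = first address of $Int).
rdr pass on $Int proto tcp from $LAN to $Int:0 port 3128 -> \
        127.0.0.1 port 3128

# Only sockets owned by the squid UID may open outbound tcp to non-internal
# destinations; 'user' matches the owner of the local socket.
pass out quick on $Ext $TCP to !<InsideNets> user squid $KSF

# Check syntax and macro/table expansion without loading the rules:
#   pfctl -nf /etc/pf.conf
```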