-------- Original Message --------
Subject:        Re: double NOT in rules is not working as expected
Date:   Fri, 08 Apr 2011 17:00:52 +0300
From:   Bojidara Marinchovska <quintesse...@bobi.gateit.net>
To:     Stuart Henderson <s...@spacehopper.org>



On 04/08/11 16:11, Stuart Henderson wrote:
> On 2011/04/08 15:42, Bojidara Marinchovska wrote:
>> It is not wrong but I cannot find it is possible to use negation with
>> AND ( something like block in quick from !{$a, $b, $c} ) and yes as
>> it is typed it will produce exactly this ruleset you wrote.
>>
>> So if rules in conf are defined as separated as ( not interpreted as
>> subrules )
>>
>> block in quick on $netif from !$test1 to x.x.x.x
>> block in quick on $netif from !$test2 to x.x.x.x
>
> let's fill in the macros because they really don't help.
>
> block in quick on netif from !1.2.3.4 to x.x.x.x
> block in quick on netif from !2.3.4.5 to x.x.x.x
>
>> why is 1.2.3.4 blocked by the second rule? shouldn't it be passed
>> by the first rule? ( rules are read from top to bottom )
>
> the first rule doesn't pass anything, it only blocks: it blocks
> everything except for 1.2.3.4
>
> so the only traffic which reaches the second rule is that from 1.2.3.4
>
> the second rule doesn't pass anything, it only blocks: it blocks
> everything except for 2.3.4.5
>
> so the second rule is irrelevant because packets from 2.3.4.5 get
> blocked at the first rule.
>
>> So the correct question is how to accomplish
>>
>> pass in quick on $netif from {$test1, $test2} to x.x.x.x
>> block in quick on $netif from any to x.x.x.x
>>
>> with only 1 rule ?
>
> why do you want only 1 rule? isn't it clearer to use the two rules?
> you might be able to do what you want with tables though, see the faq
> about negation.

Hello,

Thank you, yes, my mistake about block, whole day looking at the 2 rules
...
As Claudio already wrote:

"The {foo, bar} notation results in an OR operation so
foo || bar. Now !foo || !bar with foo != bar is always true."


As I can define with 1 rule, for example,
from {<tableA>, <tableB>}
I want to be able to use also
from !{<tableA>, <tableB>}

Yes, it is clear ...


Yes, I wrote about negation in tables, there are enough examples of its
usage in the Book of PF, but it is not what I need ( following KISS )

Anyway, thank you all.
I try to accomplish something which is correct to be done with no
firewall but with other software, and I try to use as simple as possible
rules.

I have 2 types of lists with IPs which I put in tables (because these
IPs change often and I don't want to reload rules, it is easy to add
just the new IP address)

table <lista> persist file "/somefile"
table <listb> persist file "/someotherfile"

IPs from list A have to be able to access IP A.A.A.A, B.B.B.B, C.C.C.C,
D.D.D.D and E.E.E.E for example ( protocol, port )
IPs from list B have to be able to access for example only D.D.D.D and
E.E.E.E

# block access to A.A.A.A - C.C.C.C for all except listA
block in quick on $if inet proto protocol from !<lista> to A.A.A.A...
port ...

# here I wanted to be able to use something like this to allow listA and
# listB to access D.D.D.D and E.E.E.E
block in quick on $if inet proto protocol from !{<lista>, <listb>} to
D.D.D.D,... port ...
instead of using:
pass in quick on $if inet proto protocol from {<lista>, <listb>} to
D.D.D.D ... port ...
block in quick on $if inet proto protocol from any to D.D.D.D ... port ...
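To make the first-match reasoning in the thread concrete, here is an added example (not code from the thread, from PF, or from either author) that simulates how 'quick' rules with a negated source list evaluate; the Rule/evaluate names, the addresses and the table contents are constructed assumptions.

```python
"""Mini first-match evaluator for the 'quick' PF rules discussed in the thread.

Added example; it models only what the discussion needs: action, 'quick',
and a possibly negated source list ({a, b} is an OR over its members).
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                               # "pass" or "block"
    sources: set = field(default_factory=set)  # empty set means "from any"
    negate: bool = False                      # "from !{...}"
    quick: bool = True                        # every rule in the thread is quick

    def matches(self, src: str) -> bool:
        in_list = not self.sources or src in self.sources
        return (not in_list) if self.negate else in_list


def evaluate(rules, src: str, default: str = "pass") -> str:
    """Verdict for a packet from `src`: PF keeps the last matching rule,
    but a matching 'quick' rule stops evaluation; no match -> default."""
    verdict = default
    for rule in rules:
        if rule.matches(src):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Stuart's macro-expanded form of the two negated rules.
DOUBLE_NOT = [
    Rule("block", {"1.2.3.4"}, negate=True),
    Rule("block", {"2.3.4.5"}, negate=True),
]

# The two-rule replacement: pass the listed sources, block everyone else.
# LISTA/LISTB stand in for the <lista>/<listb> tables (constructed values).
LISTA = {"1.2.3.4"}
LISTB = {"2.3.4.5"}
PASS_THEN_BLOCK = [
    Rule("pass", LISTA | LISTB),
    Rule("block"),                            # from any
]


def verdicts(rules, srcs=("1.2.3.4", "2.3.4.5", "9.9.9.9")) -> dict:
    """Evaluate each sample source against the ruleset."""
    return {s: evaluate(rules, s) for s in srcs}


if __name__ == "__main__":
    print("double NOT:     ", verdicts(DOUBLE_NOT))       # everything blocked
    print("pass then block:", verdicts(PASS_THEN_BLOCK))  # only the lists pass
```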