> I am structuring my first firewall server. I am having a hard
> time with the following: building a table that holds every IPv4
> address but excludes a given range.
>
> My initial idea was:
>
> table <xxx> { 0/0 !x.b.c/24 }
>
>
> But it is not acceptable.
>
> How would you handle that?
By default, any rule will match 0/0 by just using the "any" or "all"
keywords. Think about it.
So, may I get your words for:
table <xxx> { any !x.b.c/24 }
No. Step back and think about this for a second. By default, any
filter rule will match *everything*. Example:
block in on $ext_if from any to any
(or)
block in on $ext_if all
Stop trying to shoehorn the entire internet into a table. You don't
need to. Use negation to block the bad stuff. Example:
table <bad_hosts> { 1.2.3.4 }
pass in on $ext_if from ! <bad_hosts> to $webserver port 80
Translated, this is the same as saying "pass in on my external
interface, any host *except* 1.2.3.4 to my webserver's port 80."
HTH.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
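To make the negation point concrete, here is an added example (not from the thread and not pf's own code) that models in Python how pf decides a `from ! <table>` match, and how a negated table entry carves a range out of a broader entry. The table name `bad_hosts` and the sample addresses are constructed for illustration; the longest-prefix handling of overlapping entries mirrors pf's radix-tree lookup, where a negated entry that wins the lookup means "not in the table".

```python
"""Model of pf table lookup and rule-level negation (added example,
not code from the mailing-list thread or from pf itself)."""
import ipaddress


def table_contains(entries, addr):
    """Return True if addr is in the table described by entries.

    entries is a list of strings as they would appear inside
    table <name> { ... }: CIDR blocks or single hosts, optionally
    prefixed with '!' to mark a negated (excluded) entry. As in pf,
    the most specific (longest prefix) matching entry decides; if
    that entry is negated, the address is NOT in the table.
    """
    ip = ipaddress.ip_address(addr)
    best = None  # (network, negated) of the longest matching prefix
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    return best is not None and not best[1]


def source_matches(table_entries, src, negate=False):
    """Evaluate the 'from' part of a rule.

    'from <t>'   matches sources that are in the table.
    'from ! <t>' matches every other source, i.e. the whole address
    space minus the table, which is why no 0/0 table is needed.
    """
    in_table = table_contains(table_entries, src)
    return (not in_table) if negate else in_table


# Constructed sample table, as in:  table <bad_hosts> { 1.2.3.4 }
BAD_HOSTS = ["1.2.3.4"]


def evaluate_webserver_rule(src):
    """Model of: pass in on $ext_if from ! <bad_hosts> to $webserver port 80"""
    return source_matches(BAD_HOSTS, src, negate=True)


if __name__ == "__main__":
    for src in ["1.2.3.4", "8.8.8.8", "10.0.0.1"]:
        verdict = "passes" if evaluate_webserver_rule(src) else "does not match"
        print(f"{src:>10}  {verdict}")
    # Excluding a range from a broader block with a negated table entry:
    carved = ["192.0.2.0/24", "!192.0.2.8/29"]
    print("192.0.2.9 in table:", table_contains(carved, "192.0.2.9"))
```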