On 2011/04/08 15:42, Bojidara Marinchovska wrote:
> It is not wrong, but I cannot find out whether it is possible to use negation with
> AND (something like block in quick from !{$a, $b, $c}), and yes, as
> it is typed it will produce exactly this ruleset you wrote.
> 
> So if rules in the conf are defined separately (not interpreted as
> subrules)
> 
> block in quick on $netif from !$test1 to x.x.x.x
> block in quick on $netif from !$test2 to x.x.x.x

let's fill in the macros because they really don't help.

block in quick on netif from !1.2.3.4 to x.x.x.x
block in quick on netif from !2.3.4.5 to x.x.x.x

> why is 1.2.3.4 blocked by the second rule? Shouldn't it be passed
> by the first rule? (rules are read from top to bottom)

the first rule doesn't pass anything, it only blocks: it blocks
everything except for 1.2.3.4

so the only traffic which reaches the second rule is that from 1.2.3.4

the second rule doesn't pass anything, it only blocks: it blocks
everything except for 2.3.4.5

so the second rule is irrelevant because packets from 2.3.4.5 get
blocked at the first rule.

> So the correct question is how to accomplish
> 
> pass in quick on $netif from {$test1, $test2} to x.x.x.x
> block in quick on $netif from any to x.x.x.x
> 
> with only 1 rule?

why do you want only 1 rule? isn't it clearer to use the two rules?
you might be able to do what you want with tables though, see the faq
about negation.
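For reference, here is a pf.conf fragment (an added example, not part of the original thread or of the pf FAQ) that puts the negated two-rule version next to the table-based single rule the reply alludes to. The interface name and the protected address are placeholders; 192.0.2.10 stands in for the thread's x.x.x.x.

```pf
# Added example, not from the original thread. em0 and 192.0.2.10 are
# placeholders (192.0.2.10 replaces the thread's x.x.x.x so the file parses).
netif     = "em0"
protected = "192.0.2.10"

# What the two negated rules actually do, evaluated top to bottom with quick:
#   rule 1 blocks everything except 1.2.3.4 and stops evaluation for it;
#   rule 2 only sees 1.2.3.4, and blocks it because it only exempts 2.3.4.5.
# Net effect: nothing from anywhere reaches $protected.
# block in quick on $netif from !1.2.3.4 to $protected
# block in quick on $netif from !2.3.4.5 to $protected

# Single-rule version. Negating a table negates membership in the whole set,
# whereas negating a { } list expands into one rule per element, which is
# the trap above. Traffic from the two hosts falls through this rule to
# whatever follows (pf passes by default if no later rule matches), so a
# ruleset that starts with "block all" still needs a pass rule for them.
table <allowed> const { 1.2.3.4, 2.3.4.5 }
block in quick on $netif from !<allowed> to $protected

# Equivalent two-rule version from the thread, using the same table.
# pass  in quick on $netif from <allowed> to $protected
# block in quick on $netif from any       to $protected
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and after loading compare `pfctl -sr` against what you wrote: the expanded rule list is where a negated `{ }` list shows up as several separate block rules rather than the single AND-style rule the author expected.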
