I really think this violates your intended "KISS" principle, and you would be a lot better off by simply making a file that contains /somefile and /someotherfile, and loading all that into a 3rd table to be used when you want both, e.g.
    table <listab> persist file "/someotherotherfile"
    block in quick on $if from ! <listab> to D.D.D.D...

However, another way to get the effect you want is:

    pass in on $if from <lista> tag LISTAB
    pass in on $if from <listb> tag LISTAB
    block in quick on $if inet from any to D.D.D.D ! tagged LISTAB

(you can use 'match' instead of 'pass' for the first 2 rules if you're
using a recent enough version of PF)

-Ryan

On Fri, Apr 08, 2011 at 06:39:47PM +0300, Bojidara Marinchovska wrote:
> Yes, I wrote about negation in tables, there are enough examples of its
> usage in the Book Of PF, but it is not what I need ( following KISS )
>
> Anyway thank you all
> I try to accomplish something which is correct to be done with no
> firewall but with other software and I try to use as simple as possible
> rules
>
> I have 2 types of lists with IPs which I put in tables (because these
> IPs change often and I don't want to reload rules, it is easy to add
> just the new IP address)
>
> table<lista> persist file "/somefile"
> table<listb> persist file "/someotherfile"
>
> IPs from list A have to be able to access IP A.A.A.A,B.B.B.B,C.C.C.C,
> D.D.D.D and E.E.E.E for example ( protocol, port )
> IPs from list B have to be able to access for example only D.D.D.D and
> E.E.E.E
>
> # block access to A.A.A.A - C.C.C.C for all except listA
> block in quick on $if inet proto protocol from !<lista> to A.A.A.A...
> port ...
>
> # here I wanted to be able to use something like to allow listA and
> listB to access D.D.D.D and E.E.E.E
> block in quick on $if inet proto protocol from ! {<lista>,<listb> } to
> D.D.D.D,... port ...
> instead of using:
> pass in quick on $if inet proto protocol from {<lista>,<listb> } to
> D.D.D.D ... port ...
> block in quick on $if inet proto protocol from any to D.D.D.D ... port ...
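
Added example (not part of the original thread): the combined-file approach suggested in the reply only works if the third file is kept in step with the two source lists. The sketch below rebuilds it and swaps the running table's contents with `pfctl -T replace`, which does not reload the ruleset. The paths are the thread's placeholders and the function names `merge_lists` and `sync_listab` are hypothetical.

```sh
#!/bin/sh
# Added example: keep the union table <listab> in step with the two lists.
# Paths are the placeholders from the thread; function names are hypothetical.
LISTA=${LISTA:-/somefile}
LISTB=${LISTB:-/someotherfile}
LISTAB=${LISTAB:-/someotherotherfile}

# merge_lists A B: print the de-duplicated union of two table files with
# comments and blank lines removed. Fails if either file is unreadable, so a
# missing list never silently shrinks the union (and blocks its clients).
merge_lists() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    cat "$1" "$2" |
        sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^$' | LC_ALL=C sort -u
}

# sync_listab: write the union file atomically, then replace the contents of
# the running table. No ruleset reload is needed.
sync_listab() {
    tmp=$(mktemp "${LISTAB}.XXXXXX") || return 1
    if merge_lists "$LISTA" "$LISTB" > "$tmp"; then
        mv "$tmp" "$LISTAB"
    else
        rm -f "$tmp"
        return 1
    fi
    pfctl -t listab -T replace -f "$LISTAB"
}
```

Call `sync_listab` after every change to either source list; an address added to only one source file is otherwise still caught by the `! <listab>` block rule.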