I really think this violates your intended "KISS" principle, and you
would be a lot better off by simply making a file that contains
/somefile and /someotherfile, and load all that into one a 3rd table to
be used when you want both, eg.
table <listab> persist file "/someotherotherfile"
block in quick on $if from ! <listab> to D.D.D.D...
However, another way to get the effect you want is:
pass in on $if from <lista> tag LISTAB
pass in on $if from <listb> tag LISTAB
block in quick on $if net from any to D.D.D.D ! tagged LISTAB
(you can use 'match' instead of 'pass' for the first 2 rules if you're
using a recent enough version of PF)
-Ryan
On Fri, Apr 08, 2011 at 06:39:47PM +0300, Bojidara Marinchovska wrote:
> Yes, I wrote about negation in tables, there is enough examples of its
> usage in the Book Of PF, but it is not what I need ( following KISS )
>
> Anyway thank you all
> I try to accomplish something which is correct to be done with no
> firewall but with other software and I try to use as simple as possible
> rules
>
> I have 2 types of lists with IPs which I put in tables (because these
> IPs changes often and I don't want to reload rules, it is easy to add
> just the new IP address)
>
> table<lista> persist file "/somefile"
> table<listb> persist file "/someotherfile"
>
> IPs from list A have to be able to access IP A.A.A.A,B.B.B.B,C.C.C.C,
> D.D.D.D and E.E.E.E for example ( protocol, port )
> IPs from list B have to be able to access for example only D.D.D.D and
> E.E.E.E
>
> # block access to A.A.A.A - C.C.C.C for all except listA
> block in quick on $if inet proto protocol from !<lista> to A.A.A.A...
> port ...
>
> # here I wanted to be able to use something like to allow listA and
> listB to access D.D.D.D and E.E.E.E
> block in quick on $if inet proto protocol from ! {<lista>,<listb> } to
> D.D.D.D,... port ...
> instead of using:
> pass in quick on $if inet proto protocol from {<lista>,<listb> } to
> D.D.D.D ... port ...
> block in quick on $if inet proto protocol from any to D.D.D.D ... port ...
>
>
>
>
>
>
>
>
