Negation in tables for packet filter
Erik Norgaard
norgaard at locolomo.org
Tue Jan 30 19:18:25 UTC 2007
I got this response off-list:
Lowell Gilbert wrote:
> Erik Norgaard <norgaard at locolomo.org> writes:
>
>> table <internet> const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
>> !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
>
> Think about it; this matches *everything*. All possible packets are
> in either !10/8 or !127/8. etc.
This is clear if tables are a simple or'ing of the entries, but the
documentation is somewhat confusing; they give this example
(http://www.openbsd.org/faq/pf/tables.html):
<quote>
table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }
block in on dc0 all
pass in on dc0 from <goodguys> to any
* 172.16.50.5 - narrowest match is 172.16.0.0/16; packet matches the
table and will be passed
* 172.16.1.25 - narrowest match is !172.16.1.0/24; packet matches an
entry in the table but that entry is negated (uses the "!" modifier);
packet does not match the table and will be blocked
* 172.16.1.100 - exactly matches 172.16.1.100; packet matches the
table and will be passed
* 10.1.4.55 - does not match the table and will be blocked
</quote>
so maybe I should add 0/0 to the above list?
Thanks, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
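The lookup rule the FAQ excerpt describes (the narrowest matching entry decides, and a negated entry means the address does not match the table), as an added Python model that is not part of this thread or of pf itself. It evaluates the FAQ's <goodguys> table and the <internet> table from the quoted message, both without and with a 0/0 entry; expanding abbreviated prefixes such as 169.254/16 to dotted-quad form is this model's own handling, assumed to mirror how pf.conf reads them.

```python
import ipaddress

# Entries of the <internet> table quoted in the thread (negated only).
INTERNET_ENTRIES = ["!0/8", "!10/8", "!127/8", "!169.254/16", "!172.16/12",
                    "!192.0.2/24", "!192.168/16", "!198.18/15", "!224/4", "!240/4"]

def parse_table(entries):
    """Parse pf-style table entries such as '!10/8' or '172.16.1.100'.
    Abbreviated prefixes ('169.254/16') are padded with zero octets
    before being handed to ipaddress (assumed to match pf.conf parsing)."""
    parsed = []
    for raw in entries:
        negated = raw.startswith("!")
        addr = raw.lstrip("!")
        net, plen = addr.split("/", 1) if "/" in addr else (addr, "32")
        octets = net.split(".")
        net = ".".join(octets + ["0"] * (4 - len(octets)))
        parsed.append((ipaddress.ip_network(f"{net}/{plen}"), negated))
    return parsed

def table_matches(table, address):
    """Return True if `address` matches the table under the FAQ's rule:
    the narrowest (longest-prefix) entry containing the address decides,
    and a negated entry means the address does not match the table.
    An address covered by no entry does not match either."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]

if __name__ == "__main__":
    goodguys = parse_table(["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"])
    for a in ["172.16.50.5", "172.16.1.25", "172.16.1.100", "10.1.4.55"]:
        print(f"<goodguys> {a}: {'pass' if table_matches(goodguys, a) else 'block'}")
    internet = parse_table(INTERNET_ENTRIES)
    with_default = parse_table(INTERNET_ENTRIES + ["0/0"])
    for a in ["8.8.8.8", "10.1.4.55", "192.168.1.1"]:
        print(f"<internet> {a}: without 0/0={table_matches(internet, a)}"
              f" with 0/0={table_matches(with_default, a)}")
```

Under this rule a table of only negated entries matches no address at all, and adding 0/0 makes every address not covered by a narrower negated entry match.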