Negation in tables for packet filter

Erik Norgaard norgaard at
Sun Jan 28 13:58:58 UTC 2007


I want to create two tables in my packet filter, the first should match 
any valid public ip, so I created a table negating anything reserved:

table <internet> const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
                    !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }

So with the above I should be able to correctly NAT anything going to 
the internet and the rest should not be NAT'ed - either it is locally 
routable or should be blocked.

nat on $dsn_if from { <super> <users> <free> } \
     to <internet> -> ($dsn_if)

This doesn't work as expected, instead I have to remove all negations in 
the table and create a non-internet table and negate that in the nat 
rule. Shouldn't they work equivalently? (I also want to use the 
<internet> table in my filter rules, so I like to define a table).

The second should match unknown local hosts, I have three tables with 
different registered hosts with different access levels, I want to 
redirect unknown hosts to a page explaining what to do to get registered,

rdr on $wlan_if proto tcp from { $wlan_net !<super> !<users> !<free> } \
     to <internet> port http -> port 8000

This doesn't work either, the table is expanded to four rdr rules, and 
they are applied before the nat - even if I place it after in the 
ruleset, so I can't just remove the !<table> and have the rdr catch up 
all that is not nat'ed in the previous nat-rule.

So, how do I create my nat rules so they work as expected - or that is, 
that work as I want?

Thanks, Erik

Ph: +34.666334818                      web:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3408 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the freebsd-questions mailing list