counting (not) blocks of IPs in ipfw - please help

Dmitry Pryanishnikov dmitry at atlantis.dp.ua
Thu Jul 13 18:54:21 UTC 2006


Hello!

On Wed, 12 Jul 2006, Brian Candler wrote:
> Firstly, "from any XXX" is giving two different 'from' items. I guess you
> meant "from not { 10.20.0.0/16 or 10.30.0.0/16 }". But that doesn't work
> either:
>
> # ipfw add 00100 count ip from not { 10.20.0.0/16 or 10.30.0.0/16 } to any
>   via fxp0 in
> ipfw: hostname ``{'' unknown
>
> ...
> The obvious boolean transformation doesn't work, since "and" is not allowed
> either: i.e.
>
> # ipfw add 00100 count ip from { not 10.20.0.0/16 and not 10.30.0.0/16 } to
>    any via fxp0 in
> ipfw: missing ")"

  Correct, there is no 'and' keyword in ipfw syntax, since it's redundant:
a simple ',' in address list means 'and'. So this can be written as:

ipfw add 100 count ip from not 10.20.0.0/16,10.30.0.0/16 to any via fxp0 in

since 'not' in the src and dst definitions refers to the whole list:

   addr: [not] {any | me | me6 table(number[,value]) | addr-list | addr-set}

(an '|' is missing between 'me6' and 'table...' here, isn't it?)

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE
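To make the point about `not` concrete, here is a small model of the ipfw address-spec semantics described in the reply. It is an added example, not code from the thread and not part of ipfw: it assumes a simplified grammar (`[not] any | addr-list`, where `addr-list` is a comma-separated list of networks) and uses constructed sample addresses. It checks that `not 10.20.0.0/16,10.30.0.0/16` admits exactly the addresses that both `not 10.20.0.0/16` and `not 10.30.0.0/16` would admit, which is why no `and` keyword is needed.

```python
import ipaddress

# Simplified ipfw source/destination address spec:
#   addr: [not] {any | addr-list}
#   addr-list: network[,network...]
# 'me', 'me6' and table() from the real grammar are deliberately left out.

ANY_NETS = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def parse_addr_spec(spec):
    """Parse an address spec into (negated, [networks]).

    The optional leading 'not' applies to the whole list, not to the
    first element only.
    """
    tokens = spec.split()
    negated = False
    if tokens and tokens[0] == "not":
        negated = True
        tokens = tokens[1:]
    if len(tokens) != 1:
        raise ValueError(f"unsupported address spec: {spec!r}")
    if tokens[0] == "any":
        return negated, list(ANY_NETS)
    nets = [ipaddress.ip_network(part, strict=False) for part in tokens[0].split(",")]
    return negated, nets


def addr_matches(spec, ip):
    """Return True if the address matches the spec (ipfw-style)."""
    negated, nets = parse_addr_spec(spec)
    addr = ipaddress.ip_address(ip)
    in_list = any(addr.version == net.version and addr in net for net in nets)
    # A negated list matches when the address is in none of its members.
    return in_list != negated


def negated_list_equals_conjunction(networks, samples):
    """Check, over the sample addresses, that
         not N1,N2,...,Nk
    admits the same addresses as
         (not N1) and (not N2) and ... and (not Nk).
    Returns True when every sample agrees.
    """
    joint_spec = "not " + ",".join(networks)
    for ip in samples:
        joint = addr_matches(joint_spec, ip)
        separate = all(addr_matches(f"not {net}", ip) for net in networks)
        if joint != separate:
            return False
    return True


# Constructed sample addresses for the demonstration (not from the thread).
SAMPLE_IPS = ["10.20.1.1", "10.30.5.5", "10.40.0.1", "192.0.2.1", "2001:db8::1"]
THREAD_NETS = ["10.20.0.0/16", "10.30.0.0/16"]


if __name__ == "__main__":
    spec = "not " + ",".join(THREAD_NETS)
    for ip in SAMPLE_IPS:
        print(f"{ip:>12}  matches '{spec}': {addr_matches(spec, ip)}")
    print("negated list == conjunction of negations:",
          negated_list_equals_conjunction(THREAD_NETS, SAMPLE_IPS))
```

The rule from the reply, `ipfw add 100 count ip from not 10.20.0.0/16,10.30.0.0/16 to any via fxp0 in`, therefore counts packets whose source is in neither prefix; an address inside either /16 fails the `from` clause and is not counted.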


More information about the freebsd-net mailing list