Solved: Negation in tables for packet filter
Erik Norgaard
norgaard at locolomo.org
Tue Feb 6 23:22:35 UTC 2007
Erik Norgaard wrote:
> I want to create two tables in my packet filter, the first should match
> any valid public ip, so I created a table negating anything reserved:
>
> table <internet> const { !0/8 !10/8 !127/8 !169.254/16 !172.16/12 \
> !192.0.2/24 !192.168/16 !198.18/15 !224/4 !240/4 }
Of course, I could do something different here, defining a table for
<local> networks and negate it. The rest should be caught by the
filtering rules anyway to block non-routable packets.
> I have three tables with
> different registered hosts with different access levels, I want to
> redirect unknown hosts to a page explaining what to do to get registered,
>
> rdr on $wlan_if proto tcp from { $wlan_net !<super> !<users> !<free> } \
> to <internet> port http -> 127.0.0.1 port 8000
This one is solved with:
no rdr on $wlan_if proto tcp from { <super> <users> <free> } \
to <internet> port http
rdr on $wlan_if proto tcp from $wlan_net to !<local> \
port http -> 127.0.0.1 port 8000
However, it would be nice to know if the documentation is incorrect, or
there is a difference in how negation is treated in nat and filter
respectively.
Thanks, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3408 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20070206/f5440f86/smime.bin
More information about the freebsd-questions
mailing list