On 2/12/07, Artyom Goryainov <[EMAIL PROTECTED]> wrote:
> block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if port 80
You will probably want to see the PF FAQ [1] on this, specifically the
section on Lists and Macros. It tells you why you should use tables
for this purpose. The list expands to a set of separate single rules,
for !$me and !$mynet respectively.
To quote from the FAQ:
Beware of constructs like the following, dubbed "negated lists", which
are a common mistake:
pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }
While the intended meaning is usually to match "any address within
10.0.0.0/8, except for 10.1.2.3", the rule expands to:
pass in on fxp0 from 10.0.0.0/8
pass in on fxp0 from !10.1.2.3
References:
1. PF FAQ - Lists and Macros
http://www.openbsd.org/faq/pf/macros.html
--
If you don't know where you're going, any road will get you there.
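The expansion the FAQ describes, modelled as an added example that is not part of the original thread or of PF itself: Python's ipaddress module stands in for PF's address matching, the macro values for $me and $mynet are constructed samples, and the functions compare the negated list (one expanded rule per element, any match blocks) with a single negated table lookup (the negation applies to the table as a whole).

```python
"""Model of PF's expansion of a "negated list" into separate rules,
compared with one negated table lookup.  Added illustration, not PF
source code; ipaddress stands in for PF's address matching."""
import ipaddress

# Constructed sample values standing in for the $me and $mynet macros.
ME = "192.0.2.10"
MYNET = "192.0.2.0/24"


def matches(addr, spec):
    """True if addr is inside spec (host or CIDR string); a leading '!' negates."""
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return (not hit) if negated else hit


def expand_list(specs):
    """PF turns 'from { a, b }' into one rule per element: 'from a', 'from b'."""
    return [[spec] for spec in specs]


def blocked_by_negated_list(src):
    """'block in quick ... from { !$me, !$mynet }':
    after expansion the packet is blocked if ANY of the single rules matches."""
    rules = expand_list(["!" + ME, "!" + MYNET])
    return any(all(matches(src, s) for s in rule) for rule in rules)


def blocked_by_table(src):
    """'table <trusted> { $me, $mynet }' plus 'block in quick ... from !<trusted>':
    one rule, and '!' means 'not in the table as a whole'."""
    trusted = [ME, MYNET]
    return not any(matches(src, s) for s in trusted)


def compare(src):
    """Return (negated_list_blocks, table_blocks) for one source address."""
    return blocked_by_negated_list(src), blocked_by_table(src)


if __name__ == "__main__":
    for src in ("198.51.100.7", ME, "192.0.2.55"):
        print(src, "negated list:", compare(src)[0], "table:", compare(src)[1])
```

Running it shows the difference on a host that is inside $mynet but is not $me (192.0.2.55 here): the expanded "from !$me" rule matches it and, with quick, blocks it, while the table version lets it through as intended. An outside address and $me itself behave the same under both forms, which is why the mistake is easy to miss in a quick test.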