On 2007/03/15 16:00, Ryan Corder wrote:
> > pass out to everyone-apart-from-outside
> > pass out to everyone-apart-from-llcidr
> > This blocks only the intersection of outside and llcidr
> > (probably nobody).
>
> ok, so I want:
>
> pass out to everyone-except-from-outside
> pass out to everyone-except-from-llcidr

That's what you're doing now with the { x, y } syntax in a rule, but it's
not what you want: it expands to two fully independent rules, the first
passes almost all traffic from <inside>, and the second rule passes almost
all traffic from <inside>.

> would that be:
>
> pass out on bge0 from <inside> to { any, !<outside>, !<llcidr> }

No, that would expand to three rules, one passing all traffic from <inside>
and the other two as above.

you either need:

pass out on bge0 from <inside>
block out on bge0 from <inside> to { <outside>, <llcidr> }

or:

block quick out on bge0 from <inside> to { <outside>, <llcidr> }
pass out on bge0 from <inside>

alternatively you could have a combined table containing both outside and
llcidr sets of addresses, but you can't nest tables so it's probably more
work to maintain.

the PF faq has something on the subject (tables.html, macros.html).
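The list expansion and last-match behaviour discussed above, modelled in a small Python script. This is an added illustration written for this page, not code from the thread or from pf itself; it models only the pieces of pf.conf the thread turns on (tables of prefixes, `any`, `!` negation on a destination, `pass`/`block`, `quick`, and "last matching rule wins") and ignores interface, direction, protocol and state. The table contents are constructed placeholder prefixes, not the poster's real addresses.

```python
"""Toy model of pf rule expansion and evaluation (added example, not pf code).

A pf rule with { a, b } lists is expanded into one rule per combination,
and each expanded rule is then evaluated on its own.  Without 'quick',
the *last* matching rule decides the verdict.  This is enough to show why
'to { !<outside>, !<llcidr> }' (and the 'any' variant) pass everything,
while the block-then-pass / pass-then-block forms do what was intended.
"""

import ipaddress
from itertools import product

# Constructed placeholder tables; the real addresses are not on the page.
TABLES = {
    "inside":  ["10.0.0.0/8"],
    "outside": ["203.0.113.0/24"],
    "llcidr":  ["169.254.0.0/16"],
}


def addr_matches(spec, addr):
    """True if IP 'addr' matches one pf address element: 'any', '<table>'
    or '!<table>' (negated table)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!").strip("<>")
    ip = ipaddress.ip_address(addr)
    hit = any(ip in ipaddress.ip_network(n) for n in TABLES[name])
    return not hit if negate else hit


def expand(action, src_list, dst_list, quick=False):
    """Expand one rule whose from/to are { ... } lists into the cartesian
    product of single-address rules, which is what pf.conf loading does."""
    return [dict(action=action, src=s, dst=d, quick=quick)
            for s, d in product(src_list, dst_list)]


def evaluate(ruleset, src, dst):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which decides immediately.  With no match at all pf passes."""
    verdict = "pass"
    for r in ruleset:
        if addr_matches(r["src"], src) and addr_matches(r["dst"], dst):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict


# What the poster has now: two independent pass rules, each passing almost
# everything, so together they pass everything.
NAIVE = expand("pass", ["<inside>"], ["!<outside>", "!<llcidr>"])

# The proposed 'any' variant: three rules, one of which passes all traffic.
NAIVE_ANY = expand("pass", ["<inside>"], ["any", "!<outside>", "!<llcidr>"])

# Fix 1 from the reply: pass everything, then block the two tables
# (the later block rules are the last match for those destinations).
FIX_LAST_MATCH = (expand("pass", ["<inside>"], ["any"])
                  + expand("block", ["<inside>"], ["<outside>", "<llcidr>"]))

# Fix 2 from the reply: block quick first, then pass the rest.
FIX_QUICK = (expand("block", ["<inside>"], ["<outside>", "<llcidr>"], quick=True)
             + expand("pass", ["<inside>"], ["any"]))

# Constructed sample destinations, one per interesting case.
SAMPLES = {
    "outside": "203.0.113.5",
    "llcidr":  "169.254.1.1",
    "other":   "198.51.100.7",
}


def verdicts(ruleset, src="10.1.2.3"):
    """Verdict of 'ruleset' for a packet from 'src' to each sample destination."""
    return {label: evaluate(ruleset, src, dst) for label, dst in SAMPLES.items()}


if __name__ == "__main__":
    for name, rs in [("NAIVE", NAIVE), ("NAIVE_ANY", NAIVE_ANY),
                     ("FIX_LAST_MATCH", FIX_LAST_MATCH), ("FIX_QUICK", FIX_QUICK)]:
        print(name, "expands to", len(rs), "rules ->", verdicts(rs))
```

Running it prints the expanded rule count and the verdict for a packet from <inside> to each sample destination: both naive forms pass the traffic to <outside> and <llcidr>, while both fixes block it and still pass everything else. On a real box the same check is `pfctl -nvf /etc/pf.conf`, which prints the expanded rules without loading them.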