On Fri, 2007-03-16 at 19:29 +0100, Almir Karic wrote:
> the {} thingy is strictly text expansion, which means your rules expand to:
>
> pass out on bge0 from <inside> to any
> pass out on bge0 from <inside> to !<outside>
> pass out on bge0 from <inside> to any
> pass out on bge0 from <inside> to !<llcidr>
>
> if you use ''pfctl -sr'' you will see that we were right.
I never disputed that, but in that same vein no one has bothered to
correct my mistake, just continued to point it out.
very simply, this thread could have ended a day or two ago if the
following process would have taken place:
1) is my syntax wrong? YES
2) OK, what is wrong with it? Pointed out and understood.
3) Good, now what is the correct syntax?
number 3 is where we sit. I understand that the {} syntax is for text
expansion. What I don't understand is whether, when someone uses {}, the
list is evaluated as a logical AND or a logical OR. If AND, then the
following should work:
pass out on bge0 from <inside> to { any, !<outside>, !<inside> }
which would evaluate to 'pass ... to (all AND NOT <outside> AND NOT
<inside>)'. But as this is not happening, it leads me to believe that
the {} expansion is evaluated as an OR list. Assuming that is the case,
how does one go about evaluating the list with AND logic?
when you define a table thusly:
table <foo> const { 10.0.4.0/24, !10.0.4.35 }
according to the documentation, that evaluates to 'the entire 10.0.4.0
subnet EXCEPT 10.0.4.35'. is it just by design that when defining a
table, {} is treated differently than when it is used in a rule?
now. given that I have a default block all rule, is it possible to allow
out ALL traffic EXCEPT those packets bound for the addresses listed in
the <outside> and <llcidr> tables without the need for more block rules?
thanks.
ryanc
--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646
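An added illustration, not part of the thread and not code from OpenBSD pf: a simplified Python model of what pfctl's {} text expansion does to the two rules above and how the resulting ruleset behaves under pf's last-match evaluation. The table names are the poster's; the addresses are constructed sample values from documentation ranges, the original two rules are reconstructed from the four expanded rules quoted at the top, and the two alternative rulesets (one combined table with negation, or block-quick rules ahead of a pass-to-any rule) are assumed fixes, not anything proposed in the thread. Only the `to` destination of each rule is evaluated; interface, direction and source are ignored.

```python
"""Model of pf {} list expansion and last-match rule evaluation (added example).

Only the 'to' destination is matched; interface, direction and source are
ignored. Table semantics are reduced to longest-prefix match with '!' negation.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample tables (RFC 5737 ranges), using the names from the post.
# <nopass> is an assumed combined table holding everything to be excluded.
TABLES: Dict[str, List[str]] = {
    "inside": ["10.0.4.0/24", "!10.0.4.35"],
    "outside": ["203.0.113.0/24"],
    "llcidr": ["198.51.100.0/24"],
    "nopass": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Reconstructed from the four expanded rules quoted in the thread.
ORIGINAL_RULES = [
    "pass out on bge0 from <inside> to { any, !<outside> }",
    "pass out on bge0 from <inside> to { any, !<llcidr> }",
]

# Assumed alternatives: negate one combined table, or block first with quick.
COMBINED_TABLE_RULES = ["pass out on bge0 from <inside> to !<nopass>"]
BLOCK_QUICK_RULES = [
    "block out quick on bge0 from <inside> to <outside>",
    "block out quick on bge0 from <inside> to <llcidr>",
    "pass out on bge0 from <inside> to any",
]


def expand_braces(rule: str) -> List[str]:
    """Expand each '{ a, b }' list into one rule per item, as pfctl does.

    The expansion is purely textual: no AND or OR is implied, and each
    resulting rule is later matched on its own."""
    m = re.search(r"\{([^}]*)\}", rule)
    if not m:
        return [" ".join(rule.split())]
    items = [x.strip() for x in m.group(1).split(",") if x.strip()]
    expanded: List[str] = []
    for item in items:
        expanded.extend(expand_braces(rule[:m.start()] + item + rule[m.end():]))
    return expanded


def expand_ruleset(rules: List[str]) -> List[str]:
    return [r for rule in rules for r in expand_braces(rule)]


def in_table(addr: ipaddress.IPv4Address, entries: List[str]) -> bool:
    """Longest-prefix match over the table; a '!' entry excludes its range."""
    best: Optional[Tuple[ipaddress.IPv4Network, bool]] = None
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def dest_matches(spec: str, addr: ipaddress.IPv4Address,
                 tables: Dict[str, List[str]]) -> bool:
    """Match a 'to' operand: any, <table>, !<table>, or an address/CIDR."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("<") and spec.endswith(">"):
        hit = in_table(addr, tables[spec[1:-1]])
    else:
        hit = addr in ipaddress.ip_network(spec, strict=False)
    return hit != negated


def evaluate(rules: List[str], tables: Dict[str, List[str]], dst: str) -> str:
    """Return 'pass' or 'block' for a packet bound for dst.

    pf semantics modelled: the last matching rule wins, unless a matching
    rule carries 'quick', which ends evaluation at once. The default is
    block, mirroring the poster's block-all policy."""
    addr = ipaddress.ip_address(dst)
    decision = "block"
    for rule in expand_ruleset(rules):
        tokens = rule.split()
        dest = tokens[tokens.index("to") + 1]
        if dest_matches(dest, addr, tables):
            decision = tokens[0]
            if "quick" in tokens:
                break
    return decision


if __name__ == "__main__":
    for rule in expand_ruleset(ORIGINAL_RULES):
        print(rule)
    for dst in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(dst, "original:", evaluate(ORIGINAL_RULES, TABLES, dst),
              "combined:", evaluate(COMBINED_TABLE_RULES, TABLES, dst),
              "quick:", evaluate(BLOCK_QUICK_RULES, TABLES, dst))
```

Running it shows why the exclusion in the original rules never takes effect: after expansion, `to any` stands as its own rule and passes a packet to an <outside> address regardless of what `to !<outside>` does, so the list behaves like OR. A negated destination can only exclude the contents of the single table it names, which is why the model's combined-table variant puts both excluded ranges into one table; the block-quick variant keeps the tables separate at the cost of the extra block rules the poster hoped to avoid.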