On Fri, 2007-03-16 at 19:29 +0100, Almir Karic wrote:
> the {} thingy is strictly text expansion, which means your rules expand to:
>
> pass out on bge0 from <inside> to any
> pass out on bge0 from <inside> to !<outside>
> pass out on bge0 from <inside> to any
> pass out on bge0 from <inside> to !<llcidr>
>
> if you use ''pfctl -sr'' you will see that we were right.
I never disputed that, but in that same vein no one has bothered to correct my mistake, just continued to point it out. Very simply, this thread could have ended a day or two ago if the following process had taken place:

1) Is my syntax wrong? YES
2) OK, what is wrong with it? Pointed out and understood.
3) Good, now what is the correct syntax?

Number 3 is where we sit.

I understand that the {} syntax is for text expansion. What I don't understand is whether, when someone uses {}, the list is evaluated as a logical AND or a logical OR. If AND, then the following should work:

pass out on bge0 from <inside> to { any, !<outside>, !<inside> }

which would evaluate to 'pass ... to (all AND NOT <outside> AND NOT <inside>)'. But as this is not happening, it leads me to believe that the {} expansion is evaluated as an OR list. Assuming that is the case, how does one go about evaluating the list with AND logic?

When you define a table thusly:

table <foo> const { 10.0.4.0/24, !10.0.4.35 }

according to the documentation, that evaluates to 'the entire 10.0.4.0 subnet EXCEPT 10.0.4.35'. Is it just by design that when defining a table, {} is treated differently than when it is used in a rule?

Now, given that I have a default block all rule, is it possible to allow out ALL traffic EXCEPT those packets bound for the addresses listed in the <outside> and <llcidr> tables without the need for more block rules?

Thanks.

ryanc
--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646
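As an added example that is not part of the thread (neither Ryan's nor Almir's configuration), the following pf.conf fragment puts the pieces discussed above side by side: the expanded list form exactly as quoted from `pfctl -sr`, and two ways of writing "pass everything except <outside> and <llcidr>" that pf actually evaluates the way the question wants. The interface name bge0 and the table names <inside>, <outside> and <llcidr> are taken from the thread; the addresses, the merged table name <not_out> and the file paths are constructed for illustration.

```pf
# Added example, not from the original thread. bge0 and the table names
# <inside>, <outside>, <llcidr> come from the thread; the addresses below
# are documentation ranges chosen for illustration.
table <inside>  const { 10.0.4.0/24 }
table <outside> const { 192.0.2.0/24 }
table <llcidr>  const { 198.51.100.0/24 }

block all

# 1. The list form. A {} list is pure text expansion, so the rules the
#    thread is arguing about end up in the ruleset (pfctl -sr) as:
#
#      pass out on bge0 from <inside> to any
#      pass out on bge0 from <inside> to !<outside>
#      pass out on bge0 from <inside> to any
#      pass out on bge0 from <inside> to !<llcidr>
#
#    Each expanded rule is matched on its own, so a packet bound for
#    <outside> still matches the "to any" rules and is passed: the list
#    behaves as OR, never as AND.

# 2. Without "quick", the LAST matching rule decides. Pass everything,
#    then block the two tables afterwards; the later block wins for
#    packets to either table, and everything else keeps the pass.
pass out on bge0 from <inside> to any
block out on bge0 from <inside> to { <outside>, <llcidr> }

# 3. Alternative with a single pass rule and no extra block rules:
#    merge the two address sets into one table and negate that table.
#    "!<table>" negates the whole table, which is the AND-NOT the
#    question is after. A table can be loaded from more than one file;
#    the paths are hypothetical. Use this INSTEAD of section 2, not in
#    addition to it (a later "pass ... to any" would override it).
#
# table <not_out> persist file "/etc/pf/outside" file "/etc/pf/llcidr"
# pass out on bge0 from <inside> to !<not_out>

# Checks:
#   pfctl -nf /etc/pf.conf              parse only, no load
#   pfctl -sr                           see the expanded ruleset
#   pfctl -t outside -T test 192.0.2.5  confirm an address is in a table
```

The difference between the two uses of `!` is what makes the table case look like AND: a `!` entry inside a `table` definition removes that address from the table's membership (the most specific entry wins, so `!10.0.4.35` carves a hole in 10.0.4.0/24), whereas `!` in front of a table or address in a rule negates that one expanded rule's match. Neither turns a `{}` list into a conjunction; the conjunction comes from last-match ordering (section 2) or from negating one table that already contains everything to be excluded (section 3).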