On 26 February 2010 20:23:31 Leonardo Carneiro - Veltrac wrote:
> Is it possible to write a rule based on an arbitrary ip rule instead of
> using a full subnet as source address like this?
>
> hosts_allowed="{ 192.168.0.21-40 }"
>
> And even using a single host on this following rule, I get a syntax
> error. Can someone point what is wrong?
>
> host_allowed="192.168.0.21"
> im_server="192.168.1.2"
> block out on $inet_iface inet proto tcp from ! { $host_allowed,
> $im_server } to any port 1863
At first, this rule will NOT do what you think it will do. It expands
(theoretically) to two rules:

    block out on $inet_iface inet proto tcp from ! $host_allowed \
        to any port 1863
    block out on $inet_iface inet proto tcp from ! $im_server \
        to any port 1863

As a result, all traffic will be blocked: traffic from $im_server will be
blocked by the first rule, and traffic from $host_allowed will be blocked
by the second one.

--
Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
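The expansion described in the reply, laid out next to two forms that do what the question intended, as an added pf.conf example that is not part of the original thread. It reuses the macros from the question; the interface name em0 and the table name msn_ok are assumptions.

```pf
# Macros as given in the question; em0 is an assumed interface name.
inet_iface="em0"
host_allowed="192.168.0.21"
im_server="192.168.1.2"

# BROKEN: "! { a, b }" is a negated *list*, and pf expands a list into
# one rule per element, each with its own negation. Check the expansion
# yourself with:   pfctl -nvf /etc/pf.conf
block out on $inet_iface inet proto tcp from ! { $host_allowed, $im_server } to any port 1863
#   -> block out on em0 inet proto tcp from ! 192.168.0.21 to any port 1863
#   -> block out on em0 inet proto tcp from ! 192.168.1.2  to any port 1863
# 192.168.0.21 is blocked by the second rule and 192.168.1.2 by the
# first, so no source is ever allowed out to port 1863.

# FIX 1: negate a table instead. A table is matched as a single set, so
# "! <msn_ok>" means "any address not in the set", which is the intent.
table <msn_ok> { $host_allowed, $im_server }
block out on $inet_iface inet proto tcp from ! <msn_ok> to any port 1863

# FIX 2: avoid negation altogether. pf is last-matching-rule-wins (no
# "quick" here), so a general block followed by a narrower pass lets
# only the listed hosts through and blocks everyone else.
block out on $inet_iface inet proto tcp to any port 1863
pass out on $inet_iface inet proto tcp from { $host_allowed, $im_server } to any port 1863
```

Pick one of the two fixes, not both; either way, re-check the loaded ruleset with pfctl -sr to confirm the rules read the way you expect.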