Re: NAT negation
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NAT negation
- From: Claudio Jeker <cjeker_(_at_)_ee_(_dot_)_ethz_(_dot_)_ch>
- Date: Thu, 25 Jul 2002 22:59:00 +0200
- Mail-followup-to: Claudio Jeker <cjeker_(_at_)_ee_(_dot_)_ethz_(_dot_)_ch>, misc_(_at_)_openbsd_(_dot_)_org
On Thu, Jul 25, 2002 at 10:13:54 -0500, Chris Wage wrote:
> Hi, I have a question regarding the negation (!) operator's use.
>
> I have been trying for some time now to figure out a way to exclude
> more than one host from redirection in NAT and failing.
>
<SNIP>
> rdr on dc1 proto tcp from any to { ! 1.2.3.4/32, 1.2.3.6/32 } port 21
> -> 127.0.0.1 8081
>
> -- This rule loads fine however doesn't work as you might expect, I
> suppose because it evals into two separate rules which essentially
> conflict with each other because ! 1.2.3.4/32 is a subset that
> intersects with ! 1.2.3.6/32.
>
> Can anyone point me in the right direction?
>
This rule expands to:
rdr on dc1 proto tcp from any to ! 1.2.3.4/32 port 21 -> 127.0.0.1 8081
rdr on dc1 proto tcp from any to 1.2.3.6/32 port 21 -> 127.0.0.1 8081
The correct rule should be:
rdr on dc1 proto tcp from any to { ! 1.2.3.4/32, ! 1.2.3.6/32 } port 21 ->
127.0.0.1 8081
--
:wq Claudio
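As an added example (not code from the thread and not pf's own source), the following Python models the two pf behaviours the reply relies on: a `{ ... }` list in a rule is expanded into one rule per member when the rule set is loaded, and for translation rules such as rdr the first matching rule decides (pf.conf(5)). It takes the two rdr rules quoted above exactly as written (interface `dc1`, the 1.2.3.x addresses and the 127.0.0.1 8081 target are the thread's own values), expands them, and evaluates a few constructed FTP destinations against the expanded rules so the reader can check which hosts each rule set actually redirects.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed model of pf.conf list expansion and rdr rule evaluation.
# Added example; it is not pf source code and only handles the rule shape
# used in the thread: rdr on IFACE proto PROTO from any to [!] NET port N -> ADDR PORT

RULE_RE = re.compile(
    r"rdr on (\S+) proto (\S+) from any to (!\s*)?(\S+) port (\d+) -> (\S+) (\d+)"
)

# The two rule sets quoted in the thread, verbatim.
ORIGINAL = ("rdr on dc1 proto tcp from any to { ! 1.2.3.4/32, 1.2.3.6/32 } "
            "port 21 -> 127.0.0.1 8081")
ALL_NEGATED = ("rdr on dc1 proto tcp from any to { ! 1.2.3.4/32, ! 1.2.3.6/32 } "
               "port 21 -> 127.0.0.1 8081")


@dataclass(frozen=True)
class RdrRule:
    iface: str
    proto: str
    dst_net: ipaddress.IPv4Network
    negate: bool          # True when the member was written as "! NET"
    dport: int
    target: str           # "addr:port" the connection is redirected to


def expand_list(rule_text):
    """Expand one `{ a, b, ... }` list into one rule string per member,
    which is what pf does with lists when it loads the rule set."""
    m = re.search(r"\{([^}]*)\}", rule_text)
    if not m:
        return [rule_text]
    members = [x.strip() for x in m.group(1).split(",")]
    return [rule_text[:m.start()] + member + rule_text[m.end():] for member in members]


def parse_rule(text):
    """Parse one already-expanded rdr rule into an RdrRule."""
    m = RULE_RE.fullmatch(" ".join(text.split()))  # normalise whitespace first
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    iface, proto, bang, net, dport, tgt_addr, tgt_port = m.groups()
    return RdrRule(iface, proto, ipaddress.ip_network(net), bang is not None,
                   int(dport), f"{tgt_addr}:{tgt_port}")


def load(rule_text):
    """Expand and parse a rule line, returning the rules pf would actually hold."""
    return [parse_rule(t) for t in expand_list(rule_text)]


def rdr_target(rules, dst_ip, dport, iface="dc1", proto="tcp"):
    """Return the redirection target for a packet, or None if no rule applies.
    For nat/rdr/binat rules the first matching rule decides (pf.conf(5))."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.iface != iface or r.proto != proto or r.dport != dport:
            continue
        in_net = ip in r.dst_net
        # plain member matches when the address is inside the network,
        # a negated member matches when it is outside
        if in_net != r.negate:
            return r.target
    return None


def redirected_hosts(rule_text, hosts=("1.2.3.4", "1.2.3.5", "1.2.3.6")):
    """Map each constructed destination host to where FTP to it ends up."""
    rules = load(rule_text)
    return {h: rdr_target(rules, h, 21) for h in hosts}


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("both negated", ALL_NEGATED)):
        print(f"{name} rule expands to:")
        for t in expand_list(text):
            print("   ", t)
        for host, tgt in redirected_hosts(text).items():
            print(f"    tcp/21 to {host}: {tgt or 'not redirected'}")
```

Each expanded rule carries only one (possibly negated) destination, so at most one of them matches a given address in either rule set; the order in which pf evaluates them therefore does not change the outcome here, and the printed table shows per destination host whether the connection reaches 127.0.0.1:8081 or is left alone.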