
Re: NAT negation



On Thu, Jul 25, 2002 at 10:13:54 -0500, Chris Wage wrote:
> Hi, I have a question regarding the negation (!) operator's use.
> 
> I have been trying for some time now to figure out a way to exclude
> more than one host from redirection in NAT and failing.
> 

<SNIP>

> rdr on dc1 proto tcp from any to { ! 1.2.3.4/32, 1.2.3.6/32 } port 21
> -> 127.0.0.1 8081
> 
> -- This rule loads fine however doesn't work as you might expect, I
> suppose because it evals into two separate rules which essentially
> conflict with each other because ! 1.2.3.4/32 is a subset that
> intersects with ! 1.2.3.6/32.
> 
> Can anyone point me in the right direction?
> 

This rule expands to:
rdr on dc1 proto tcp from any to ! 1.2.3.4/32 port 21 -> 127.0.0.1 8081
rdr on dc1 proto tcp from any to   1.2.3.6/32 port 21 -> 127.0.0.1 8081

The correct rule should be:
rdr on dc1 proto tcp from any to { ! 1.2.3.4/32, ! 1.2.3.6/32 } port 21 ->
127.0.0.1 8081

-- 
:wq Claudio
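The thread turns on how pf expands a brace list into one rule per item and then applies translation rules first-match. The following Python model is an added example, not code from the thread or from pf itself; it expands a destination list the way pf.conf does (the "!" applies only to the item it precedes), evaluates the resulting rdr rules first-match, and also models "no rdr" exclusion rules, so the effect of a candidate ruleset on specific destinations can be checked before it is loaded. The rule class, helper names and the IPv4-only scope are assumptions of this model; the addresses and ports are those from the thread.

```python
# Added example (not from the thread or from pf): a small model of pf's
# brace-list expansion and first-match evaluation of rdr / "no rdr" rules.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RdrRule:
    no_rdr: bool                       # True for a "no rdr" (exclusion) rule
    dst_negated: bool                  # "!" in front of the destination
    dst_net: ipaddress.IPv4Network
    port: int
    target: Optional[str]              # "host port N" for rdr, None for "no rdr"

    def matches(self, dst_ip: str, port: int) -> bool:
        in_net = ipaddress.IPv4Address(dst_ip) in self.dst_net
        dst_ok = (not in_net) if self.dst_negated else in_net
        return dst_ok and port == self.port


def expand_list(items: str) -> List[Tuple[bool, ipaddress.IPv4Network]]:
    """Expand a pf brace list such as "{ ! 1.2.3.4/32, 1.2.3.6/32 }" into
    (negated, network) pairs, one per resulting rule.  As in pf.conf, a "!"
    negates only the single item it precedes, not the whole list."""
    out = []
    for item in items.strip("{} ").split(","):
        item = item.strip()
        negated = item.startswith("!")
        text = item.lstrip("! ").strip()
        net = ipaddress.IPv4Network("0.0.0.0/0" if text == "any" else text,
                                    strict=False)
        out.append((negated, net))
    return out


def build_rules(dst_list: str, port: int, target: Optional[str],
                no_rdr: bool = False) -> List[RdrRule]:
    """One RdrRule per expanded list item, in the order pf would load them."""
    return [RdrRule(no_rdr, neg, net, port, None if no_rdr else target)
            for neg, net in expand_list(dst_list)]


def redirect_for(rules: List[RdrRule], dst_ip: str, port: int) -> Optional[str]:
    """pf applies the first matching translation rule; a matching "no rdr"
    rule stops translation, so its target (None) is returned."""
    for r in rules:
        if r.matches(dst_ip, port):
            return r.target
    return None


TARGET = "127.0.0.1 port 8081"

# Ruleset from the question: "!" on only the first item.
ORIGINAL = build_rules("{ ! 1.2.3.4/32, 1.2.3.6/32 }", 21, TARGET)

# "!" on both items: expands to "to ! 1.2.3.4/32" and "to ! 1.2.3.6/32".
BOTH_NEGATED = build_rules("{ ! 1.2.3.4/32, ! 1.2.3.6/32 }", 21, TARGET)

# "no rdr" exclusions listed before a catch-all rdr rule.
NO_RDR_FIRST = (build_rules("{ 1.2.3.4/32, 1.2.3.6/32 }", 21, None, no_rdr=True)
                + build_rules("{ any }", 21, TARGET))


def excluded_hosts(rules: List[RdrRule], hosts: List[str], port: int) -> List[str]:
    """Hosts in `hosts` that are NOT redirected by `rules` on `port`."""
    return [h for h in hosts if redirect_for(rules, h, port) is None]


if __name__ == "__main__":
    probe = ["1.2.3.4", "1.2.3.5", "1.2.3.6"]
    for name, rules in (("original", ORIGINAL), ("both negated", BOTH_NEGATED),
                        ("no rdr first", NO_RDR_FIRST)):
        print(f"{name:14s} excluded from rdr: {excluded_hosts(rules, probe, 21)}")
```

Running the model shows why the original rule "doesn't work as you might expect": with "!" on only the first item, the second expanded rule ("to ! 1.2.3.4/32") still matches 1.2.3.6, so only 1.2.3.4 is exempt. Negating both items gives two rules that together match every destination, because each host matches the rule negating the other. Listing "no rdr" rules for the hosts to exempt ahead of a catch-all rdr rule exempts exactly those hosts, since pf stops translation at the first matching "no rdr" rule.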