Re: NAT negation
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NAT negation
- From: Hugo Villeneuve <harpagon_(_at_)_jwales_(_dot_)_EINTR_(_dot_)_net>
- Date: Thu, 25 Jul 2002 18:15:43 -0400
On Thu, Jul 25, 2002 at 11:20:34AM -0500, Chris Wage wrote:
> That was actually a typo on my behalf. I meant { ! 1.2.3.4/32, !
> 1.2.3.6/32 } like you said as well, however this has not worked for me
> either. In fact, when I use that syntax, neither IP is excluded.
You may both want to analyse how a list is expanded by pfctl.
In both OpenBSD 3.0 and 3.1, you can do (see the pfctl man page):
"pfctl -s n" for nat.conf rules
"pfctl -s r" for pf.conf rules
After you see the results, you'll understand by yourself why the
! operator doesn't work well in lists.
>
> --Chris
>
> On Thu, Jul 25, 2002 at 10:59:00PM +0200, Claudio Jeker wrote:
> > On Thu, Jul 25, 2002 at 10:13:54 -0500, Chris Wage wrote:
> > > Hi, I have a question regarding the negation (!) operator's use.
> > >
> > > I have been trying for some time now to figure out a way to exclude
> > > more than one host from redirection in NAT and failing.
> > >
In OpenBSD 3.1, you can use the "no" keyword on both rdr and nat
rules to negate a rule, see nat.conf web page.
no rdr on dc0 proto tcp from any to 1.2.3.4/32 port 21
no rdr on dc0 proto tcp from any to 1.2.3.6/32 port 21
rdr on dc0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
Because nat/rdr rules are first match, the exceptions will be caught
by the no rules.
I don't remember for OpenBSD 3.0.
--
Hugo Villeneuve <hugo_(_at_)_EINTR_(_dot_)_net>
http://EINTR.net/
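The two points made in this thread (pfctl expands a { list } into one rule per element, and nat/rdr rules are first match, so "no rdr" exceptions placed before the general rdr rule take effect) can be checked without a firewall by simulating the expansion and the first-match lookup. The following Python script is an added illustration, not code from the thread or from OpenBSD; it models only the destination-address part of a rdr rule (interface, protocol and port are ignored, and the "on dc0 proto tcp ... port 21" text in the rendered output is constructed for readability), and the addresses 1.2.3.4, 1.2.3.6 and 1.2.3.9 are the thread's examples plus one constructed client.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One expanded rdr rule: a single destination match plus an action.

    negate=True models 'to ! x'; action 'no' models 'no rdr' (pass the
    packet through untouched), action 'rdr' models a redirection to target.
    """
    dst: ipaddress.IPv4Network
    negate: bool
    action: str          # "no" or "rdr"
    target: str = ""     # e.g. "127.0.0.1 port 8081" for rdr rules


def parse_dst(token):
    """Turn '1.2.3.4/32', '! 1.2.3.4/32' or 'any' into (network, negate)."""
    token = token.strip()
    negate = token.startswith("!")
    token = token[1:].strip() if negate else token
    net = ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)
    return net, negate


def expand(action, dst_tokens, target=""):
    """Expand a rule written with a { list } the way pfctl does:
    the list becomes one separate rule per element, in order."""
    return [Rule(*parse_dst(t), action, target) for t in dst_tokens]


def matches(rule, dst):
    hit = ipaddress.ip_address(dst) in rule.dst
    return (not hit) if rule.negate else hit


def first_match(rules, dst):
    """nat/rdr evaluation is first match: the first rule that matches wins."""
    for rule in rules:
        if matches(rule, dst):
            return rule
    return None


def decide(rules, dst):
    rule = first_match(rules, dst)
    if rule is None or rule.action == "no":
        return "not redirected"
    return "redirected to " + rule.target


def render(rule):
    """Print a rule roughly as 'pfctl -s nat' would show it after expansion
    (the 'on dc0 proto tcp ... port 21' part is constructed text)."""
    dst = "any" if rule.dst.prefixlen == 0 else str(rule.dst)
    if rule.negate:
        dst = "! " + dst
    line = f"{'no ' if rule.action == 'no' else ''}rdr on dc0 proto tcp from any to {dst} port 21"
    return line + (f" -> {rule.target}" if rule.action == "rdr" else "")


# Constructed ruleset 1: the attempted list negation from the thread,
#   rdr ... to { ! 1.2.3.4/32, ! 1.2.3.6/32 } port 21 -> 127.0.0.1 port 8081
LIST_NEGATION = expand("rdr", ["! 1.2.3.4/32", "! 1.2.3.6/32"], "127.0.0.1 port 8081")

# Constructed ruleset 2: the 'no rdr' exceptions followed by the general rule.
NO_RDR = (expand("no", ["1.2.3.4/32"])
          + expand("no", ["1.2.3.6/32"])
          + expand("rdr", ["any"], "127.0.0.1 port 8081"))


if __name__ == "__main__":
    for name, rules in (("list negation", LIST_NEGATION), ("no rdr", NO_RDR)):
        print(f"--- {name}: as expanded")
        for r in rules:
            print("  " + render(r))
        for host in ("1.2.3.4", "1.2.3.6", "1.2.3.9"):
            print(f"  {host}: {decide(rules, host)}")
```

Running it shows the list form expanding into two rules, "to ! 1.2.3.4/32" and "to ! 1.2.3.6/32": a packet to 1.2.3.4 fails the first rule but matches the second, so it is still redirected, and the same holds for 1.2.3.6. With the "no rdr" form, both hosts hit their exception first and only other destinations reach the catch-all rdr. The real check is still "pfctl -s nat" on the box, which prints the expanded rules the same way.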