
Re: NAT negation



On Thu, Jul 25, 2002 at 11:20:34AM -0500, Chris Wage wrote:
> That was actually a typo on my behalf. I meant { ! 1.2.3.4/32, !
> 1.2.3.6/32 } like you said as well, however this has not worked for me
> either. In fact, when I use that syntax, neither IP is excluded.

You may both want to analyse how a list is expanded by pfctl.

In both OpenBSD 3.0 and 3.1, you can do (see the pfctl man page):

"pfctl -s n" for nat.conf rules
"pfctl -s r" for pf.conf rules

After you see the results, you'll understand by yourself why the
! operator doesn't work well in lists.

> 
> --Chris
> 
> On Thu, Jul 25, 2002 at 10:59:00PM +0200, Claudio Jeker wrote:
> > On Thu, Jul 25, 2002 at 10:13:54 -0500, Chris Wage wrote:
> > > Hi, I have a question regarding the negation (!) operator's use.
> > >
> > > I have been trying for some time now to figure out a way to exclude
> > > more than one host from redirection in NAT and failing.
> > >

In OpenBSD 3.1, you can use the "no" keyword on both rdr and nat
rules to negate a rule, see nat.conf web page.

no rdr on dc0 proto tcp from any to 1.2.3.4/32 port 21
no rdr on dc0 proto tcp from any to 1.2.3.6/32 port 21
rdr on dc0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081

Because nat/rdr rules are first match, the exceptions will be caught
by the no rules.

I don't remember for OpenBSD 3.0.

-- 
Hugo Villeneuve <hugo_(_at_)_EINTR_(_dot_)_net>
http://EINTR.net/
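To make the first-match behaviour discussed in this thread concrete, here is an added Python model of how pfctl expands a { ... } list into separate rules and how rdr rules are then evaluated first-match. It is constructed for this page and is not OpenBSD's or pfctl's code; it only checks the destination address and ignores interface, proto and port.

```python
from ipaddress import ip_address, ip_network

# The "-> 127.0.0.1 port 8081" redirection target from the rules above.
TARGET = ("127.0.0.1", 8081)


def rule(no, dst, negate=False):
    """One rdr rule as it looks after pfctl has expanded any {...} list.
    no=True models a 'no rdr' rule: it matches but performs no translation."""
    return {"no": no, "net": ip_network(dst), "negate": negate}


def broken_rules():
    """rdr on dc0 proto tcp from any to { !1.2.3.4/32, !1.2.3.6/32 } port 21 -> ...
    pfctl expands the list into two rules, each negating only ONE host,
    so each host is still matched (and redirected) by the other rule."""
    return [rule(False, "1.2.3.4/32", negate=True),
            rule(False, "1.2.3.6/32", negate=True)]


def fixed_rules():
    """The OpenBSD 3.1 form from the reply: 'no rdr' exceptions first,
    then the catch-all rdr rule."""
    return [rule(True, "1.2.3.4/32"),
            rule(True, "1.2.3.6/32"),
            rule(False, "0.0.0.0/0")]


def redirect(rules, dst):
    """First-match evaluation: return TARGET for the first matching rdr rule,
    None when the first match is a 'no rdr' rule or nothing matches."""
    addr = ip_address(dst)
    for r in rules:
        if (addr in r["net"]) != r["negate"]:
            return None if r["no"] else TARGET
    return None


if __name__ == "__main__":
    # 192.0.2.10 is a constructed sample host that should still be redirected.
    for name, rules in (("list with !", broken_rules()), ("no rdr", fixed_rules())):
        for host in ("1.2.3.4", "1.2.3.6", "192.0.2.10"):
            print(f"{name:12} {host:11} -> {redirect(rules, host)}")
```

With the negated list both excluded hosts still come back as redirected, which is exactly the symptom reported; with the "no rdr" rules placed first they return None while other hosts are still redirected.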