From owner-freebsd-questions Wed Feb 26 13:41:07 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA05220 for questions-outgoing; Wed, 26 Feb 1997 13:41:07 -0800 (PST)
Received: from cold.org (cold.org [206.81.134.103]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA05212 for ; Wed, 26 Feb 1997 13:41:01 -0800 (PST)
Received: from localhost (brandon@localhost) by cold.org (8.8.5/8.8.3) with SMTP id OAA03515; Wed, 26 Feb 1997 14:40:07 -0700 (MST)
Date: Wed, 26 Feb 1997 14:40:06 -0700 (MST)
From: Brandon Gillespie
To: "Jonathan M. Bresler"
cc: freebsd-questions@freebsd.org
Subject: Re: ipfw rules problems (NOT operator?)
In-Reply-To: <199702262103.NAA03088@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Brandon,
> it seems to me that "deny all not from ${onet}:${omask} to any"
> is the same as "allow all from ${onet}:${omask} to any"
>
> why not:
>
> allow packets from 206.81.134.0
> allow packets "filter based on protocol and port"
> drop all other packets
>
> do i not understand what you wish to achieve?
> in short it is not clear to me what packets you want to allow

They are SORT OF equivalent, _except_ that I want to further add additional rules. When the packet matches 'allow all from blah' it drops out of the rule checking, and isn't affected anymore. This is NOT what I want--I want to further check for ports and protocols.
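The first-match behaviour the reply describes, as an added Python model that is not from the thread or from ipfw itself: a tiny evaluator run over both rule orderings, showing that an early "allow all from onet" ends evaluation before any port rule is reached, while "deny all not from onet" lets local traffic fall through to the port checks. The /24 mask for 206.81.134.0, the `Rule` fields and the port-25 rule are assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of ipfw's first-match evaluation: the first rule whose
# selector matches decides the packet and evaluation stops there.
# 206.81.134.0 is the network from the thread; the /24 mask is assumed.
ONET = ipaddress.ip_network("206.81.134.0/24")

@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    proto: str                               # "all", "tcp" or "udp"
    src: Optional[ipaddress.IPv4Network]     # None means any source
    negate_src: bool = False                 # models the "not" operator
    dport: Optional[int] = None              # None means any destination port

def matches(rule, proto, src_ip, dport):
    proto_ok = rule.proto in ("all", proto)
    src_ok = rule.src is None or src_ip in rule.src
    if rule.negate_src:
        src_ok = not src_ok
    port_ok = rule.dport is None or rule.dport == dport
    return proto_ok and src_ok and port_ok

def evaluate(rules, proto, src, dport):
    """Return (action, index) of the first matching rule; unmatched traffic is denied."""
    ip = ipaddress.ip_address(src)
    for i, rule in enumerate(rules):
        if matches(rule, proto, ip, dport):
            return rule.action, i
    return "deny", None

# The quoted suggestion: allow the local net outright, then filter by port.
ALLOW_FIRST = [
    Rule("allow", "all", ONET),
    Rule("allow", "tcp", None, dport=25),   # assumed port rule for the demo
    Rule("deny", "all", None),
]

# The original intent: drop everything NOT from the local net, then keep
# checking protocol and port for what remains.
NOT_FIRST = [
    Rule("deny", "all", ONET, negate_src=True),
    Rule("allow", "tcp", None, dport=25),
    Rule("deny", "all", None),
]
```

With ALLOW_FIRST a local host reaching tcp/23 is accepted by rule 0 and the port rule never runs; with NOT_FIRST the same packet passes rule 0 and is then decided by the port rules (denied by rule 2 here).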