From owner-freebsd-hackers Wed May 7 00:44:16 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA08445 for hackers-outgoing; Wed, 7 May 1997 00:44:16 -0700 (PDT) Received: from gw.itfs.nsk.su (gw.itfs.nsk.su [193.124.36.33]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id AAA08440 for ; Wed, 7 May 1997 00:44:07 -0700 (PDT) Received: from itfs.UUCP (uucp@localhost) by gw.itfs.nsk.su (8.6.12/8.6.12) with UUCP id OAA18846 for hackers@freebsd.org; Wed, 7 May 1997 14:30:20 +0700 Received: by itfs.nsk.su; Wed, 7 May 97 14:59:34 +0700 (NST) Received: (from daemon@localhost) by news.itfs.nsk.su (8.7.5/8.6.12) id OAA19815; Wed, 7 May 1997 14:35:20 +0700 (NSD) From: "Nickolay N. Dudorov" To: hackers@freebsd.org Subject: Re: divert still broken? Date: 7 May 1997 07:35:19 GMT Message-ID: <5kpbbn$j4n@news.itfs.nsk.su> References: Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Tue, 6 May 1997, Archie Cobbs wrote: > Proposal: > > deny : drop silently (same as before) > reject : send ICMP unreachable (same as before) [...good proposal snipped..] Looks great. > Anything else? :-) Can it be possible to extend 'negative' comparison logic to other filter components f.e. add 4032 deny all from xxx.xxx.xxx.0 to any out via not cx0 (or not via cx0 ?) Currently this is possible for src and dst addresses (and there is no more available flag bits ;-) N.Dudorov