Date: Fri, 17 Jan 1997 17:00:49 +1100 (EDT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: phk@critter.dk.tfs.com (Poul-Henning Kamp)
Cc: hackers@freebsd.org
Subject: Re: ipfw patches to test
Message-ID: <199701170600.WAA12795@freefall.freebsd.org>
In-Reply-To: <2879.853470405@critter.dk.tfs.com> from "Poul-Henning Kamp" at Jan 17, 97 04:06:45 am
In some mail from Poul-Henning Kamp, sie said:
>
> In message <199701170143.RAA01789@freefall.freebsd.org>, Darren Reed writes:
> >> > >
> >> > > Basically you can now say
> >> > >
> >> > > ipfw add deny !from 192.168.23.0/30 to 140.145.230.0/24
> >> > >
> >> What's the difference between the above and
> >>
> >> ipfw add allow from 192.168.23.0/30 to 140.145.230.0/24
> >> ipfw add deny from any to 140.145.230.0/24
>
> In the top case I can go on to filter on the 192.168 -> 140.145 traffic;
> in the bottom case it has all been allowed.

You can filter on 192.168 -> 140.145, but you have to be more careful
about how it is done; typically, you need the order to be most specific
to most general.

IP Filter handles this better:

pass in from 192.168.23.0/32 to 140.145.230.0/24
block in from any to 140.145.230.0/24

Neither rule terminates the search for more "matching" rules later in
the list. You could describe this by saying the "pass" sets up a
template which can be refined.

Darren
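The ordering difference the two messages above turn on, as an added example that is not code from this thread, from ipfw or from IP Filter: a small Python model of both matching disciplines. ipfw stops at the first matching allow/deny rule, so a later, more specific rule placed after a broader one is never consulted; IP Filter examines every rule and lets the last match win, so a later rule refines an earlier one, and only a rule flagged `quick` ends the search early. The `Rule` class, the `shadowed()` helper, the rule lists and the test addresses are all constructed for illustration and match on source/destination address only.

```python
"""Toy model of two packet-filter matching disciplines.

Added example; this is not code from the thread, from ipfw or from IP Filter.
Only source/destination address matching (with optional source negation) is
modelled, which is enough to show why rule order matters differently under
ipfw's first-match discipline and IP Filter's last-match discipline.  All
rule lists and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _net(cidr):
    # "any" is shorthand for the whole IPv4 space
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str               # ipfw: allow/deny/count; IP Filter: pass/block
    src: str                  # CIDR or "any"
    dst: str
    negate_src: bool = False  # ipfw "!from": match when src is NOT in the net
    quick: bool = False       # IP Filter "quick": stop searching on a match

    def matches(self, src_ip, dst_ip):
        src_ok = ip_address(src_ip) in _net(self.src)
        if self.negate_src:
            src_ok = not src_ok
        return src_ok and ip_address(dst_ip) in _net(self.dst)


def first_match(rules, src_ip, dst_ip, default="allow"):
    """ipfw discipline: the first matching allow/deny rule decides and the
    search stops there.  'count' rules match without terminating."""
    for r in rules:
        if r.action != "count" and r.matches(src_ip, dst_ip):
            return r.action
    return default


def last_match(rules, src_ip, dst_ip, default="pass"):
    """IP Filter discipline: every rule is examined and the last match wins,
    so a later rule refines an earlier one; 'quick' ends the search early."""
    verdict = default
    for r in rules:
        if r.matches(src_ip, dst_ip):
            verdict = r.action
            if r.quick:
                break
    return verdict


def shadowed(rules):
    """Under first-match semantics, indexes of rules that an earlier, broader
    allow/deny rule hides completely.  Address containment only; negated
    rules are skipped, so the check is conservative (it may miss shadowing
    but never reports it falsely)."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.action == "count" or earlier.negate_src or later.negate_src:
                continue
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))):
                hidden.append(j)
                break
    return hidden


# ipfw, negated form from the thread, plus a later refinement for one host
IPFW_NEGATED = [
    Rule("deny", "192.168.23.0/30", "140.145.230.0/24", negate_src=True),
    Rule("deny", "192.168.23.1/32", "140.145.230.0/24"),
]

# ipfw, two-rule form from the thread, plus the same refinement appended
IPFW_TWO_RULE = [
    Rule("allow", "192.168.23.0/30", "140.145.230.0/24"),
    Rule("deny", "any", "140.145.230.0/24"),
    Rule("deny", "192.168.23.1/32", "140.145.230.0/24"),  # never reached
]

# IP Filter: general rule first, refinements after it, last match wins
IPF_RULES = [
    Rule("block", "any", "140.145.230.0/24"),
    Rule("pass", "192.168.23.0/30", "140.145.230.0/24"),
    Rule("block", "192.168.23.1/32", "140.145.230.0/24"),
]

# IP Filter with 'quick': the first rule settles the .1 host before the block
IPF_QUICK = [
    Rule("pass", "192.168.23.1/32", "140.145.230.0/24", quick=True),
    Rule("block", "any", "140.145.230.0/24"),
]


if __name__ == "__main__":
    dst = "140.145.230.5"
    for src in ("192.168.23.1", "192.168.23.2", "10.0.0.1"):
        print(src, "->", dst,
              "| ipfw negated:", first_match(IPFW_NEGATED, src, dst),
              "| ipfw two-rule:", first_match(IPFW_TWO_RULE, src, dst),
              "| ipf:", last_match(IPF_RULES, src, dst))
    print("shadowed rules in ipfw two-rule set:", shadowed(IPFW_TWO_RULE))
```

Running it shows the point of the exchange: in the two-rule ipfw set the refinement for 192.168.23.1 is shadowed by the broader allow in front of it and that host is allowed, while the negated single rule leaves the 192.168.23.0/30 -> 140.145.230.0/24 traffic unmatched so later rules can still act on it. Under the IP Filter discipline the same refinement, placed after the rule it refines, takes effect because the last match decides. The `shadowed()` check is the kind of sanity pass worth running over any first-match rule set before loading it.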
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701170600.WAA12795>