From owner-freebsd-hackers Thu Jan 16 22:01:07 1997
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id WAA12808 for hackers-outgoing; Thu, 16 Jan 1997 22:01:07 -0800 (PST)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id WAA12795 for ; Thu, 16 Jan 1997 22:00:58 -0800 (PST)
Message-Id: <199701170600.WAA12795@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA130040849; Fri, 17 Jan 1997 17:00:50 +1100
From: Darren Reed
Subject: Re: ipfw patches to test
To: phk@critter.dk.tfs.com (Poul-Henning Kamp)
Date: Fri, 17 Jan 1997 17:00:49 +1100 (EDT)
Cc: hackers@freebsd.org
In-Reply-To: <2879.853470405@critter.dk.tfs.com> from "Poul-Henning Kamp" at Jan 17, 97 04:06:45 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Poul-Henning Kamp, sie said:
> 
> In message <199701170143.RAA01789@freefall.freebsd.org>, Darren Reed writes:
> >> > > 
> >> > > Basically you can now say
> >> > > 
> >> > > ipfw add deny !from 192.168.23.0/30 to 140.145.230.0/24
> >> > > 
> >> 
> >> What's the difference between the above and
> >> 
> >> ipfw add allow from 192.168.23.0/30 to 140.145.230.0/24
> >> ipfw add deny from any to 140.145.230.0/24
> 
> In the top case I can go on filtering on the 192.168 -> 140.145 traffic;
> in the bottom case it has all been allowed.

You can filter on 192.168 -> 140.145, but you have to be more careful
about how it is done; typically, you need the order to be most specific
to most general.

IP Filter handles this better:

pass in from 192.168.23.0/32 to 140.145.230.0/24
block in from any to 140.145.230.0/24

- neither rule terminates the search for more "matching" rules later
in the list. You could describe this by saying the "pass" sets up a
template which can be refined.

Darren
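An added example, not from this thread, that models the two evaluation orders being compared: ipfw-style first match, where the first matching rule decides and ends the search, and IP Filter-style evaluation, where no rule terminates the search and the last match decides. The Rule class and the default verdict of pass when nothing matches are assumptions; the addresses are the ones quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    src: str                  # CIDR, or "any"
    dst: str                  # CIDR, or "any"
    negate_src: bool = False  # the "!from" negation from the ipfw patch

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        src_net = ANY if self.src == "any" else ipaddress.ip_network(self.src)
        dst_net = ANY if self.dst == "any" else ipaddress.ip_network(self.dst)
        src_hit = ipaddress.ip_address(src_ip) in src_net
        if self.negate_src:          # "!from": match when the source is NOT in the net
            src_hit = not src_hit
        return src_hit and ipaddress.ip_address(dst_ip) in dst_net

def first_match(rules, src_ip, dst_ip, default="pass"):
    """ipfw-style: the first matching rule decides and ends the search."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default

def last_match(rules, src_ip, dst_ip, default="pass"):
    """IP Filter-style: no rule terminates the search; the last match wins,
    so a later, more specific rule refines an earlier, more general one."""
    verdict = default
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            verdict = rule.action
    return verdict

# The two ipfw formulations from the thread, normalised to pass/block.
NEGATED = [Rule("block", "192.168.23.0/30", "140.145.230.0/24", negate_src=True)]
ORDERED = [Rule("pass", "192.168.23.0/30", "140.145.230.0/24"),
           Rule("block", "any", "140.145.230.0/24")]

def compare(src_ip, dst_ip):
    """Verdict for one packet under each rule set and evaluation model."""
    return {
        "ipfw !from": first_match(NEGATED, src_ip, dst_ip),
        "ipfw specific-first": first_match(ORDERED, src_ip, dst_ip),
        "ipfw general-first": first_match(ORDERED[::-1], src_ip, dst_ip),
        "ipf specific-first": last_match(ORDERED, src_ip, dst_ip),
        "ipf general-first": last_match(ORDERED[::-1], src_ip, dst_ip),
    }
```

Running compare("192.168.23.1", "140.145.230.7") shows the ordering dependence: under first match the specific pass must come first, while under last match the general block must come first so that the specific pass can refine it.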