Date:      Thu, 13 Jul 2006 21:59:25 +0300 (EEST)
From:      Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To:        Brian Candler <B.Candler@pobox.com>
Cc:        freebsd-net@freebsd.org, Ensel Sharon <user@dhp.com>
Subject:   Re: counting (not) blocks of IPs in ipfw - please help
Message-ID:  <20060713215647.D73434@atlantis.atlantis.dp.ua>
In-Reply-To: <20060713214311.T73434@atlantis.atlantis.dp.ua>
References:  <Pine.LNX.4.21.0607101838530.12027-100000@shell.dhp.com> <20060712083020.GA2607@uk.tiscali.com> <20060713214311.T73434@atlantis.atlantis.dp.ua>

On Thu, 13 Jul 2006, Dmitry Pryanishnikov wrote:
>> # ipfw add 00100 count ip from { not 10.20.0.0/16 and not 10.30.0.0/16 } to
>>    any via fxp0 in
>> ipfw: missing ")"
>
> Correct, there is no 'and' keyword in ipfw syntax, since it's redundant:
> a simple ',' in address list means 'and'. So this can be written as:

  Umm, sorry, of course ',' means 'or':

 	10.20.0.0/16,10.30.0.0/16 matches 10.20.0.0/16 OR 10.30.0.0/16

> ipfw add 100 count ip from not 10.20.0.0/16,10.30.0.0/16 to any via fxp0 in

  Yet this construction is correct and means exactly that: packets NOT
from (10.20.0.0/16 OR 10.30.0.0/16).


Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail:  dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
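
The address-list behaviour described in the message above, as an added example that is not part of the original e-mail and is not ipfw code. It models only the two facts stated there (`,` is OR, a leading `not` negates the whole list); the function names and sample source addresses are constructed for illustration.

```python
import ipaddress

def parse_addr_list(spec):
    """Parse '[not] net[,net...]' into (negated, [networks])."""
    tokens = spec.split()
    if not tokens:
        raise ValueError("empty address list")
    negated = tokens[0] == "not"
    if negated:
        tokens = tokens[1:]
    if len(tokens) != 1:
        # e.g. 'not A and not B': extra words are not part of the list form
        raise ValueError("expected a single comma-separated list: %r" % spec)
    return negated, [ipaddress.ip_network(n) for n in tokens[0].split(",")]

def list_matches(spec, addr):
    """True if addr matches the list; ',' is OR, 'not' inverts the whole list."""
    negated, nets = parse_addr_list(spec)
    ip = ipaddress.ip_address(addr)
    in_any = any(ip in net for net in nets)
    return in_any != negated

def intended_match(addr):
    """What the original poster wanted: NOT 10.20/16 AND NOT 10.30/16."""
    ip = ipaddress.ip_address(addr)
    return (ip not in ipaddress.ip_network("10.20.0.0/16")
            and ip not in ipaddress.ip_network("10.30.0.0/16"))

def counted(spec, sources):
    """Sources from the sample set that a 'count' rule with this list would hit."""
    return [s for s in sources if list_matches(spec, s)]

# Source list from the corrected rule in the message.
RULE_SRC = "not 10.20.0.0/16,10.30.0.0/16"
# Constructed sample source addresses.
SAMPLES = ["10.20.1.1", "10.30.200.9", "192.0.2.7", "10.40.0.1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "counted" if list_matches(RULE_SRC, s) else "skipped")
```

By De Morgan's law, NOT (A OR B) equals (NOT A) AND (NOT B), so the single negated list gives the result the rejected `and` form was meant to express.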
