[ndbug] PF question

Hrishikesh Murukkathampoondi hrishim at gmail.com
Thu Apr 30 06:53:26 EDT 2015


Hi

I have a PF related question.

The macros section of PF FAQ (http://www.openbsd.org/faq/pf/macros.html) says

-----
Beware of constructs like the following, dubbed "negated lists", which are a common mistake:

pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }
While the intended meaning is usually to match "any address within 10.0.0.0/8, except for 10.1.2.3", the rule expands to:

pass in on fxp0 from 10.0.0.0/8
pass in on fxp0 from !10.1.2.3

-----

But doesn’t PF apply the last matching rule? That means, in this example, 10.1.2.3 will be blocked (as desired) and any other address conforming to 10.0.0.0/8 will be passed through.

Thanks
Hrishi
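The two expanded rules from the FAQ, run through a toy model of PF's rule evaluation. This is an added example, not part of the original post and not pf(4) itself: it only matches on the source address, it models "last matching rule wins" plus the `quick` keyword, and the hypothetical "intended" ruleset (pass the /8, then block the single host) is one way to express the exception the FAQ describes.

```python
"""Toy model of pf rule evaluation for the FAQ's "negated list" example.

Simplification (assumption, not pf(4)): rules match only on the source
address; a rule is "pass" or "block", optionally negated ("from !addr"),
optionally "quick".  Without quick, the last matching rule decides.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    src: str              # network or host in CIDR form, e.g. "10.0.0.0/8"
    negate: bool = False  # True models "from !src"
    quick: bool = False   # True models the "quick" keyword

    def matches(self, addr: str) -> bool:
        hit = ip_address(addr) in ip_network(self.src, strict=False)
        return (not hit) if self.negate else hit


def expand_negated_list(action, addresses):
    """Expand 'from { a, !b }' into the one-rule-per-entry form pfctl
    produces: the list is a macro for several independent rules."""
    rules = []
    for entry in addresses:
        negated = entry.startswith("!")
        rules.append(Rule(action, entry.lstrip("!"), negate=negated))
    return rules


def evaluate(rules, addr, default="block"):
    """pf semantics: the last matching rule wins, unless a matching rule
    is marked quick, in which case evaluation stops there."""
    decision = default
    for rule in rules:
        if rule.matches(addr):
            decision = rule.action
            if rule.quick:
                break
    return decision


# The FAQ's rule, exactly as it expands:
#   pass in on fxp0 from 10.0.0.0/8
#   pass in on fxp0 from !10.1.2.3
NEGATED_LIST = expand_negated_list("pass", ["10.0.0.0/8", "!10.1.2.3"])

# Hypothetical ruleset that does express "the /8 except 10.1.2.3" under
# last-match semantics: pass the network, then block the single host.
INTENDED = [Rule("pass", "10.0.0.0/8"), Rule("block", "10.1.2.3/32")]

# Constructed sample sources: the excepted host, another host in the /8,
# and an address outside the /8 entirely.
SAMPLE_SOURCES = ("10.1.2.3", "10.9.9.9", "192.0.2.1")


def decisions(rules):
    """Map each sample source to the decision the ruleset reaches."""
    return {addr: evaluate(rules, addr) for addr in SAMPLE_SOURCES}


def main():
    for label, ruleset in (("negated list", NEGATED_LIST), ("intended", INTENDED)):
        for addr, verdict in decisions(ruleset).items():
            print(f"{label:13} {addr:12} -> {verdict}")


if __name__ == "__main__":
    main()
```

Running it shows why the FAQ warns about the construct: 10.1.2.3 matches the first expanded rule and simply fails to match the second, so the last matching rule is still a pass; and because `from !10.1.2.3` matches every other address as well, the pair passes traffic from outside 10.0.0.0/8 too.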

