
Re: possible to specify a range of port that are not equal.



On Wed, 13 Nov 2002, Duncan Matthew Stirling wrote:
>
> Is it possible to specify a range of port that are not equal. I tried
> this below and it didn't work.
>
> tcpservices="{  ftp, \
>                 telnet, \
>                 smtp, \
>                 domain, \
>                 www, \
>                 pop3, \
>                 auth, \
>                 netbios-ns, \
>                 netbios-dgm, \
>                 netbios-ssn, \
>                 irc, \
>                 https, \
>                 photuris, \
>                 isakmp, \
>                 548, \
>                 rsync, \
>                 1433, \
>                 mysql, \
>                 631 }"
>
> updservices="{  domain, \
>                 bootps, \
>                 bootpc, \
>                 ntp, \
>                 snmp, \
>                 snmp-trap, \
>                 548, \
>                 631 }"
>
> block in log quick on $ext inet proto tcp \
>         from $trusted port ! $tcpservices to any port $safe
>
> block in log quick on $ext inet proto udp \
>         from $trusted port ! $updservices to any
Negation of host and port list is not possible.
Why don't you just do
pass in quick on $ext inet proto tcp from $trusted port $tcpservices to any port $safe keep state
pass in quick on $ext inet proto udp from $trusted port $updservices to any keep state
block in log quick all
Cheers,
Dries
-- 
Dries Schellekens
email: gwyllion@ulyssis.org
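Below is an added example, not part of the thread and not Dries's or the OpenBSD project's code, showing the whitelist-plus-default-deny ruleset he suggests as a complete pf.conf fragment. The macro values for `ext`, `trusted` and `safe` are constructed placeholders (the thread never defines them), and the service lists are shortened from the original post.

```pf
# Added example (not from the thread): positive service lists with a
# default-deny rule, instead of trying to negate a list.
# Macro values below are constructed placeholders, not from the page.
ext = "em0"
trusted = "{ 192.0.2.0/24, 198.51.100.7 }"
safe = "{ 1024:65535 }"

# Shortened versions of the lists from the original post.
tcpservices = "{ ftp, telnet, smtp, domain, www, pop3, https, rsync, mysql }"
udpservices = "{ domain, bootps, bootpc, ntp, snmp, snmp-trap }"

# Each list expands into one rule per service. "quick" makes the first
# matching rule final, so traffic from these ports never reaches the block.
pass in quick on $ext inet proto tcp from $trusted port $tcpservices \
    to any port $safe keep state
pass in quick on $ext inet proto udp from $trusted port $udpservices \
    to any keep state

# Default deny: anything not explicitly passed above is blocked and logged.
block in log quick all
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to confirm the lists expand as intended before activating the ruleset. The same default-deny structure is why the negated list is unnecessary: instead of describing what to block, the rules describe the only traffic allowed, and the final `block` catches the rest. Note that a bare `block in log all` without `quick` relies on pf's last-match semantics and would override earlier `pass` rules, so either keep `quick` on the pass rules as shown or place the block rule first.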