
RE: RDR rule for ftp-proxy



Clears things up. Moved list to a table and all works as expected.
Thanks
SM
-----Original Message-----
From: Daniel Hartmeier [mailto:[email protected]] 
Sent: Monday, November 08, 2004 8:43 PM
To: Maat, Steve
Cc: [email protected]
Subject: Re: RDR rule for ftp-proxy
On Mon, Nov 08, 2004 at 05:21:46PM -0500, Maat, Steve wrote:
> rdr on em0 proto tcp \
> 	from { !152.12.29.195 , 152.12.0.0/16 } \
> 	to any port 21 -> 127.0.0.1 port 8021
This is a frequently asked question, which the FAQ didn't answer so far;
the following paragraph was just added:
   Beware of constructs like the following, dubbed "negated lists",
   which are a common mistake:

     pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }

   While the intended meaning is usually to match "any address within
   10.0.0.0/8, except for 10.1.2.3", the rule expands to:

     pass in on fxp0 from 10.0.0.0/8
     pass in on fxp0 from !10.1.2.3

   which matches any possible address. Instead, a table should be used.
Let me know if this doesn't clear things up completely, as in that case
the FAQ needs adjusting, too ;)
Daniel
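The pf.conf fragment below is an added example, not a rule from the thread or from the OpenBSD FAQ. It places the negated-list rdr rule quoted above next to a table-based rule with the intended meaning. The interface em0, the 152.12.0.0/16 network, the excepted host 152.12.29.195 and the ftp-proxy listener on 127.0.0.1 port 8021 are taken from the thread; the table name <ftpclients> is an assumption.

```pf
# Added example (not from the thread): negated list beside a table with
# the same intent. Addresses, interface and proxy port come from the
# thread; the table name <ftpclients> is an assumption.

# WRONG: a list is expanded into one rule per element, so this rule
# becomes
#   rdr on em0 proto tcp from !152.12.29.195 to any port 21 -> 127.0.0.1 port 8021
#   rdr on em0 proto tcp from 152.12.0.0/16  to any port 21 -> 127.0.0.1 port 8021
# The first expanded rule matches every source except the excepted host,
# and the second matches the excepted host itself: every source address
# gets redirected to the proxy.
# rdr on em0 proto tcp from { !152.12.29.195, 152.12.0.0/16 } \
#     to any port 21 -> 127.0.0.1 port 8021

# RIGHT: a table is evaluated as a single set. A negated entry removes
# that address from the broader prefix (longest prefix wins), so the
# table contains 152.12.0.0/16 minus 152.12.29.195.
table <ftpclients> { 152.12.0.0/16, !152.12.29.195 }

rdr on em0 proto tcp from <ftpclients> to any port 21 -> 127.0.0.1 port 8021
```

To check the result without touching the running ruleset, parse the file with `pfctl -nf /etc/pf.conf`. Once loaded, `pfctl -sn` prints the translation rules as pf actually holds them, which is also the quickest way to spot a negated list: the single rule in the file shows up as two rules. Table membership can be confirmed with `pfctl -t ftpclients -T test 152.12.29.195` (expected to report no match) and `pfctl -t ftpclients -T test 152.12.1.1` (expected to match).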