Any ideas why this rule won't parse?

ipfw add 10 deny ip from \{ not 127.0.0.1 and not 10.12.34.0/24 \} to any 53 out xmit wan0

ipfw doesn't like and and says: ipfw: missing ")"

I've tried other variants, for example, putting the not in front of the brace expression, putting the two IPs in a table and then saying not table(xyzzy) and nothing will work.

Is there a way to express this with ipfw?

pnadeau
  • Placing `and` inside braces is not valid syntax. Placing `not` in front of braces is not valid syntax. However, placing `not` in front of a `table` declaration should be valid. – Richard Smith Jan 29 '21 at 10:30
  • Additionally, sets of alternative match patterns (or-blocks) can be constructed by putting the patterns in lists enclosed between parentheses ( ) or braces { }, and using the or operator as follows: ipfw add 100 allow ip from { x or not y or z } to any **(Citing from ipfw(5) )** – pnadeau Feb 01 '21 at 21:02
  • Exactly, you have used `and`, but the manual only mentions using `or`. – Richard Smith Feb 01 '21 at 21:07

1 Answer

As already mentioned in comments, inside an {...} or-block the individual options can only be grouped with or conditions. An and condition is implicitly assumed for all the present options, and a not condition can be prefixed to any single option. In the old syntax the rule would be written like this:

ipfw add 10 deny ip from not 127.0.0.1,10.12.34.0/24 to any 53 out xmit wan0

Alternatively, with the new syntax, which does not require from ... to, and instead consists only of a list of arbitrary options:

ipfw add 10 deny proto ip not src-ip 127.0.0.1 not src-ip 10.12.34.0/24 dst-port 53 out xmit wan0
PMc
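As an added example (not part of the original answer), the same deny-DNS-egress policy written with an ipfw lookup table, the form the asker tried and the comments say should be valid: a single `not` in front of the table reference, and the exempt list maintained in the table instead of in the rule. It assumes table 1 is free, interface wan0, rule number 10, and that this ipfw build accepts `not table(N)` as a source spec; `ipfw -n add ...` checks the syntax without touching the running ruleset.

```shell
#!/bin/sh
# Added example: deny outbound DNS on wan0 unless the source is in table 1.
# Assumptions: table 1 unused, interface wan0, rule 10, and "not table(N)"
# accepted as a source spec by this ipfw (verify with: ipfw -n add ...).
EXEMPT_SOURCES="127.0.0.1 10.12.34.0/24"   # constructed from the question

# Emit the commands that populate the table, one "table N add" per entry.
table_setup_cmds() {
    tbl=$1; shift
    for src in "$@"; do
        printf 'ipfw table %s add %s\n' "$tbl" "$src"
    done
}

# Emit the deny rule: one "not" prefixed to the table reference, no braces.
# Arguments: rule number, table number, interface.
deny_rule() {
    printf 'ipfw add %s deny ip from not table(%s) to any 53 out xmit %s\n' "$1" "$2" "$3"
}

# Same policy in the old comma-list syntax from the answer, built from a list
# of sources so the implicit AND / single NOT form is generated, not typed.
# Arguments: rule number, interface, sources...
deny_rule_commalist() {
    num=$1; iface=$2; shift 2
    list=$(printf '%s,' "$@"); list=${list%,}
    printf 'ipfw add %s deny ip from not %s to any 53 out xmit %s\n' "$num" "$list" "$iface"
}

# Print the commands (DRY_RUN=1, the default) or execute them with sh -e.
apply() {
    if [ "${DRY_RUN:-1}" = 1 ]; then cat; else sh -e; fi
}

main() {
    { table_setup_cmds 1 $EXEMPT_SOURCES; deny_rule 10 1 wan0; } | apply
    echo "# equivalent comma-list form:"
    deny_rule_commalist 10 wan0 $EXEMPT_SOURCES
}
main
```

Run it as-is to see the generated commands; set `DRY_RUN=0` to have them executed.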