On Thu, 2007-03-15 at 22:42 +0000, Stuart Henderson wrote:
> No, that would expand to three rules, one passing all traffic from
> <inside> and the other two as above.
>
> you either need:
>
> pass out on bge0 from <inside>
> block out on bge0 from <inside> to { <outside>, <llcidr> }
>
> or:
>
> block quick out on bge0 from <inside> to { <outside>, <llcidr> }
> pass out on bge0 from <inside>
>

Alright, but I already have a default "block everything" rule; why would I
need additional block rules?

> alternatively you could have a combined table containing both
> outside and llcidr sets of addresses, but you can't nest tables
> so it's probably more work to maintain.

Which is too bad.

Alternatively, I did this and it seemed to work:

pass out on bge0 from <inside> to { any, !<outside> }
pass out on bge0 from <inside> to { any, !<llcidr> }

-- 
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646
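The point Stuart is making (a `{ a, b }` list is expanded into one rule per element, and without `quick` the last matching rule wins) is easy to check with a small model. The script below is an added illustration written for this page, not code from the thread or from pf itself: it expands the three rulesets discussed above the way pf does, evaluates a destination against them with last-match-wins semantics and a default block, and shows that `to { any, !<outside> }` still produces a plain `to any` pass rule that overrides the default block. The table contents (203.0.113.0/24 for `<outside>`, 169.254.0.0/16 for `<llcidr>`) and the sample destinations are constructed, and the source address is assumed to already be in `<inside>`, so only the destination is modelled.

```python
"""Toy model of pf list expansion and rule evaluation (added example).

pf expands 'to { a, b }' into one rule per element.  Without 'quick' the
LAST matching rule decides; a matching 'quick' rule stops evaluation.
'!x' matches destinations that are NOT in x.  Only the destination is
modelled; 'from <inside>' is assumed to match.
"""
import ipaddress

# Constructed table contents standing in for the thread's <outside>/<llcidr>.
TABLES = {
    "outside": ["203.0.113.0/24"],   # documentation range, constructed
    "llcidr":  ["169.254.0.0/16"],   # link-local range, constructed
}


def in_set(dst, spec):
    """True if dst matches spec, where spec is 'any', '<table>' or '!<table>'."""
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec == "any":
        hit = True
    else:
        addr = ipaddress.ip_address(dst)
        nets = TABLES[spec.strip("<>")]
        hit = any(addr in ipaddress.ip_network(n) for n in nets)
    return hit != negated


def expand(action, quick, to_list):
    """Expand 'action [quick] ... to { a, b, ... }' into one rule per element."""
    return [(action, quick, spec) for spec in to_list]


def decide(ruleset, dst, default="block"):
    """Evaluate expanded rules against dst: last match wins unless a match is quick.

    Returns (action, index of the deciding rule, or -1 for the default)."""
    result, winner = default, -1
    for i, (action, quick, spec) in enumerate(ruleset):
        if in_set(dst, spec):
            result, winner = action, i
            if quick:
                break
    return result, winner


# Stuart's first form: a pass rule followed by block rules (last match wins).
STUART_A = (expand("pass", False, ["any"])
            + expand("block", False, ["<outside>", "<llcidr>"]))

# Stuart's second form: 'block quick' first, then the pass rule.
STUART_B = (expand("block", True, ["<outside>", "<llcidr>"])
            + expand("pass", False, ["any"]))

# 'to { any, !<outside> }' expands to TWO pass rules, one of them 'to any'.
NEGATED_LIST = (expand("pass", False, ["any", "!<outside>"])
                + expand("pass", False, ["any", "!<llcidr>"]))


def audit(ruleset, destinations):
    """Map each destination to the action the ruleset takes on it."""
    return {dst: decide(ruleset, dst)[0] for dst in destinations}


if __name__ == "__main__":
    samples = ["203.0.113.5", "169.254.1.1", "198.51.100.7"]  # constructed
    for name, rs in [("stuart_a", STUART_A), ("stuart_b", STUART_B),
                     ("negated_list", NEGATED_LIST)]:
        print(name, audit(rs, samples))
```

Running it shows both of Stuart's orderings blocking the `<outside>` and `<llcidr>` destinations while passing everything else, whereas the negated-list version passes all three, because the `to any` element of each list expands into an unconditional pass rule that sits after the default block and therefore wins.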