 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] simplifying packet filter rules
 Date:  Tue, 13 Nov 2007 08:35:37 +0100
Exactly!
And if you have non-aggregatable addressing you will have to put several "not" rules.
It would be nice to have a grouping function for hosts and networks...


Chris Buechler wrote:

> That's correct, but there are more logical and sensible ways to do
> this. Every site should use subnets that can be CIDR summarized. Then
> you can add subnets without changing any of this, and also permit to
> everything *but* your internal subnets in one rule by using
> destination "not" your internal subnets.
> For example, if you use,, etc. through
>, you can summarize with Then allow to
> destination "not" and you have what you're after.

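A worked illustration of the summarisation point discussed above, added here as an example; it is not code from the thread or from m0n0wall, and every subnet in it is a constructed sample value. It computes the single summary block a set of internal subnets can be reduced to, shows the space that summary reserves for future sites, and contrasts it with non-aggregatable addressing, where the only usable summary is 0.0.0.0/0 and one "not" entry per block is needed instead.

```python
"""Added example (not from the m0n0wall thread): CIDR summarisation for a
"permit to destination NOT <internal>" rule. All subnets are constructed."""
from ipaddress import ip_address, ip_network, collapse_addresses


def summarize(subnets):
    """Smallest single prefix that contains every listed subnet.
    It may also cover space not yet assigned to any site; that is what lets
    new subnets be added later without touching the filter rule."""
    nets = [ip_network(s) for s in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()        # stops at /0 at the latest
    return cover


def exact_blocks(subnets):
    """Fewest prefixes covering exactly the listed subnets and nothing else.
    Its length is the number of "not" entries non-aggregatable addressing needs."""
    return list(collapse_addresses(ip_network(s) for s in subnets))


def unallocated_in_summary(subnets):
    """Addresses the summary block reserves beyond the listed subnets; traffic
    to them is treated as internal by the rule, i.e. not passed to the outside."""
    listed = sum(n.num_addresses for n in exact_blocks(subnets))
    return summarize(subnets).num_addresses - listed


def permit_not_internal(dst, internal_blocks):
    """The rule 'pass to destination not <internal>': a destination is
    permitted only if it lies outside every internal block."""
    addr = ip_address(dst)
    return not any(addr in block for block in internal_blocks)


if __name__ == "__main__":
    # Constructed plan: sites 1..3 carved out of a 10.0.0.0/16 pool.
    sites = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
    print("summary:", summarize(sites), "reserves", unallocated_in_summary(sites))
    print("exact blocks:", exact_blocks(sites))
    print("to 203.0.113.5 via summary rule:", permit_not_internal("203.0.113.5", [summarize(sites)]))
    # Constructed non-aggregatable plan: the only common prefix is 0.0.0.0/0,
    # so a single "not summary" rule would permit nothing at all.
    scattered = ["10.1.0.0/24", "172.16.5.0/24", "192.168.9.0/24"]
    print("summary:", summarize(scattered), "-> needs", len(exact_blocks(scattered)), "not entries")
```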