Excluding an address

The firewall rule shown in the following example allows all traffic from the 172.16.1.0/24 network except traffic to the 192.168.1.100 server.

To create an instance that excludes an address, perform the following steps in configuration mode.

Table 1. Excluding an address
Step	Command
Create the configuration node for the FWTEST-5 firewall instance and its rule 10. Give a description for the rule.	`vyatta@R1# set security firewall name NEGATED-EXAMPLE rule 10 description "Allow all traffic from LAN except to server 192.168.1.100"`
Allow all traffic that matches the rule to be accepted.	`vyatta@R1# set security firewall name NEGATED-EXAMPLE rule 10 action accept`
Allow any traffic from the 172.16.1.0/24 network that matches the rule to be accepted.	`vyatta@R1# set security firewall name NEGATED-EXAMPLE rule 10 source address 172.16.1.0/24`
Allow traffic destined anywhere except the 192.168.1.100 destination address that matches the rule to be accepted. That traffic does not match the rule and invokes the implicit “reject all” rule.	`vyatta@R1# set security firewall name NEGATED-EXAMPLE rule 10 destination address !192.168.1.100`
Apply the NEGATED-EXAMPLE instance to inbound packets on dp0p1p1.	`vyatta@R1# set interfaces dataplane dp0p1p1 firewall in NEGATED-EXAMPLE`
Commit the configuration.	`vyatta@R1# commit`
Show the configuration.	`vyatta@R1# show security firewall name NEGATED-EXAMPLE { rule 10 { action accept description "Allow all traffic from LAN except to server 192.168.1.100" destination { address !192.168.1.100 } source { address 172.16.1.0/24 } } } vyatta@R1# show interfaces dataplane dp0p1p1 dataplane dp0p1p1 { address 172.16.1.1/24 firewall { in NEGATED-EXAMPLE } }`

Vyatta documentation