Re: (PM) Shorter filter command (fwd)

MegaZone (megazone@megazone.org)
Tue, 24 Feb 1998 05:37:15 -0800 (PST)

>Here are sample rules to allow hosts in xxx to access ports 5000-5010 on a
>particular machine (and deny everything else):
>
>1 permit xxx.xxx.xxx.0/24 10.1.1.1/32 gt 4999
>2 permit xxx.xxx.xxx.0/24 10.1.1.1/32 lt 5011
>3 deny

First of all this is bogus - where is 'src' or 'dst' - a socket with no
specifier should never be used. AFAIK behavior is undefined.

And even if it were there, this would permit connections to ALL ports!
Any port over 4999 would see rule 1 and be permitted. Any port under 5000
would not match and would see rule two - and being less than 5011 would
be permitted! So all packets to 10.1.1.1/32 would be ok!

I've done this sort of thing countless times.

You want
1 deny x.x.x.0/24 10.1.1.1/32 dst gt 5010
2 permit x.x.x.0/24 10.1.1.1/32 dst gt 4999
3 deny

Anything over 5010 is denied by rule 1, then anything over 4999 is
permitted by rule two - but this has already been capped at 5010 by
rule one. Then anything less than 5000 is denied.

-MZ

--
<URL:mailto:megazone@megazone.org> Gweep, author, webmaster, human being, me
"A little nonsense now and then, is relished by the wisest men" 508-791-9803
<URL:mailto:megazone@gweep.net> <URL:http://www.megazone.org/> Hail Discordia!

- To unsubscribe, email 'majordomo@livingston.com' with 'unsubscribe portmaster-users' in the body of the message. Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
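As an added illustration of the first-match behaviour MegaZone describes (example code, not part of the original post or the PortMaster software): a small evaluator for filter lines of the quoted form, run over every destination port to compare the quoted rule set with the corrected one. The 192.0.2.0/24 source prefix is a constructed placeholder for the "xxx" network, and only destination-port tests are modelled.

```python
"""Added example (not from the original post): first-match evaluation of
PortMaster-style 'permit/deny src dst [src|dst] gt|lt port' filter lines."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    side: Optional[str] = None  # "src", "dst", or None (no port clause)
    op: Optional[str] = None    # "gt" or "lt"
    port: Optional[int] = None

def parse_rule(line: str) -> Rule:
    """Parse '<n> permit|deny [src dst src|dst gt|lt port]'.
    A port test without an explicit src/dst keyword is rejected, since the
    post notes that form has undefined behaviour."""
    toks = line.split()[1:]          # drop the leading rule number
    if len(toks) == 1:
        return Rule(toks[0])
    action, _src, _dst, *rest = toks
    if len(rest) != 3 or rest[0] not in ("src", "dst"):
        raise ValueError(f"port test needs a src/dst qualifier: {line!r}")
    return Rule(action, rest[0], rest[1], int(rest[2]))

def evaluate(rules, dport: int) -> str:
    """First matching rule wins; anything unmatched falls to implicit deny."""
    for r in rules:
        if r.op is None:
            return r.action          # bare permit/deny matches everything
        if r.side == "dst" and (dport > r.port if r.op == "gt" else dport < r.port):
            return r.action
    return "deny"

def permitted_ports(text: str, lo: int = 1, hi: int = 65535):
    rules = [parse_rule(ln) for ln in text.strip().splitlines()]
    return [p for p in range(lo, hi + 1) if evaluate(rules, p) == "permit"]

# The quoted set, with 'dst' supplied so the comparisons are well defined.
BROKEN = """
1 permit 192.0.2.0/24 10.1.1.1/32 dst gt 4999
2 permit 192.0.2.0/24 10.1.1.1/32 dst lt 5011
3 deny
"""
# MegaZone's corrected set.
FIXED = """
1 deny 192.0.2.0/24 10.1.1.1/32 dst gt 5010
2 permit 192.0.2.0/24 10.1.1.1/32 dst gt 4999
3 deny
"""

if __name__ == "__main__":
    print(len(permitted_ports(BROKEN)), "ports permitted by the quoted set")
    print(permitted_ports(FIXED)[0], "-", permitted_ports(FIXED)[-1])
```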