When setting a rule to use source/destination address lists it would be helpful to be able to choose more than one, this would give you great flexibility.
For example, you have several Class Cs that you know carry mainly illegitimate traffic, and you wish to block outbound traffic to them, so you put in:
add chain=forward dst-address-list=BlacklistedCs-addr action=drop comment="Drop Known Illegitimate outbound" disabled=no
add list=BlacklistedCs-addr address=206.142.17.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=211.7.81.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=207.243.117.0/24 comment="" disabled=no
This does properly block all 3 Class Cs you wished to; however, a customer calls complaining they can't reach a specific website. When you check the specific IP it is 211.7.81.87, which of course is inside the 211.7.81.0 Class C you're blocking.
To correct this currently you need to edit your original rule to:
add chain=forward dst-address=!211.7.81.87/32 dst-address-list=BlacklistedCs-addr action=drop comment="Drop Known Illegitimate outbound" disabled=no
This accomplishes this just fine, UNTIL customer #2 calls and they visit a website at 207.243.117.13.
So now you're in a pickle: you can't just make a second address-list and exclude it, as you can only pick one, so you're stuck.
My current solution is now this (many extra steps for something that should be simple):
;;Modified rule to jump to a handling routine instead of simple exclude
add chain=forward dst-address-list=BlacklistedCs-addr action=jump jump-target=blacklist-handling comment="Jump to handle Illegitimate access" disabled=no
;;Chain Handling Blacklisted
add chain=blacklist-handling dst-address-list=Exc-BlacklistedCs-addr action=accept comment="Do not dump Excluded IPs" disabled=no
add chain=blacklist-handling action=drop comment="Drop any not passing exclusions" disabled=no
;;Blacklisted Class Cs
add list=BlacklistedCs-addr address=206.142.17.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=211.7.81.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=207.243.117.0/24 comment="" disabled=no
;;Allowed single IPs inside the Class Cs to function
add list=Exc-BlacklistedCs-addr address=211.7.81.87/32 comment="" disabled=no
add list=Exc-BlacklistedCs-addr address=207.243.117.13/32 comment="" disabled=no
My suggestion would work something like this to accomplish the same thing:
;;Only Change from original is a second dst-address-list to match or not match, in this case, not match:
add chain=forward dst-address-list=BlacklistedCs-addr dst-address-list=!Exc-BlacklistedCs-addr action=drop comment="Drop Known Illegitimate outbound" disabled=no
;;Utilizing Same Address Lists as above
add list=BlacklistedCs-addr address=206.142.17.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=211.7.81.0/24 comment="" disabled=no
add list=BlacklistedCs-addr address=207.243.117.0/24 comment="" disabled=no
add list=Exc-BlacklistedCs-addr address=211.7.81.87/32 comment="" disabled=no
add list=Exc-BlacklistedCs-addr address=207.243.117.13/32 comment="" disabled=no
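As an added illustration (not part of the original post or of RouterOS itself), the following Python simulation evaluates both the two-chain workaround and the proposed dual-list rule against sample destinations. The chain names, rule order and address-list entries are taken from the post; the evaluator, the `dst_lists` matcher representation and the sample addresses 206.142.17.5 and 198.51.100.10 are constructed here.

```python
import ipaddress

# Address lists, copied from the entries in the post.
ADDRESS_LISTS = {
    "BlacklistedCs-addr": ["206.142.17.0/24", "211.7.81.0/24", "207.243.117.0/24"],
    "Exc-BlacklistedCs-addr": ["211.7.81.87/32", "207.243.117.13/32"],
}


def in_address_list(dst, list_name):
    """True if dst falls inside any prefix of the named address list."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(cidr, strict=False)
               for cidr in ADDRESS_LISTS[list_name])


def rule_matches(rule, dst):
    """A rule carries (list_name, negated) pairs; every pair must hold for a match.
    (negated=True models the proposed dst-address-list=!Exc-BlacklistedCs-addr.)"""
    for list_name, negated in rule.get("dst_lists", []):
        if in_address_list(dst, list_name) == negated:
            return False
    return True


def evaluate(chains, chain_name, dst):
    """Walk a chain top to bottom. Returns 'accept' or 'drop' for a terminating
    action, or None when no rule terminates (the chain falls through)."""
    for rule in chains[chain_name]:
        if not rule_matches(rule, dst):
            continue
        action = rule["action"]
        if action == "jump":
            verdict = evaluate(chains, rule["target"], dst)
            if verdict is not None:
                return verdict
            continue  # jumped-to chain fell through: resume in the calling chain
        return action
    return None


# The post's current workaround: forward jumps to a handling chain that
# accepts excluded hosts first, then drops everything else.
WORKAROUND = {
    "forward": [
        {"dst_lists": [("BlacklistedCs-addr", False)],
         "action": "jump", "target": "blacklist-handling"},
    ],
    "blacklist-handling": [
        {"dst_lists": [("Exc-BlacklistedCs-addr", False)], "action": "accept"},
        {"dst_lists": [], "action": "drop"},
    ],
}

# The post's proposal: one rule matching the blacklist AND NOT the exclusion list.
PROPOSED = {
    "forward": [
        {"dst_lists": [("BlacklistedCs-addr", False),
                       ("Exc-BlacklistedCs-addr", True)],
         "action": "drop"},
    ],
}


def verdict(chains, dst):
    """Final decision for a destination, 'fallthrough' if no rule terminated."""
    return evaluate(chains, "forward", dst) or "fallthrough"


if __name__ == "__main__":
    # Sample destinations (constructed): one blocked host, both excluded hosts,
    # and an address outside every list.
    for dst in ["206.142.17.5", "211.7.81.87", "207.243.117.13", "198.51.100.10"]:
        print(dst, "workaround:", verdict(WORKAROUND, dst),
              "proposed:", verdict(PROPOSED, dst))
```

The simulation shows one behavioural difference worth keeping in mind when comparing the two: the workaround's `action=accept` inside `blacklist-handling` terminates processing for an excluded host, so no later rule in `forward` can ever drop it, whereas the proposed single rule simply does not match an excluded host and leaves it to any rules that follow.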