cluber, in principle I think that's right, but it's simpler the way the man page puts it.
Code:
If you administer one or more subnets, you can take advantage of the
address sets and or-blocks and write extremely compact rulesets which
selectively enable services to blocks of clients, as below:
goodguys="{ 10.1.2.0/24{20,35,66,18} or 10.2.3.0/28{6,3,11} }"
badguys="10.1.2.0/24{8,38,60}"
ipfw add allow ip from ${goodguys} to any
ipfw add deny ip from ${badguys} to any
... normal policies ...
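
An added example, not part of the post or of the ipfw man page: a small sh helper that expands the addr/masklen{list} sets quoted above and lists hosts present in both variables. ipfw stops at the first matching rule, so such a host would hit the earlier allow rule and never reach the deny. The function names and the `clash` value are made up for the illustration; the sketch assumes no spaces inside a set and rejects list entries outside the masklen block.

```shell
#!/bin/sh
# expand_set SPEC: print one IPv4 address per line for addr/masklen{list}.
# Assumes no spaces inside SPEC; entries are last-byte values or a-b ranges.
expand_set() {
    base=${1%%\{*}                      # e.g. 10.1.2.0/24
    list=${1#*\{}; list=${list%\}}      # e.g. 20,35,66,18
    addr=${base%/*}; mask=${base#*/}
    [ "$mask" = "$addr" ] && mask=24    # masklen omitted: ipfw assumes 24
    if [ "$mask" -lt 24 ] || [ "$mask" -gt 32 ]; then
        echo "masklen $mask not in 24..32" >&2; return 1
    fi
    prefix=${addr%.*}; last=${addr##*.}
    size=$(( 1 << (32 - mask) ))        # number of addresses in the block
    low=$(( last - last % size )); high=$(( low + size - 1 ))
    oldifs=$IFS; IFS=,; set -- $list; IFS=$oldifs
    for item in "$@"; do
        lo=${item%-*}; hi=${item#*-}    # "7" gives lo=hi=7, "3-5" gives 3 and 5
        if [ "$lo" -lt "$low" ] || [ "$hi" -gt "$high" ] || [ "$lo" -gt "$hi" ]; then
            echo "entry $item outside $low..$high" >&2; return 1
        fi
        v=$lo
        while [ "$v" -le "$hi" ]; do echo "$prefix.$v"; v=$(( v + 1 )); done
    done
}

# expand_rule_var VALUE: expand a whole variable, either a single set or an
# or-block of the form "{ set or set }".
expand_rule_var() {
    for word in $1; do
        case $word in
            '{'|'}'|or) ;;              # or-block punctuation, nothing to expand
            *) expand_set "$word" || return 1 ;;
        esac
    done
}

# overlap A B: print the addresses that appear in both variables.
overlap() {
    { expand_rule_var "$1" | sort -u; expand_rule_var "$2" | sort -u; } | sort | uniq -d
}

# goodguys/badguys are the man page values; clash is a constructed conflict.
goodguys="{ 10.1.2.0/24{20,35,66,18} or 10.2.3.0/28{6,3,11} }"
badguys="10.1.2.0/24{8,38,60}"
clash="10.1.2.0/24{8,35,60}"
echo "goodguys vs badguys: $(overlap "$goodguys" "$badguys" | tr '\n' ' ')"
echo "goodguys vs clash:   $(overlap "$goodguys" "$clash" | tr '\n' ' ')"
```
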