Robert Chalmers
2003-Dec-23 20:09 UTC
address specified as 1.2.3.4/24{128,35-55,89} Is this Correct ????
The man page gives this example, however, when I attempt to use it, it seems to block the whole set?

Could someone tell me what's going wrong here please. Thanks heaps..

This works,
${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}

This blocks the whole IP block, not just the list?
${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}

the man page bit...

list: {num | num-num}[,list]
    Matches all addresses with base address addr (specified as a dotted quad or a hostname) and whose last byte is in the list between braces { } . Note that there must be no spaces between braces and numbers (spaces after commas are allowed). Elements of the list can be specified as single entries or ranges. The masklen field is used to limit the size of the set of addresses, and can have any value between 24 and 32. If not specified, it will be assumed as 24.
    This format is particularly useful to handle sparse address sets within a single rule. Because the matching occurs using a bitmask, it takes constant time and dramatically reduces the complexity of rulesets.
    As an example, an address specified as 1.2.3.4/24{128,35-55,89} will match the following IP addresses: 1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .

Thanks
Robert
hugle
2003-Dec-23 22:25 UTC
address specified as 1.2.3.4/24{128,35-55,89} Is this Correct ????
RC> The man page gives this example, however, when I attempt to use it, it seems
RC> to block the whole set?
RC> Could someone tell me what's going wrong here please. Thanks heaps..
RC> This works,
RC> ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}
RC> This blocks the whole IP block, not just the list?
RC> ${fwcmd} add deny log all from any to
RC> 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}

maybe "156-19 9" ?
You have a space ( " " ) in here, so try out:

${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-199,204-254} in via ${oif}

RC> the man page bit...
RC> list: {num | num-num}[,list]
RC> Matches all addresses with base address addr (specified as a dotted
RC> quad or a hostname) and whose last byte is in the list
RC> between braces { } . Note that there must be no spaces between
RC> braces and numbers (spaces after commas are allowed). Elements
RC> of the list can be specified as single entries or ranges. The
RC> masklen field is used to limit the size of the set of addresses,
RC> and can have any value between 24 and 32. If not specified, it
RC> will be assumed as 24.
RC> This format is particularly useful to handle sparse address sets
RC> within a single rule. Because the matching occurs using a bitmask,
RC> it takes constant time and dramatically reduces the complexity
RC> of rulesets.
RC> As an example, an address specified as 1.2.3.4/24{128,35-55,89}
RC> will match the following IP addresses:
RC> 1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .
RC> Thanks
RC> Robert
RC> _______________________________________________
RC> freebsd-security@freebsd.org mailing list
RC> http://lists.freebsd.org/mailman/listinfo/freebsd-security
RC> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
zk
2003-Dec-27 03:56 UTC
address specified as 1.2.3.4/24{128,35-55,89} Is this Correct ????
On Wed, Dec 24, 2003 at 02:09:12PM +1000, Robert Chalmers wrote:
> The man page gives this example, however, when I attempt to use it, it seems
> to block the whole set?
>
> Could someone tell me what's going wrong here please. Thanks heaps..
>
> This works,
> ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}
>
> This blocks the whole IP block, not just the list?
> ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}
>

Do you use ipfw2? It's not default on FreeBSD 4.x systems.

And maybe you should quote {}

${fwcmd} add deny log all from any to '203.1.96.0/24{2,6-25,27-154,156-199,204-254}' (...)

zk
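An added example, not code from the thread or from ipfw itself: a small Python check of the addr/masklen{list} syntax as the man page excerpt quoted above describes it, useful for validating a rule before loading it. It rejects the "156-19 9" element with the stray space that hugle spotted, accepts the corrected list, and reports which addresses the corrected rule covers. It assumes the list values are offsets from the masked base address (the last byte for the /24 case in the man page) and handles dotted quads only, not hostnames.

```python
import ipaddress
import re

# One list element: a number or a number-number range, nothing else.
# A stray space inside ("156-19 9") does not match and is rejected.
_ITEM = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")

def parse_address_set(spec):
    """Parse 'addr[/masklen]{list}'; return (network, set of offsets)."""
    m = re.fullmatch(r"([^/{]+)(?:/(\d+))?\{(.*)\}", spec)
    if not m:
        raise ValueError("not an addr[/masklen]{list} spec: %r" % spec)
    host, masklen, items = m.group(1), m.group(2), m.group(3)
    masklen = 24 if masklen is None else int(masklen)   # default per man page
    if not 24 <= masklen <= 32:
        raise ValueError("masklen must be between 24 and 32")
    # Dotted quads only here; the real ipfw also accepts hostnames.
    network = ipaddress.ip_network("%s/%d" % (host, masklen), strict=False)
    limit = 1 << (32 - masklen)           # size of the block the mask allows
    members = set()
    for i, raw in enumerate(items.split(",")):
        item = raw.lstrip(" ") if i else raw   # spaces only after commas
        im = _ITEM.match(item)
        if im is None:
            raise ValueError("bad list element %r in %r" % (raw, spec))
        lo = int(im.group(1))
        hi = int(im.group(2)) if im.group(2) else lo
        if lo > hi or hi >= limit:
            raise ValueError("range %r outside /%d block" % (item, masklen))
        members.update(range(lo, hi + 1))
    return network, members

def is_valid(spec):
    """True if the spec passes the man page's syntax rules as coded above."""
    try:
        parse_address_set(spec)
        return True
    except ValueError:
        return False

def matches(spec, address):
    """True if address falls in the set described by spec."""
    network, members = parse_address_set(spec)
    addr = ipaddress.ip_address(address)
    if addr not in network:
        return False
    # Assumption: list values are offsets from the masked base address,
    # which for the /24 case is exactly the last byte the man page names.
    return int(addr) - int(network.network_address) in members
```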