Good evening to everyone ...

I am trying to drop some specific ports to specific IPs in internal private IPs ...

My rule is this:

DROP net local:192.168.0.100,192.168.0.254 tcp 1863,5190,6257,6679

The ports are self-explanatory ...

I want to drop all IPs from 192.168.0.100 through 192.168.0.254, but it did not work ...

What am I doing wrong?

Fábio Rabelo

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
--On April 28, 2008 8:19:59 PM -0300 Fábio Rabelo <fabio@fabiorabelo.wiki.br> wrote:

> Good evening to everyone ...
> I am trying to drop some specific ports to specific IPs in internal
> private IPs ...
> My rule is this :
>
> DROP net local:192.168.0.100,192.168.0.254 tcp
> 1863,5190,6257,6679
>
> the ports are self-explanatory ...
> I want to drop all IPs from 192.168.0.100 through 192.168.0.254 but it did
> not work ...
> What am I doing wrong ?

It's a list, not a range. If you want to block a range you must use CIDR notation. EG 192.168.0.0/24 to match 0-255. etc.

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds."
-- Samuel Butler

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
But I do not want to block the entire IP block, just all from 192.168.0.100 upward; I want the IPs below 100 (192.168.0.1 through 192.168.0.99) not to be blocked ...

Is there a way?

Fábio Rabelo

2008/4/28 Michael Loftis <mloftis@wgops.com>:
>
> --On April 28, 2008 8:19:59 PM -0300 Fábio Rabelo
> <fabio@fabiorabelo.wiki.br> wrote:
>
> > Good evening to everyone ...
> > I am trying to drop some specific ports to specific IPs in internal
> > private IPs ...
> > My rule is this :
> >
> > DROP net local:192.168.0.100,192.168.0.254 tcp
> > 1863,5190,6257,6679
> >
> > the ports are self-explanatory ...
> > I want to drop all IPs from 192.168.0.100 through 192.168.0.254 but it did
> > not work ...
> > What am I doing wrong ?
>
> It's a list, not a range. If you want to block a range you must use CIDR
> notation. EG 192.168.0.0/24 to match 0-255. etc.
>
> --
> "Genius might be described as a supreme capacity for getting its
> possessors into trouble of all kinds."
> -- Samuel Butler
Fábio Rabelo wrote:
> Good evening to everyone ...
> I am trying to drop some specific ports to specific IPs in internal
> private IPs ...
> My rule is this :
>
> DROP net local:192.168.0.100,192.168.0.254 tcp
> 1863,5190,6257,6679
>
> the ports are self-explanatory ...
> I want to drop all IPs from 192.168.0.100 through 192.168.0.254 but it did
> not work ...
> What am I doing wrong ?

You need 192.168.0.100-192.168.0.254 with a "-" (you have 192.168.0.100,192.168.0.254 with a ",")

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Fábio Rabelo wrote:
> But I do not want to block the entire IP block,
> just all over 192.168.0.100, I want the IPs below
> 100 (192.168.0.1 through 192.168.0.99) not to be
> blocked ...
> Is there a way?

Rewind a few years, and I was involved in a large networking project (global WAN) with our parent company and its other member companies. I made comments then (that were ignored) that I'll make now ...

If you thought about your addressing in binary then you wouldn't have a problem. A tidy way to deal with such issues is to arrange for your addressing blocks to fit maskable boundaries.

In our case they (thinking in decimal) wanted a scheme like .1-.10 for routers, .11-.20 for network gear (switches etc), .21-.39 for servers, .41-.60 for printers, and so on. On my network I implemented .1-.15 for routers, .16-.23 for network gear, .24-.47 for servers (not quite as elegant, it's two ranges), .48-.79 for printers (ditto, it's two ranges) and so on. I never did manage to persuade anyone else of the benefit to troubleshooting - but hey, if they want to make life difficult for themselves then that's their problem.

So if you put your clients at 128 and above, you could apply 192.168.0.128/25 to select them. This does however include the subnet broadcast address, so you may need to allow for this in some situations (your desired rule wouldn't be bothered since I doubt if any of that traffic is (or should be) broadcast).

And if the answer is that you need more than 127 client addresses available, I'll point out that 192.168.n.n addresses have over 65,000 available to choose from - you don't have to restrict yourself to just 254 !
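The thread turns on two points: Tom's correction that a comma makes a list while a dash makes a range, and the later advice to put hosts on maskable (CIDR) boundaries. The following script is an added example, not Shorewall's own code or anything posted in the thread; it expands the three address forms seen here (comma list, dash range, CIDR block) so a reviewer can count what a rule actually matches before deploying it, list the addresses a rule misses, and see how many CIDR blocks a range like .100-.254 decomposes into compared with .128-.255. The parsing rules are assumptions modelled on the thread's examples, not a reimplementation of Shorewall's parser.

```python
import ipaddress
from typing import List, Set

# Added illustration (not Shorewall's own code): expand the address forms
# seen in the thread -- comma list, dash range, CIDR -- so the difference
# between "100,254" and "100-254" can be counted rather than guessed.


def expand_spec(spec: str) -> Set[ipaddress.IPv4Address]:
    """Return every IPv4 address a Shorewall-style address spec covers.

    A comma separates list members; each member may be a single host,
    an inclusive dash range (lo-hi), or a CIDR block.
    """
    hosts: Set[ipaddress.IPv4Address] = set()
    for member in spec.split(","):
        member = member.strip()
        if "-" in member:
            lo_s, hi_s = member.split("-", 1)
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if hi < lo:
                raise ValueError(f"range end precedes start: {member}")
            hosts.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
        elif "/" in member:
            # Iterating a network yields every address in it, network and
            # broadcast included (the .128/25 caveat raised in the thread).
            hosts.update(ipaddress.IPv4Network(member, strict=False))
        else:
            hosts.add(ipaddress.IPv4Address(member))
    return hosts


def count_hosts(spec: str) -> int:
    """Number of distinct addresses the spec matches."""
    return len(expand_spec(spec))


def matches(spec: str, ip: str) -> bool:
    """True if a rule using this address spec would match the given address."""
    return ipaddress.IPv4Address(ip) in expand_spec(spec)


def uncovered(spec: str, lo: str, hi: str) -> List[str]:
    """Addresses in lo..hi (inclusive) that spec does NOT match.

    An empty list means the rule really covers the range the
    administrator intended; anything else is a gap in the DROP.
    """
    wanted = expand_spec(f"{lo}-{hi}")
    return [str(a) for a in sorted(wanted - expand_spec(spec))]


def to_cidrs(lo: str, hi: str) -> List[str]:
    """Smallest list of CIDR blocks covering lo..hi.

    A range that starts on a maskable boundary collapses to one block;
    one that does not needs many, which is the point made in the thread.
    """
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))]


if __name__ == "__main__":
    posted = "192.168.0.100,192.168.0.254"   # the rule as posted (a list)
    fixed = "192.168.0.100-192.168.0.254"    # Tom's correction (a range)
    print(posted, "matches", count_hosts(posted), "hosts")
    print(fixed, "matches", count_hosts(fixed), "hosts")
    print("addresses missed by the posted rule:",
          len(uncovered(posted, "192.168.0.100", "192.168.0.254")))
    print(".100-.254 as CIDR blocks:", to_cidrs("192.168.0.100", "192.168.0.254"))
    print(".128-.255 as CIDR blocks:", to_cidrs("192.168.0.128", "192.168.0.255"))
    print("192.168.0.128/25 includes the broadcast address:",
          matches("192.168.0.128/25", "192.168.0.255"))
```

Run as-is, the script shows the posted list matching only two hosts while the dash range matches 155, that .100-.254 needs ten CIDR blocks whereas .128-.255 is the single block 192.168.0.128/25, and that the /25 form does include 192.168.0.255, which is the caveat the last message raises.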