From owner-freebsd-questions@FreeBSD.ORG Wed May 2 22:48:58 2007
From: Steve Bertrand
Date: Wed, 02 May 2007 18:48:54 -0400
To: Tun Eler
Cc: freebsd-questions@freebsd.org
Subject: Re: IP FILTER and network address
Message-ID: <46391556.6070108@ibctech.ca>
References: <20070502202911.01FDD7AEB8@ws5-10.us4.outblaze.com> <20070502205030.DD658CA0A4@ws5-11.us4.outblaze.com>
In-Reply-To: <20070502205030.DD658CA0A4@ws5-11.us4.outblaze.com>

Tun Eler wrote:
>> Appending your IP with /8 ends you up with two rules that essentially
>> look like this (AFAIK):
>>
>> pass in quick on $oif proto tcp from 217.0.0.0/8 to $myip port = 22
>> flags S keep state
>>
>
> Oh, of course. I was applying the rule in the wrong direction, from the
> right to the left. Silly :-)

I don't quite know what you mean, but /32 is the single (host) IP, much
like:

192.168.1.3/24 == 192.168.1.1 - 192.168.1.254 (entire 192.168.1 network)

and:

172.16.28.18/16 == 172.16.0.1 - 172.16.255.254 (entire 172.16 network)

...what you had was the entire 217. network ;)

Appending a /32 to an address means this address, and only this address.

Regards,

Steve
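The point in the exchange above is that the prefix length, not the address you typed, decides what an ipfilter "from" clause matches: 217.x.y.z/8 is silently widened to 217.0.0.0/8, while /32 pins it to one host. The following is an added example (not code from the thread or from ipfilter itself) that works this out with Python's standard ipaddress module. The interface name fxp0 and the local address 192.0.2.10 in the rule template are assumptions made for the example; the source prefixes are the ones discussed in the thread.

```python
"""Added example, not from the original thread: show what a CIDR prefix
appended to a host address actually admits in an ipfilter-style rule."""
import ipaddress

# Constructed ipf(5)-style rule. Interface name and local address are
# assumptions for this example, not values from the thread.
RULE_TEMPLATE = ("pass in quick on fxp0 proto tcp from {src} "
                 "to 192.0.2.10 port = 22 flags S keep state")


def rule_network(src: str) -> ipaddress.IPv4Network:
    """Network an ipf 'from' address really covers.

    strict=False mirrors what a packet filter does: host bits beyond the
    prefix length are ignored, so '217.1.2.3/8' becomes 217.0.0.0/8.
    """
    return ipaddress.ip_network(src, strict=False)


def usable_host_range(src: str) -> tuple:
    """First and last usable host, as in the thread's 192.168.1.3/24 example.

    For /31 and /32 there are no reserved network/broadcast addresses, so the
    whole block is returned.
    """
    net = rule_network(src)
    if net.prefixlen >= 31:
        return str(net[0]), str(net[-1])
    return str(net[1]), str(net[-2])


def describe(src: str) -> dict:
    """Summarise what the rule with this 'from' address lets through."""
    net = rule_network(src)
    first, last = usable_host_range(src)
    return {
        "rule": RULE_TEMPLATE.format(src=src),
        "network": str(net),
        "first": first,
        "last": last,
        "addresses": net.num_addresses,
    }


def would_pass(src: str, client: str) -> bool:
    """True if the rule's 'from' clause admits the given client address."""
    return ipaddress.ip_address(client) in rule_network(src)


if __name__ == "__main__":
    # The /8 from the thread admits every host in 217.0.0.0/8; the /32 admits
    # exactly one. 217.200.1.1 is a constructed "stranger" in the same /8.
    for src in ("217.1.2.3/8", "217.1.2.3/32"):
        info = describe(src)
        print(info["rule"])
        print(f"  covers {info['network']} ({info['addresses']} addresses), "
              f"hosts {info['first']} - {info['last']}")
        print(f"  admits 217.200.1.1? {would_pass(src, '217.200.1.1')}")
```

Running it side by side makes the mistake from the thread visible: the /8 rule admits 16,777,216 addresses, any of which could open a TCP connection to port 22, whereas the /32 rule admits only the one host that was intended.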