Date:      Tue, 20 Nov 2001 15:33:35 -0600
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Sheldon Hearn <sheldonh@starjuice.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Specififying IPFW unpriveleged port ranges with a mask
Message-ID:  <20011120213335.GA44741@dan.emsphone.com>
In-Reply-To: <6463.1006291210@axl.seasidesoftware.co.za>
References:  <20011120193021.GE13254@dan.emsphone.com> <6463.1006291210@axl.seasidesoftware.co.za>

In the last episode (Nov 20), Sheldon Hearn said:
> On Tue, 20 Nov 2001 13:30:21 CST, Dan Nelson wrote:
> > How about just use range syntax: 1024-65535?  I'm not sure why
> > someone would want to use port:mask notation.
> 
> Because of the IP_FW_MAX_PORTS limitation?  See ipfw(8).  Have I
> misunderstood the page?

To store a port range or port:mask, ipfw uses 2 entries in the ports
array to store lo+hi, or port+mask, and sets a bit in the rule's
'flags' field saying "first 2 ports are a range / mask".  Take a look
at /usr/include/netinet/ip_fw.h, and the flags:

IP_FW_F_SRNG IP_FW_F_DRNG IP_FW_F_SMSK IP_FW_F_DMSK

A side-effect of this is that you may only use one range or port:mask
clause (and not both) in each rule, and up to IP_FW_MAX_PORTS-2 other
ports.

-- 
	Dan Nelson
	dnelson@allantgroup.com
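To make the storage layout described in the message concrete, here is an added C model (not ipfw's code, and not from the mail) of a rule whose destination-port clause is stored as two leading entries plus individual ports. The flag bit values, the array size of 10 and the matcher are assumptions for this example; the authoritative layout is in /usr/include/netinet/ip_fw.h. The example also shows why the thread's original question has no port:mask answer: a mask tests bits, so 1024:1024 matches 1500 but not 2048, whereas the range 1024-65535 matches both.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of ipfw 1 port storage. Values below are
 * assumptions for this example, not copied from ip_fw.h. */
#define IP_FW_MAX_PORTS 10      /* assumed size of the ports array */
#define IP_FW_F_DRNG    0x0001  /* constructed bit: ports[0..1] are lo,hi */
#define IP_FW_F_DMSK    0x0002  /* constructed bit: ports[0..1] are port,mask */

struct port_rule {
    uint16_t ports[IP_FW_MAX_PORTS];
    int      nports;            /* entries of ports[] in use */
    unsigned flags;
};

/* Fill a rule whose first clause is a range lo-hi, followed by up to
 * IP_FW_MAX_PORTS-2 individual ports. Returns 0, or -1 if it won't fit. */
int rule_with_range(struct port_rule *r, uint16_t lo, uint16_t hi,
                    const uint16_t *extra, int nextra)
{
    if (nextra < 0 || nextra > IP_FW_MAX_PORTS - 2)
        return -1;
    memset(r, 0, sizeof *r);
    r->flags = IP_FW_F_DRNG;
    r->ports[0] = lo;
    r->ports[1] = hi;
    if (nextra > 0)
        memcpy(&r->ports[2], extra, nextra * sizeof *extra);
    r->nports = 2 + nextra;
    return 0;
}

/* Same, but the first clause is port:mask. */
int rule_with_mask(struct port_rule *r, uint16_t port, uint16_t mask,
                   const uint16_t *extra, int nextra)
{
    if (nextra < 0 || nextra > IP_FW_MAX_PORTS - 2)
        return -1;
    memset(r, 0, sizeof *r);
    r->flags = IP_FW_F_DMSK;
    r->ports[0] = port;
    r->ports[1] = mask;
    if (nextra > 0)
        memcpy(&r->ports[2], extra, nextra * sizeof *extra);
    r->nports = 2 + nextra;
    return 0;
}

/* Does a destination port match the rule? The first two entries are
 * interpreted according to the flag; the rest are exact matches. */
int port_match(const struct port_rule *r, uint16_t port)
{
    const uint16_t *p = r->ports;
    int n = r->nports;

    if (n == 0)
        return 1;                       /* no port clause: matches all */
    if (r->flags & IP_FW_F_DMSK) {
        if ((p[0] & p[1]) == (port & p[1]))
            return 1;
        p += 2; n -= 2;
    } else if (r->flags & IP_FW_F_DRNG) {
        if (p[0] <= port && port <= p[1])
            return 1;
        p += 2; n -= 2;
    }
    while (n-- > 0)
        if (*p++ == port)
            return 1;
    return 0;
}

int main(void)
{
    struct port_rule range, mask;
    uint16_t extra[] = { 22, 80 };      /* constructed sample ports */

    rule_with_range(&range, 1024, 65535, extra, 2);
    rule_with_mask(&mask, 1024, 1024, NULL, 0);
    printf("port 2048: range=%d mask=%d\n",
           port_match(&range, 2048), port_match(&mask, 2048));
    return 0;
}
```

Because only one two-entry clause is flagged per rule, a second range in the same rule has nowhere to go; a rule needing two ranges must be split into two rules.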
