Date:      Thu, 16 Aug 2001 09:56:15 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Nate Williams <nate@yogotech.com>
Cc:        Peter Pentchev <roam@ringlet.net>, default - Subscriptions <default013subscriptions@hotmail.com>, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject:   Re: Easy IPFW question...
Message-ID:  <20010816095615.C4232@blossom.cjclark.org>
In-Reply-To: <15224.895.861427.828038@nomad.yogotech.com>; from nate@yogotech.com on Mon, Aug 13, 2001 at 10:42:39AM -0600
References:  <OE26Wd7KKQpQq5pneeF0000b932@hotmail.com> <20010813165603.B1119@ringworld.oblivion.bg> <15224.895.861427.828038@nomad.yogotech.com>

On Mon, Aug 13, 2001 at 10:42:39AM -0600, Nate Williams wrote:
> > > I'm kinda new to IPFW, and I was unable to figure this out by myself...
> > > 
> > > I want to block an I.P. range, say 192.168.0.1, with a netmask of
> > > 255.255.0.0 ...
> > > 
> > > The rule I tried was this:
> > > ipfw add deny log all from 192.168.0.1/16 to any via ed0
> > 
> > Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be
> > also zeroed in the address.
> 
> If so, then the ipfw parser is borken. :(
> 
> It *shouldn't* matter what the last two bytes in this case are, as it
> doesn't matter to any of the other routing protocols.

I cannot reproduce this. On a 4.4-PRERELEASE system,

  vegeta# ipfw add 1000 count ip from 192.168.0.1/16 to any
  01000 count ip from 192.168.0.0/16 to any
  vegeta# ipfw add 1001 count ip from 192.168.0.0/16 to any
  01001 count ip from 192.168.0.0/16 to any
  vegeta# ipfw sh
  01000    12    1268 count ip from 192.168.0.0/16 to any
  01001    12    1268 count ip from 192.168.0.0/16 to any
  65000 17743 4318556 allow ip from any to any
  65535     0       0 deny ip from any to any

The host bits are automatically zeroed in my first ipfw(8)
command. What version is the original poster using? What do the rules
look like when he does a 'show'? This might not be his problem at
all.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
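An added illustration, not code from the thread or from ipfw(8) itself: a small model of the two parser behaviours discussed above. `parse_rule_address` zeroes the host bits the way the `ipfw show` output indicates the real parser does, so `192.168.0.1/16` and `192.168.0.0/16` become the same rule; `naive_matches` models the hypothetical "borken" parser that keeps the address as typed, to show why such a rule would silently never match. The internal representation is an assumption for illustration, not ipfw's actual data structure.

```python
import ipaddress


def _split(spec: str):
    """Split an ipfw-style 'addr/bits' spec into (addr_int, mask_int, bits)."""
    addr_str, _, bits_str = spec.partition("/")
    bits = int(bits_str) if bits_str else 32
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length in {spec!r}")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr_str)), mask, bits


def parse_rule_address(spec: str):
    """Return (network_int, mask_int, bits) with host bits zeroed,
    mirroring what 'ipfw add ... 192.168.0.1/16' is shown to store."""
    addr, mask, bits = _split(spec)
    return addr & mask, mask, bits


def canonical(spec: str) -> str:
    """The address as 'ipfw show' would print it, e.g. '192.168.0.0/16'."""
    net, _, bits = parse_rule_address(spec)
    return f"{ipaddress.IPv4Address(net)}/{bits}"


def host_bits_set(spec: str) -> bool:
    """True when the rule was typed with non-zero host bits, i.e. the
    stored rule differs from what the administrator wrote (worth flagging
    when auditing a ruleset against its source file)."""
    addr, mask, _ = _split(spec)
    return (addr & ~mask & 0xFFFFFFFF) != 0


def matches(spec: str, packet_addr: str) -> bool:
    """Correct prefix match: mask the packet address, compare to the network."""
    net, mask, _ = parse_rule_address(spec)
    return (int(ipaddress.IPv4Address(packet_addr)) & mask) == net


def naive_matches(spec: str, packet_addr: str) -> bool:
    """Hypothetical broken parser: compares the masked packet address
    against the rule address *as typed*. With host bits set in the rule,
    no packet can ever match, so the deny rule is silently ineffective."""
    addr, mask, _ = _split(spec)
    return (int(ipaddress.IPv4Address(packet_addr)) & mask) == addr
```

Comparing `canonical()` of each rule in a ruleset file against the matching `ipfw show` line is a quick way to confirm the host bits were zeroed on the version in use.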
