From owner-freebsd-security Thu Aug 16 11:33:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (oe60.law12.hotmail.com [64.4.18.195]) by hub.freebsd.org (Postfix) with ESMTP id 4F45B37B40C; Thu, 16 Aug 2001 11:33:07 -0700 (PDT) (envelope-from default013subscriptions@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 16 Aug 2001 11:33:07 -0700
X-Originating-IP: [24.14.93.185]
Reply-To: "default - Subscriptions"
From: "default - Subscriptions"
References: <20010813165603.B1119@ringworld.oblivion.bg> <15224.895.861427.828038@nomad.yogotech.com> <20010816095615.C4232@blossom.cjclark.org>
Subject: Re: Easy IPFW question...
Date: Thu, 16 Aug 2001 13:33:04 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
X-OriginalArrivalTime: 16 Aug 2001 18:33:07.0145 (UTC) FILETIME=[E4A09390:01C12681]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

Thanks for the help, y'all. I got this fixed. I think what the deal was, was that I had the rule placed below some other rules that allowed traffic... stupid mistake...

The rule I ended up keeping was this:

ipfw add deny log all from 192.168.0.1/16 to any via ed0

I tested this using another machine on my network, and it worked great.

Thanks!

Jordan

----- Original Message -----
From: "Crist J. Clark"
To: "Nate Williams"
Cc: "Peter Pentchev"; "default - Subscriptions"
Sent: Thursday, August 16, 2001 11:56 AM
Subject: Re: Easy IPFW question...

> On Mon, Aug 13, 2001 at 10:42:39AM -0600, Nate Williams wrote:
> > > > I'm kinda new to IPFW, and I was unable to figure this out by myself...
> > > >
> > > > I want to block an I.P. range, say 192.168.0.1, with a netmask of
> > > > 255.255.0.0 ...
> > > >
> > > > The rule I tried was this:
> > > > ipfw add deny log all from 192.168.0.1/16 to any via ed0
> > >
> > > Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be
> > > also zeroed in the address.
> >
> > If so, then the ipfw parser is borken. :(
> >
> > It *shouldn't* matter what the last two bytes in this case are, as it
> > doesn't matter to any of the other routing protocols.
>
> I cannot reproduce this. On a 4.4-PRERELEASE system,
>
> vegeta# ipfw add 1000 count ip from 192.168.0.1/16 to any
> 01000 count ip from 192.168.0.0/16 to any
> vegeta# ipfw add 1001 count ip from 192.168.0.0/16 to any
> 01001 count ip from 192.168.0.0/16 to any
> vegeta# ipfw sh
> 01000       12      1268 count ip from 192.168.0.0/16 to any
> 01001       12      1268 count ip from 192.168.0.0/16 to any
> 65000    17743   4318556 allow ip from any to any
> 65535        0         0 deny ip from any to any
>
> The host bits are automatically zeroed in my first ipfw(8)
> command. What version is the original poster using? What do the rules
> look like when he does a 'show?' This might not be his problem at
> all.
> --
> Crist J. Clark                          cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
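The thread makes two points worth checking by hand: ipfw zeroes the host bits of a prefix (192.168.0.1/16 and 192.168.0.0/16 are the same rule, as Crist's 'ipfw show' output confirms), and ipfw is a first-match firewall, so a deny placed after a broader allow never fires, which is the mistake Jordan found. The Python below is an added illustration written for this archive page, not FreeBSD or ipfw code: it is a small first-match evaluator that models only source/destination prefix and a simplified 'via' interface match, with constructed rule sets and constructed sample packets, and rule numbers chosen for the example.

```python
"""Toy model of two ipfw(8) behaviours discussed in the thread (added example,
not FreeBSD code):
  1. a CIDR with non-zero host bits is normalised to its network address,
     so 192.168.0.1/16 and 192.168.0.0/16 describe the same packets;
  2. rules are checked in ascending number order and the first match wins,
     so a deny placed after 'allow ip from any to any' is dead.
The 'via' keyword is simplified to an exact interface-name match on a
single interface per packet; real ipfw matches either direction."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def normalize_cidr(spec: str) -> str:
    """Zero the host bits of an address/prefix pair, as ipfw does on 'add'."""
    return str(ipaddress.ip_network(spec, strict=False))


def _in_prefix(ip: str, cidr: str) -> bool:
    """'any' matches everything; otherwise test membership in the (normalised) prefix."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    via: Optional[str] = None   # interface name; None means any interface

    def matches(self, src_ip: str, dst_ip: str, iface: str) -> bool:
        if self.via is not None and self.via != iface:
            return False
        return _in_prefix(src_ip, self.src) and _in_prefix(dst_ip, self.dst)


def evaluate(rules: Iterable[Rule], src_ip: str, dst_ip: str, iface: str) -> Tuple[int, str]:
    """First match wins. Rule 65535 'deny ip from any to any' is the implicit
    default that ipfw appends when the kernel is built with default-deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, dst_ip, iface):
            return rule.number, rule.action
    return 65535, "deny"


# Constructed rule sets. 65000 mirrors the 'allow ip from any to any' seen in
# Crist's 'ipfw show'; the deny rule is Jordan's, with host bits left in on purpose.
BROKEN: List[Rule] = [
    Rule(65000, "allow", "any", "any"),
    Rule(65100, "deny", "192.168.0.1/16", "any", via="ed0"),  # appended below the allow: never reached
]
FIXED: List[Rule] = [
    Rule(100, "deny", "192.168.0.1/16", "any", via="ed0"),    # same rule, numbered ahead of the allow
    Rule(65000, "allow", "any", "any"),
]


def demo() -> dict:
    """Run a constructed 192.168/16 packet on ed0 through both rule sets."""
    pkt = ("192.168.5.7", "10.0.0.1", "ed0")
    return {
        "normalised": normalize_cidr("192.168.0.1/16"),
        "broken": evaluate(BROKEN, *pkt),
        "fixed": evaluate(FIXED, *pkt),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check Crist asked for, 'ipfw show', is also the one that reveals the ordering problem: a deny whose counters stay at zero while an earlier allow's counters climb is being shadowed, whatever its prefix looks like.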