Date:      Thu, 16 Aug 2001 13:33:04 -0500
From:      "default - Subscriptions" <default013subscriptions@hotmail.com>
To:        <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>
Cc:        <cjclark@alum.mit.edu>
Subject:   Re: Easy IPFW question...
Message-ID:  <OE60PPXUsQnZSFUcy9h00001a2b@hotmail.com>
References:  <OE26Wd7KKQpQq5pneeF0000b932@hotmail.com> <20010813165603.B1119@ringworld.oblivion.bg> <15224.895.861427.828038@nomad.yogotech.com> <20010816095615.C4232@blossom.cjclark.org>

Hi,

Thanks for the help, y'all. I got this fixed. I think what the deal was was I
had the rule placed below some other rules that allowed traffic... stupid
mistake...

The rule I ended up keeping was this:

ipfw add deny log all from 192.168.0.1/16 to any via ed0

I tested this using another machine on my network, and it worked great.

Thanks!

Jordan

----- Original Message -----
From: "Crist J. Clark" <cristjc@earthlink.net>
To: "Nate Williams" <nate@yogotech.com>
Cc: "Peter Pentchev" <roam@ringlet.net>; "default - Subscriptions"
<default013subscriptions@hotmail.com>; <freebsd-security@FreeBSD.ORG>;
<freebsd-questions@FreeBSD.ORG>
Sent: Thursday, August 16, 2001 11:56 AM
Subject: Re: Easy IPFW question...


> On Mon, Aug 13, 2001 at 10:42:39AM -0600, Nate Williams wrote:
> > > > I'm kinda new to IPFW, and I was unable to figure this out by myself...
> > > >
> > > > I want to block an I.P. range, say 192.168.0.1, with a netmask of
> > > > 255.255.0.0 ...
> > > >
> > > > The rule I tried was this:
> > > > ipfw add deny log all from 192.168.0.1/16 to any via ed0
> > >
> > > Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be
> > > also zeroed in the address.
> >
> > If so, then the ipfw parser is borken. :(
> >
> > It *shouldn't* matter what the last two bytes in this case are, as it
> > doesn't matter to any of the other routing protocols.
>
> I cannot reproduce this. On a 4.4-PREPRELEASE system,
>
>   vegeta# ipfw add 1000 count ip from 192.168.0.1/16 to any
>   01000 count ip from 192.168.0.0/16 to any
>   vegeta# ipfw add 1001 count ip from 192.168.0.0/16 to any
>   01001 count ip from 192.168.0.0/16 to any
>   vegeta# ipfw sh
>   01000    12    1268 count ip from 192.168.0.0/16 to any
>   01001    12    1268 count ip from 192.168.0.0/16 to any
>   65000 17743 4318556 allow ip from any to any
>   65535     0       0 deny ip from any to any
>
> The host bits are automatically zeroed in my first ipfw(8)
> command. What version is the original poster using? What do the rules
> look like when he does a 'show?' This might not be his problem at
> all.
> --
> Crist J. Clark                           cjclark@alum.mit.edu
>
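The two points raised in this thread, first-match rule ordering and ipfw zeroing the host bits of the source network, modeled in Python as an added example (not code from the thread or from ipfw itself); the rule numbers, the interface name and the packet addresses are constructed:

```python
import ipaddress

# Added example (not from the thread): a minimal model of ipfw(8)'s
# first-match evaluation, showing why a deny rule placed below a broader
# allow rule never fires, and how ipfw normalizes 192.168.0.1/16.
# Rule numbers, interface name and packet values are constructed.

def normalize(cidr):
    """Zero the host bits the way ipfw(8) does on rule entry:
    192.168.0.1/16 becomes 192.168.0.0/16."""
    return ipaddress.ip_network(cidr, strict=False)

def first_match(rules, src, iface):
    """Walk the rules in number order and return (number, action) of the
    first rule matching the packet. A None network or interface means 'any'."""
    addr = ipaddress.ip_address(src)
    for number, action, net, via in sorted(rules, key=lambda r: r[0]):
        if net is not None and addr not in net:
            continue
        if via is not None and via != iface:
            continue
        return number, action
    return 65535, "deny"  # ipfw's implicit default rule

# Rule tuples: (number, action, source network, interface)
DENY_NET = normalize("192.168.0.1/16")

# The order Jordan started with: a permissive rule sits above the deny,
# so traffic from 192.168/16 is accepted before the deny is ever reached.
RULES_BAD = [
    (100, "allow", None, None),
    (200, "deny", DENY_NET, "ed0"),
]

# The fix: the deny is evaluated before any rule that allows traffic.
RULES_GOOD = [
    (100, "deny", DENY_NET, "ed0"),
    (200, "allow", None, None),
]

if __name__ == "__main__":
    print("normalized:", normalize("192.168.0.1/16"))
    for name, rules in (("bad", RULES_BAD), ("good", RULES_GOOD)):
        print(name, first_match(rules, "192.168.5.7", "ed0"))
```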
