From owner-freebsd-security Mon Aug 13 6:57:39 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (gb.office1.bg [193.68.24.4]) by hub.freebsd.org (Postfix) with SMTP id 7691E37B411 for ; Mon, 13 Aug 2001 06:57:22 -0700 (PDT) (envelope-from roam@ringlet.net)
Received: (qmail 9561 invoked by uid 1000); 13 Aug 2001 13:56:04 -0000
Date: Mon, 13 Aug 2001 16:56:04 +0300
From: Peter Pentchev
To: default - Subscriptions
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Easy IPFW question...
Message-ID: <20010813165603.B1119@ringworld.oblivion.bg>
Mail-Followup-To: default - Subscriptions , freebsd-security@freebsd.org, freebsd-questions@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from default013subscriptions@hotmail.com on Mon, Aug 13, 2001 at 02:12:29AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, Aug 13, 2001 at 02:12:29AM -0500, default - Subscriptions wrote:
> Hi,
>
> I'm kinda new to IPFW, and I was unable to figure this out by myself...
>
> I want to block an I.P. range, say 192.168.0.1, with a netmask of
> 255.255.0.0 ...
>
> The rule I tried was this:
> ipfw add deny log all from 192.168.0.1/16 to any via ed0

Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be also
zeroed in the address. This is so because of the way the address/netmask
calculations are performed: when an address, say 192.168.5.12, is tested
against a 192.168.0.0/16 combination, a bitwise 'and' operation is performed
between the address to check (192.168.5.12) and the netmask (255.255.0.0).
Then, the result - 192.168.0.0 - is compared to the network address that you
have specified.

Since the 'and' operation clears the last 16 bits, a network address of
192.168.0.1 cannot match anything - it has its last bit set.

Try 192.168.0.0/16, it will probably work. If it fails, try
192.168.0.0/255.255.0.0.

G'luck,
Peter

--
I am the meaning of this sentence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
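The following Python is an added illustration, not part of the original thread and not ipfw's own code. It models the comparison Peter describes: the candidate address is ANDed with the netmask and the result is compared with the network address exactly as written in the rule. With that model, a rule written as 192.168.0.1/16 can never match because bit 0 survives in the network address but is always cleared in the masked candidate, while 192.168.0.0/16 and 192.168.0.0/255.255.0.0 both match every 192.168.x.y host. A small helper also rewrites the `from`/`to` address tokens of an ipfw rule string into their masked form; that helper, the function names and the sample addresses are all constructed here for the example.

```python
"""Model of address/netmask matching as described in the reply above.

Added example; it is not ipfw's source and makes no claim about how any
particular ipfw version canonicalises rules. All helper names are ours.
"""

ALL_ONES = 0xFFFFFFFF


def parse_ipv4(dotted: str) -> int:
    """Convert a dotted quad such as '192.168.5.12' to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def format_ipv4(value: int) -> str:
    """Inverse of parse_ipv4."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix_len: int) -> int:
    """'/16' -> 0xFFFF0000: the top prefix_len bits set, the rest clear."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length: {prefix_len}")
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def is_contiguous_mask(mask: int) -> bool:
    """True for masks of the form 1...10...0 (the only ones '/len' can express)."""
    inverted = ~mask & ALL_ONES
    return (inverted & (inverted + 1)) == 0


def parse_spec(spec: str) -> tuple[int, int]:
    """Parse 'addr', 'addr/len' or 'addr/dotted-mask' into (address, mask)."""
    if "/" not in spec:
        return parse_ipv4(spec), ALL_ONES
    addr, mask_part = spec.split("/", 1)
    mask = parse_ipv4(mask_part) if "." in mask_part else mask_from_prefix(int(mask_part))
    return parse_ipv4(addr), mask


def matches_literal(candidate: str, spec: str) -> bool:
    """The comparison as the reply describes it: (candidate AND mask) == network as written."""
    network, mask = parse_spec(spec)
    return (parse_ipv4(candidate) & mask) == network


def host_bits_set(spec: str) -> bool:
    """True when the written network address has bits outside the mask, so the rule can never match."""
    network, mask = parse_spec(spec)
    return (network & ~mask & ALL_ONES) != 0


def normalize_spec(spec: str) -> str:
    """Clear the host bits; emit '/len' for contiguous masks, '/dotted' otherwise."""
    network, mask = parse_spec(spec)
    masked = format_ipv4(network & mask)
    if is_contiguous_mask(mask):
        return f"{masked}/{bin(mask).count('1')}"
    return f"{masked}/{format_ipv4(mask)}"


def normalize_rule(rule: str) -> str:
    """Rewrite the address token that follows 'from' or 'to' in an ipfw rule to its masked form."""
    words = rule.split()
    for i, word in enumerate(words):
        if word in ("from", "to") and i + 1 < len(words) and "/" in words[i + 1]:
            words[i + 1] = normalize_spec(words[i + 1])
    return " ".join(words)


if __name__ == "__main__":
    # Constructed sample: the rule from the thread and a few candidate addresses.
    rule = "ipfw add deny log all from 192.168.0.1/16 to any via ed0"
    for spec in ("192.168.0.1/16", "192.168.0.0/16", "192.168.0.0/255.255.0.0"):
        hits = [a for a in ("192.168.5.12", "192.168.0.1", "192.169.0.5") if matches_literal(a, spec)]
        print(f"{spec:25} host bits set: {host_bits_set(spec)!s:5} matches: {hits}")
    print(normalize_rule(rule))
```

The `host_bits_set` check is the one worth keeping around: a firewall rule that can never match is a silent hole, and a lint pass over a rule set that flags any `addr/mask` whose address has bits outside the mask catches this class of mistake before the rule is loaded.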