From: Robert Bonomi
Date: Sun, 4 Apr 2010 19:11:42 -0500 (CDT)
To: freebsd-questions@freebsd.org
Subject: Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}
Message-Id: <201004050011.o350BgqF015947@mail.r-bonomi.com>

> Date: Sun, 4 Apr 2010 09:11:47 -0400
> From: Carmel NY
> To: freebsd-questions@freebsd.org
> Subject: Configuring IPFW IP range
>
> This is my first attempt at configuring IPFW. I have it up and running;
> however, I am not quite sure how to accomplish configuring it to block
> an IP range.
>
> Assume an IP range: 219.128.0.0 to 219.137.255.255
>
> That is an actual range: CHINANET Guangdong province network
>
> I want to block the entire range. I am not sure how to do it in IPFW. I
> have read the 'man' pages; however, I am not getting the syntax correct
> since I cannot get the range added.
>

CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a
'power of two' in size, and (c) be no larger than the 'power of 2'
factor for the starting address.

This range is _not_ that way [fails (b)], so you'll have to do it with
multiple entries. i.e., one for "219.128.0.0/13" which will catch
219.128.0.0 - 219.135.255.255 and a 2nd for "219.136.0.0/15" which
will catch 219.136.0.0 - 219.137.255.255

Life can get messier, when rule 3 comes into play. Consider the block
219.130.0.0 to 219.139.255.255

219.130.0.0 is on a /15 boundary, so that's the max block size you can
use for that starting address.
    219.130.0.0/15 catches 219.130.0.0 - 219.131.255.255
next, you can start with 219.132.0.0, which is a /14, and block a /14 with
    219.132.0.0/14 catches 219.132.0.0 - 219.135.255.255
now, 219.136.0.0 is a /13 so you could block that big with just one more
rule, if needed (BUT, you only need another /14, to cover the remainder
of the group of 10 /16s that the initial block includes). thus, lastly:
    219.136.0.0/14 catches 219.136.0.0 - 219.139.255.255

This should help you get the syntax right.
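The range-splitting procedure described in the reply, as an added Python example (not code from the original message or from FreeBSD): it applies the three rules greedily from the start address, cross-checks the result against the standard library's summarize_address_range, and renders the blocks as ipfw deny rules. The rule numbering and the "deny ip from ... to any" form are assumptions about how the reader would write the rules.

```python
import ipaddress


def cidr_blocks(first, last):
    """Split an inclusive IPv4 range into the fewest CIDR blocks.

    Follows the three rules from the message: each block starts on an
    address aligned to its own size (a), is a power of two in size (b),
    and is never larger than the start address's alignment allows (c).
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start must not exceed range end")
    blocks = []
    while start <= end:
        # Rule (c): (start & -start) isolates the lowest set bit, i.e. the
        # largest block this start address is aligned to; 0.0.0.0 fits any.
        align = (start & -start) if start else 1 << 32
        # Rule (b): largest power of two that still fits in what remains.
        remaining = end - start + 1
        fit = 1 << (remaining.bit_length() - 1)
        size = min(align, fit)
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return blocks


def matches_stdlib(first, last):
    """Cross-check against the standard library's own range summariser."""
    lib = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return cidr_blocks(first, last) == lib


def ipfw_deny_rules(first, last, base=100):
    """One 'ipfw add deny' line per block; rule numbers are an assumption."""
    return [f"ipfw add {base + 10 * i} deny ip from {net} to any"
            for i, net in enumerate(cidr_blocks(first, last))]


if __name__ == "__main__":
    # The range from the original question.
    for line in ipfw_deny_rules("219.128.0.0", "219.137.255.255"):
        print(line)
```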