Date: Mon, 5 Apr 2010 06:58:26 -0400
From: Carmel NY
To: freebsd-questions@freebsd.org
Subject: Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}

On Sun, 4 Apr 2010 19:11:42 -0500 (CDT),
Robert Bonomi articulated:

> > From owner-freebsd-questions@freebsd.org Sun Apr 4 08:12:11 2010
> > Date: Sun, 4 Apr 2010 09:11:47 -0400
> > From: Carmel NY
> > To: freebsd-questions@freebsd.org
> > Subject: Configuring IPFW IP range
> >
> > This is my first attempt at configuring IPFW. I have it up and
> > running; however, I am not quite sure how to accomplish configuring
> > it to block an IP range.
> >
> > Assume an IP range: 219.128.0.0 to 219.137.255.255
> >
> > That is an actual range: CHINANET Guangdong province network
> >
> > I want to block the entire range. I am not sure how to do it in
> > IPFW. I have read the 'man' pages; however, I am not getting the
> > syntax correct since I cannot get the range added.
> >
>
> CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a
> 'power of two' in size, and (c) be no larger than the 'power of 2'
> factor for the starting address. This range is _not_ that way [fails
> (b)], so you'll have to do it with multiple entries.
>
> i.e., one for "219.128.0.0/13" which will catch 219.128.0.0 -
> 219.135.255.255 and a 2nd for "219.136.0.0/15" which will catch
> 219.136.0.0 - 219.137.255.255
>
> Life can get messier, when rule 3 comes into play, consider the block
> 219.130.0.0 to 219.139.255.255
>
> 219.130.0.0 is on a /15 boundary, so that's the max block size you
> can use for that starting address.
> 219.130.0.0/15 catches 219.130.0.0 - 219.131.255.255
> next, you can start with 219.132.0.0, which is a /14, and block a /14
> with 219.132.0.0/14 catches 219.132.0.0 - 219.135.255.255
> now, 219.136.0.0 is a /13 so you could block that big with just one more
> rule, if needed, (BUT, you only need another /14, to cover the
> remainder of the group of 10 /16s that the initial block includes).
> thus, lastly: 219.136.0.0/14 catches 219.136.0.0 - 219.139.255.255

Thanks! It was suggested that I try 'ipcalc' by another poster. I did,
and it works excellently. In any case, I do have to familiarize myself
more fully with IP addressing.
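
Added example, not part of the original messages: a Python sketch of the splitting procedure described in the quoted reply, applying rules (a) to (c) to turn an arbitrary start/end range into the fewest CIDR blocks. The function names and the `ipfw add deny ip from ... to any` rule form are assumptions chosen for illustration; adapt the rule to your own ruleset.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the fewest CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # Rules (a)/(c): the largest block that may start at lo is given by
        # its lowest set bit (its alignment); address 0 is aligned to any size.
        align = lo & -lo if lo else 1 << 32
        # Rule (b): the largest power of two that still fits before hi.
        fit = 1 << ((hi - lo + 1).bit_length() - 1)
        size = min(align, fit)
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += size
    return blocks

def ipfw_rules(first, last):
    # Assumed rule form: deny all IP traffic sourced from each block and let
    # ipfw assign the rule numbers.
    return [f"ipfw add deny ip from {net} to any"
            for net in range_to_cidrs(first, last)]

if __name__ == "__main__":
    # The two ranges discussed in the thread.
    for start, end in [("219.128.0.0", "219.137.255.255"),
                       ("219.130.0.0", "219.139.255.255")]:
        print(f"# {start} - {end}")
        print("\n".join(ipfw_rules(start, end)))
```
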