From owner-freebsd-bugs@FreeBSD.ORG Mon Dec 1 22:48:17 2003
Message-ID: <000d01c3b8a0$40a35530$0400a8c0@internalprocess>
From: "Kerry B. Rogers"
Date: Tue, 2 Dec 2003 01:48:03 -0500
Subject: hosts.allow not always working... misses some IPs

> Kerry B. Rogers wrote:
> > Dear Whomever,
> >
> > I received an e-mail with the following header fragment:
> >
> > ====== cut here =======
> > Received: from priv-edtnes11-hme0.telusplanet.net (outbound03.telus.net
> > [199.185.220.222])
> > by tinkertoys.net (8.12.10/8.11.6) with ESMTP id hANMNpKS021237;
> > Sun, 23 Nov 2003 15:23:51 -0700 (MST)
> >
> > ====== cut here =======
> >
> > In my hosts.allow file (which usually rejects domains just fine) I have:
> >
> > ====== cut here =======
> > smtp : 199.185.220.0/255.255.251.0 : deny
> > ====== cut here =======
> >
> > The above listed e-mail should have been rejected but it wasn't. Is this a
> > bug? Is a 975K host.allow file creating this problem? Please help...
>
> I think the netmask is wrong. When you apply the third octet of the
> netmask (251) to the IP address (220) the result will be 216, which is
> then compared with 220. Since the numbers differ the rule doesn't
> apply, which is to be expected.
>
> Are you sure that the netmask's third octet shouldn't have been 254, 252
> or 248 instead for proper masking, depending on the range of addresses
> you'd like to cover?
>
> Uwe

Uwe... how did you come up with netmask 251 applied to 220 equals 216? I'm confused about how one would determine the proper netmask. I think my formula is wrong and would like to get it right.

I'm trying to convert the ARIN data line:

arin|CA|ipv4|199.185.220.0|1280|19940222|assigned

to a hosts.allow line and come up with:

smtp : 199.185.220.0/255.255.251.0 : deny

using the formula:

MaskFromIPRange = DoubleToIPAddress(IPAddressToDouble("255.255.255.255") - (IPAddressToDouble(strLastIP) - IPAddressToDouble(strFirstIP)))

or, translated symbolically:

Mask = 255.255.255.255 - 199.185.224.255 - 199.185.220.0

which (mathematically) is:

Mask = 4294967295 - 3350847743 - 3350846464

I guess using 255.255.255.255 and subtracting the difference of the IP range is not the proper way to arrive at a netmask. What is? Anyone?

Thanks,

Kerry
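Added example, not part of the original message or of the tcp wrappers code: it reproduces the masked comparison described in the quoted reply and shows one way to turn the ARIN record's start address and address count into net/mask rules by splitting the range into aligned blocks. The function names are hypothetical, and the `smtp` and `deny` fields simply copy the rule format used in the message.

```python
import ipaddress

# The delegation record quoted in the message: registry|cc|type|start|count|date|status
ARIN_LINE = "arin|CA|ipv4|199.185.220.0|1280|19940222|assigned"

def parse_arin_line(line):
    """Return (first, last) IPv4Address for an ipv4 delegation record."""
    fields = line.strip().split("|")
    if len(fields) < 5 or fields[2] != "ipv4":
        raise ValueError("not an ipv4 delegation record")
    first = ipaddress.IPv4Address(fields[3])
    count = int(fields[4])
    if count < 1:
        raise ValueError("address count must be positive")
    return first, first + (count - 1)

def range_to_networks(first, last):
    """Split an arbitrary range into the fewest aligned power-of-two blocks.

    A single netmask can only describe a block whose size is a power of two
    and whose start is a multiple of that size, so 1280 addresses
    (1024 + 256) need two rules.
    """
    return list(ipaddress.summarize_address_range(first, last))

def hosts_allow_rules(line, service="smtp", action="deny"):
    """Build one rule per block, in the net/mask form used in the message."""
    first, last = parse_arin_line(line)
    return [f"{service} : {net.network_address}/{net.netmask} : {action}"
            for net in range_to_networks(first, last)]

def mask_matches(addr, net, mask):
    """The comparison from the quoted reply: (addr AND mask) == net.

    Works on plain integers so that a non-contiguous mask such as
    255.255.251.0 can be evaluated as written instead of being rejected.
    """
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == n

if __name__ == "__main__":
    # 220 AND 251 = 216, so the rule from the message never matches
    print(mask_matches("199.185.220.222", "199.185.220.0", "255.255.251.0"))
    for rule in hosts_allow_rules(ARIN_LINE):
        print(rule)
```
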