From owner-freebsd-bugs@FreeBSD.ORG Tue Dec 2 00:04:54 2003
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3D9EA16A4CE for ; Tue, 2 Dec 2003 00:04:54 -0800 (PST)
Received: from geminix.org (gen129.n001.c02.escapebox.net [213.73.91.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id D7DDB43FBF for ; Tue, 2 Dec 2003 00:04:50 -0800 (PST) (envelope-from gemini@geminix.org)
Received: from gemini by geminix.org with asmtp (TLSv1:AES256-SHA:256) (Exim 3.36 #1) id 1AR5Wb-0008zN-00; Tue, 02 Dec 2003 09:04:49 +0100
Message-ID: <3FCC479F.4030609@geminix.org>
Date: Tue, 02 Dec 2003 09:04:47 +0100
From: Uwe Doering
Organization: Private UNIX Site
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20031019
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-bugs@freebsd.org
References: <000d01c3b8a0$40a35530$0400a8c0@internalprocess>
In-Reply-To: <000d01c3b8a0$40a35530$0400a8c0@internalprocess>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: hosts.allow not always working... misses some IPs
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Tue, 02 Dec 2003 08:04:54 -0000

Kerry B. Rogers wrote:
>> [...]
>> I think the netmask is wrong. When you apply the third octet of the
>> netmask (251) to the IP address (220) the result will be 216, which is
>> then compared with 220. Since the numbers differ the rule doesn't
>> apply, which is to be expected.
>>
>> Are you sure that the netmask's third octet shouldn't have been 254, 252
>> or 248 instead for proper masking, depending on the range of addresses
>> you'd like to cover?
>
> Uwe... how did you come up with netmask 251 applied to 220 equals 216? I'm
> confused about how one would determine the proper netmask. I think my
> formula is wrong and would like to get it right. I'm trying to convert
> the ARIN data line:
>
> arin|CA|ipv4|199.185.220.0|1280|19940222|assigned
>
> to a hosts.allow line and come up with:
>
> smtp : 199.185.220.0/255.255.251.0 : deny
>
> using the formula:
>
> MaskFromIPRange = DoubleToIPAddress(IPAddressToDouble("255.255.255.255") -
> (IPAddressToDouble(strLastIP) - IPAddressToDouble(strFirstIP)))
>
> or, translated symbolically:
>
> Mask = 255.255.255.255 - 199.185.224.255 - 199.185.220.0
>
> which (mathematically) is:
>
> Mask = 4294967295 - 3350847743 - 3350846464
>
> I guess using 255.255.255.255 and subtracting the difference of the IP
> range is not the proper way to arrive at a netmask. What is? Anyone?

Netmasks are supposed to be calculated bit-wise, not by subtraction, and
they can cover only address ranges that are a power of two. So you need
two ranges in your case: the first 1024 addresses and the remaining 256
(adds up to 1280). In C syntax the formula for the netmask would be:

    netmask = ~(number_of_addresses - 1);

This results in

    smtp : 199.185.220.0/255.255.252.0 199.185.224.0/255.255.255.0 : deny

If you don't have a calculator with a binary mode you can easily do this
bit by bit on a piece of paper. First write down 1023 (1024 - 1) in
binary form (all 32 bits representing an IPv4 address), then invert the
bits, and finally convert them back into a decimal number. Do the same
for the second range (256 - 1), and adapt the base address for this
range accordingly.

Hope this explanation was clear enough.

     Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
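The procedure in the reply above (bit-wise mask from a power-of-two block count, and splitting a delegation that is not a power of two into several net/mask pairs), carried through as an added example. This is not code from the thread; it is a small Python script that turns an ARIN delegation line into a hosts.allow client list and also shows why the original 255.255.251.0 mask fails to match. The ARIN line is the one quoted in the thread; the function names and the 'deny' default are this example's own. It generalizes the reply's two-block case: a range whose start address is not aligned to the block size is split into more, smaller aligned blocks, since a net/mask pair can only describe an aligned block.

```python
import ipaddress

# Constructed sample input: the ARIN delegation line quoted in the thread
# (registry|country|type|start|count|date|status).
ARIN_LINE = "arin|CA|ipv4|199.185.220.0|1280|19940222|assigned"


def netmask_for_count(count):
    """Bit-wise netmask for a block of `count` addresses.

    This is the reply's ~(count - 1), masked to 32 bits; `count` must be a
    power of two, otherwise there is no single mask that describes the block.
    """
    if count <= 0 or count & (count - 1):
        raise ValueError("block size must be a power of two: %d" % count)
    return ~(count - 1) & 0xFFFFFFFF


def split_range(start, count):
    """Split `count` addresses starting at `start` into aligned power-of-two
    blocks and return a list of (network, netmask) integer pairs.

    Each step takes the largest power of two that still fits in what is left
    AND divides the current address (a net/mask pair can only describe an
    aligned block).  For 199.185.220.0 + 1280 this yields exactly the
    1024 + 256 split from the reply.
    """
    blocks = []
    addr = int(ipaddress.IPv4Address(start))
    remaining = count
    while remaining > 0:
        size = 1 << (remaining.bit_length() - 1)     # largest power of two <= remaining
        align = (addr & -addr) if addr else size     # largest power of two dividing addr
        size = min(size, align)
        blocks.append((addr, netmask_for_count(size)))
        addr += size
        remaining -= size
    return blocks


def ipv4_str(n):
    return str(ipaddress.IPv4Address(n))


def hosts_allow_rule(daemon, arin_line, action="deny"):
    """Build one hosts.allow line ('daemon : client ... : action') from an
    ARIN ipv4 delegation line."""
    fields = arin_line.split("|")
    if len(fields) < 5 or fields[2] != "ipv4":
        raise ValueError("only ipv4 delegation lines are handled")
    start, count = fields[3], int(fields[4])
    clients = " ".join("%s/%s" % (ipv4_str(net), ipv4_str(mask))
                       for net, mask in split_range(start, count))
    return "%s : %s : %s" % (daemon, clients, action)


def rule_matches(client_ip, net, mask):
    """The comparison described in the quoted explanation: AND the client
    address with the mask and compare the result with the network address.
    With a non-contiguous mask such as 255.255.251.0 the third octet 220
    becomes 216 and the rule never matches its own network."""
    c = int(ipaddress.IPv4Address(client_ip))
    n = int(ipaddress.IPv4Address(net))
    m = int(ipaddress.IPv4Address(mask))
    return (c & m) == n


if __name__ == "__main__":
    print(hosts_allow_rule("smtp", ARIN_LINE))
    for mask in ("255.255.251.0", "255.255.252.0"):
        print(mask, rule_matches("199.185.220.5", "199.185.220.0", mask))
```

Running the script prints the same two-block rule the reply arrives at. A mask produced by subtraction is not guaranteed to be a run of one bits followed by zero bits, which is why `rule_matches` with 255.255.251.0 is false even for 199.185.220.5; any address in the range that has a one bit where the mask has a zero is silently dropped from the match.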