Date: Tue, 2 Dec 2003 15:52:23 -0500
From: "Kerry B. Rogers" <kbrogers@tinkertoys.net>
To: <freebsd-bugs@freebsd.org>
Subject: hosts.allow not always working... misses some IPs
Message-ID: <006701c3b916$39a1f400$0400a8c0@internalprocess>
>>Kerry B. Rogers wrote:
>>>>[...]
>>>>I think the netmask is wrong. When you apply the third octet of the
>>>>netmask (251) to the IP address (220) the result will be 216, which is
>>>>then compared with 220. Since the numbers differ the rule doesn't
>>>>apply, which is to be expected.
>>>>
>>>>Are you sure that the netmask's third octet shouldn't have been 254, 252
>>>>or 248 instead for proper masking, depending on the range of addresses
>>>>you'd like to cover?
>>>
>>> Uwe... how did you come up with netmask 251 applied to 220 equals 216? I'm
>>> confused about how one would determine the proper netmask. I think my
>>> formula is wrong and would like to get it right. I'm trying to convert
>>> the ARIN data line:
>>>
>>> arin|CA|ipv4|199.185.220.0|1280|19940222|assigned
>>>
>>> to a hosts.allow line and come up with:
>>>
>>> smtp : 199.185.220.0/255.255.251.0 : deny
>>>
>>> using the formula:
>>>
>>> MaskFromIPRange = DoubleToIPAddress(IPAddressToDouble("255.255.255.255") -
>>> (IPAddressToDouble(strLastIP) - IPAddressToDouble(strFirstIP)))
>>>
>>> or, translated symbolically:
>>>
>>> Mask = 255.255.255.255 - 199.185.224.255 - 199.185.220.0
>>>
>>> which (mathematically) is:
>>>
>>> Mask = 4294967295 - 3350847743 - 3350846464
>>>
>>> I guess using 255.255.255.255 and subtracting the difference of the IP range
>>> is not the proper way to arrive at a netmask. What is? Anyone?
>>
>>Netmasks are supposed to be calculated bit-wise, not by subtraction, and
>>they can cover only address ranges that are a power of two. So you need
>>two ranges in your case: the first 1024 addresses and the remaining 256
>>(adds up to 1280).
>>
>>In C syntax the formula for the netmask would be:
>>
>> netmask = ^(number_of_addresses - 1);
>>
>>This results in
>>
>> smtp : 199.185.220.0/255.255.252.0 199.185.224.0/255.255.255.0 : deny
>>
>>If you don't have a calculator with a binary mode you can easily do this
>>bit by bit on a piece of paper. First write down 1023 (1024 - 1) in
>>binary form (all 32 bits representing an IPv4 address), then invert the
>>bits, and finally convert them back into a decimal number. Do the same
>>for the second range (256 - 1), and adapt the base address for this
>>range accordingly.
>>
>>Hope this explanation was clear enough.
>>
>> Uwe

Uwe, thanks so very much for helping me out here. If I have you correct, then the following would be correct, right?:

arin|US|ipv4|24.30.0.0|24576|0|allocated

smtp : 24.30.0.0/255.255.192.0 24.30.64.0/255.255.224.0 : deny

Thanks,
Kerry
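A Python rendering of the procedure Uwe describes (split the ARIN range into aligned power-of-two blocks, mask = bitwise NOT of block size minus one), added here as an example and not code from the thread. It uses Python's `~` for the inversion written as `^` in the C-syntax line, checks a candidate mask the way the quoted explanation does (address AND mask compared with the listed network), and the function names are my own; the two ARIN lines are the ones from the thread.

```python
import ipaddress

# The two ARIN lines discussed in the thread, used here as sample input:
# registry|cc|type|start|value|date|status, where value is the address count.
SAMPLE_ARIN_LINES = [
    "arin|CA|ipv4|199.185.220.0|1280|19940222|assigned",
    "arin|US|ipv4|24.30.0.0|24576|0|allocated",
]


def mask_from_block_size(size):
    """netmask = ~(number_of_addresses - 1), kept to 32 bits."""
    return ipaddress.IPv4Address(~(size - 1) & 0xFFFFFFFF)


def split_range(first_ip, count):
    """Split (first_ip, count) into aligned power-of-two blocks.

    A block may only be as large as the largest power of two that both
    divides its base address (so the mask clears no set bit of the base)
    and fits in the remaining count.
    """
    base = int(ipaddress.IPv4Address(first_ip))
    blocks = []
    while count > 0:
        align = base & -base if base else 1 << 32   # lowest set bit of base
        size = min(1 << (count.bit_length() - 1), align)
        blocks.append((ipaddress.IPv4Address(base), mask_from_block_size(size)))
        base += size
        count -= size
    return blocks


def hosts_allow_line(arin_line, daemon="smtp", action="deny"):
    """Render one ARIN ipv4 line as a hosts.allow addr/mask rule."""
    fields = arin_line.split("|")
    if fields[2] != "ipv4":
        raise ValueError("only ipv4 entries are handled")
    pairs = ["%s/%s" % p for p in split_range(fields[3], int(fields[4]))]
    return "%s : %s : %s" % (daemon, " ".join(pairs), action)


def mask_matches(client_ip, net, mask):
    """The hosts.allow test: client AND mask must equal the listed network."""
    client = int(ipaddress.IPv4Address(client_ip))
    return client & int(ipaddress.IPv4Address(mask)) == int(ipaddress.IPv4Address(net))


if __name__ == "__main__":
    for line in SAMPLE_ARIN_LINES:
        print(hosts_allow_line(line))
    # Uwe's point: 220 AND 251 = 216, so 255.255.251.0 misses the range.
    print(mask_matches("199.185.220.5", "199.185.220.0", "255.255.251.0"))  # False
```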