Date:      Sun, 4 Apr 2010 13:04:12 -0400
From:      Carmel NY <carmel_ny@hotmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Configuring IPFW IP range
Message-ID:  <BLU0-SMTP8874335C9F9C6C17180BA0931A0@phx.gbl>
In-Reply-To: <4BB8AA05.3010506@cpufight.com>
References:  <BLU0-SMTP98F509F01B77C70EA14F82931A0@phx.gbl> <4BB8AA05.3010506@cpufight.com>

On Sun, 04 Apr 2010 11:02:29 -0400, Ashley <ashley@cpufight.com>
articulated:

> On 04/04/2010 09:11 AM, Carmel NY wrote:
> > This is my first attempt at configuring IPFW. I have it up and
> > running; however, I am not quite sure how to accomplish configuring
> > it to block an IP range.
> >
> > Assume an IP range: 219.128.0.0 to 219.137.255.255
> >
> > That is an actual range: CHINANET Guangdong province network
> >
> > I want to block the entire range. I am not sure how to do it in
> > IPFW. I have read the 'man' pages; however, I am not getting the
> > syntax correct since I cannot get the range added.
> Carmel,
> 
> Have you tried something like what's mentioned in this excerpt quoted 
> below?:
> 
> Network-based filtering works similarly, and the network
> notation there utilizes either bitmasks or netmasks, for instance:
> 
> add 2000 allow all from 192.168.0.0/16 to any
> add 2100 deny all from any to 10.0.0.0:255.0.0.0
> 
> The first rule allows all traffic from the network whose IP range
> is 192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A
> bitmask specifies how many bits from the network address (192.168.0.0)
> should remain the same for matching packets. In this instance, the
> first 16 bits out of the 32-bit address will remain the same, and as
> the first 16 bits happen to be the first two octets, 192.168, all
> addresses whose source addresses have the first two octets as 192.168
> will be matched by this rule. The second rule accomplishes a similar
> thing using netmasks. The netmask indicates how many bits from the
> indicated network address should be used for rule matching. In the
> above example, for rule two, the netmask is 255.0.0.0. Its first
> octet is set with high bits; in other words, the first 8 bits are set
> high. This indicates to ipfw(8) that only packets with the first 8
> bits of the network address (10.0.0.0) should be matched. As the
> first 8 bits of the network address equal 10, then all packets whose
> destination address have a 10 for the first octet (all addresses
> between 10.0.0.0 and 10.255.255.255) will be matched by this rule,
> and then dropped, as indicated by the action.
> 
> 
> (This excerpt from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)

Thanks Maciej Suszko and Ashley. I used the ipcalc tool. I thought I
had seen something like that before; however, I was not able to recall
the name of the utility. I really have to study up on IPs and
networking.

-- 
Carmel
carmel_ny@hotmail.com

|::::=======
|::::=======
|===========
|===========
|

BACHELOR: A man who chases women and never Mrs. one.
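As an added example (not code from the thread or from ipfw itself), the splitting that ipcalc does for you: an inclusive IPv4 range is greedily broken into the aligned CIDR blocks that ipfw's bitmask notation accepts, the equivalent netmask form from the quoted excerpt is shown alongside, and deny rules are emitted. The rule numbering and the "deny ip from ... to any" direction are assumptions for illustration; the range is the CHINANET one from the original question.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Greedily split an inclusive IPv4 range into the fewest aligned CIDR blocks.

    At each step the largest power-of-two block that both starts at `start`
    (all low bits zero) and does not overshoot `end` is taken.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        size = 1
        # Grow the block while it stays aligned at `start` and inside the range.
        while (start & (2 * size - 1)) == 0 and start + 2 * size - 1 <= end:
            size *= 2
        prefix = 32 - (size.bit_length() - 1)      # size == 2**(32 - prefix)
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += size
    return blocks


def prefix_to_netmask(prefix):
    """Bitmask length -> dotted netmask, the other notation ipfw accepts (/13 -> 255.248.0.0)."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def ipfw_deny_rules(first, last, base=2100, step=100):
    """Emit one ipfw deny rule per block; rule numbers are assumed, not from the thread."""
    return [f"add {base + i * step} deny ip from {block} to any"
            for i, block in enumerate(range_to_cidrs(first, last))]


def range_matches(first, last, addr):
    """Check that an address falls inside the emitted blocks (and only those)."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.IPv4Network(b) for b in range_to_cidrs(first, last))


def agrees_with_stdlib(first, last):
    """Cross-check the greedy split against ipaddress.summarize_address_range."""
    expected = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return range_to_cidrs(first, last) == [str(n) for n in expected]


if __name__ == "__main__":
    for rule in ipfw_deny_rules("219.128.0.0", "219.137.255.255"):
        print(rule)
```

The example range needs two blocks, 219.128.0.0/13 and 219.136.0.0/15, because 219.128.0.0 through 219.137.255.255 is ten /16s and not a power of two, which is exactly why a single bitmask cannot express it.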


