From: Carmel NY
To: freebsd-questions@freebsd.org
Date: Sun, 4 Apr 2010 13:04:12 -0400
Subject: Re: Configuring IPFW IP range

On Sun, 04 Apr 2010 11:02:29 -0400, Ashley articulated:

> On 04/04/2010 09:11 AM, Carmel NY wrote:
> > This is my first attempt at configuring IPFW. I have it up and
> > running; however, I am not quite sure how to accomplish configuring
> > it to block an IP range.
> >
> > Assume an IP range: 219.128.0.0 to 219.137.255.255
> >
> > That is an actual range: CHINANET Guangdong province network
> >
> > I want to block the entire range. I am not sure how to do it in
> > IPFW. I have read the 'man' pages; however, I am not getting the
> > syntax correct since I cannot get the range added.
> Carmel,
>
> Have you tried something like what's mentioned in this excerpt quoted
> below?:
>
> Network-based filtering works similarly, and the network
> notation there utilizes either bitmasks or netmasks, for instance:
>
>     add 2000 allow all from 192.168.0.0/16 to any
>     add 2100 deny all from any to 10.0.0.0:255.0.0.0
>
> The first rule allows all traffic from the network whose IP range
> is 192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A
> bitmask specifies how many bits from the network address (192.168.0.0)
> should remain the same for matching packets. In this instance, the
> first 16 bits out of the 32 bit address will remain the same, and as
> the first 16 bits happen to be the first two octets, 192.168, all
> addresses whose source addresses have the first two octets as 192.168
> will be matched by this rule. The second rule accomplishes a similar
> thing using netmasks. The netmask indicates how many bits from the
> indicated network address should be used for rule matching. In the
> above example, for rule two, the netmask is 255.0.0.0. Its first
> octet is set with high bits; in other words, the first 8 bits are set
> high.
> This indicates to ipfw(8) that only packets with the first 8
> bits of the network address (10.0.0.0) should be matched. As the
> first 8 bits of the network address equal 10, then all packets whose
> destination addresses have a 10 for the first octet (all addresses
> between 10.0.0.0 and 10.255.255.255) will be matched by this rule,
> and then dropped, as indicated by the action.
>
>
> (This excerpt from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)

Thanks Maciej Suszko and Ashley. I used the ipcalc tool. I thought I
had seen something like that before; however, I was not able to recall
the name of the utility. I really have to study up on IPs and
networking.

-- 
Carmel
carmel_ny@hotmail.com
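
Added example, not part of the original message or of the quoted HOWTO: the range asked about (219.128.0.0 to 219.137.255.255) does not fit a single bitmask, so it has to be split into aligned CIDR blocks before it can be written in the rule notation from the excerpt. The sketch below does that split with Python's standard ipaddress module and prints deny rules in the excerpt's syntax; the function names, rule numbers and step are assumptions chosen for illustration.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    nets = list(ipaddress.summarize_address_range(lo, hi))
    # Sanity check: the blocks must cover exactly the requested addresses,
    # no more (over-blocking) and no fewer (gaps in the block list).
    covered = sum(n.num_addresses for n in nets)
    if covered != int(hi) - int(lo) + 1:
        raise RuntimeError("CIDR blocks do not match the requested range")
    return nets


def ipfw_deny_rules(first, last, start_rule=2100, step=10, netmask_form=False):
    """Build one 'deny' rule per CIDR block, in the HOWTO excerpt's syntax.

    start_rule and step are constructed values; pick numbers that fit
    the ordering of the existing ruleset.
    """
    rules = []
    for i, net in enumerate(range_to_cidrs(first, last)):
        if netmask_form:
            # address:netmask notation, as in the excerpt's rule 2100
            src = f"{net.network_address}:{net.netmask}"
        else:
            # address/bits notation, as in the excerpt's rule 2000
            src = str(net)
        rules.append(f"add {start_rule + i * step} deny all from {src} to any")
    return rules


if __name__ == "__main__":
    # The range from the question splits into a /13 and a /15.
    for rule in ipfw_deny_rules("219.128.0.0", "219.137.255.255"):
        print(rule)
```
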