Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 2 Aug 2016 15:14:25 +0200
From:      Willem Jan Withagen <wjw@digiware.nl>
To:        Julian Elischer <julian@freebsd.org>, "Dr. Rolf Jansen" <rj@obsigna.com>,  freebsd-ipfw@freebsd.org
Subject:   Re: ipfw divert filter for IPv4 geo-blocking
Message-ID:  <2e7d84c7-e962-e131-b788-81a6489b9f95@digiware.nl>
In-Reply-To: <d312fa79-ae83-6054-3ef0-18631c40227e@freebsd.org>
References:  <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <c2cd797d-66db-8673-af4e-552dfa916a76@freebsd.org> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org> <C0CC7001-16FE-40BF-A96A-1FA51A0AFBA7@obsigna.com> <677900fb-c717-743f-fcfe-86b603466e33@freebsd.org> <0D3C9016-7A4A-46BA-B35F-3844D07562A8@obsigna.com> <CAFPNf59w6BHgDjLNHW=rQckZAFG4gqPHL49vLXiDmMAxVPOcKg@mail.gmail.com> <1E1DB7E0-D354-4D7A-B657-0ECF94C12CE0@obsigna.com> <50d405a4-3f8f-a706-9cac-d1162925e56a@freebsd.org> <c62fa048-63c8-aef6-5bad-b0a6719f6acb@freebsd.org> <9222BB10-C700-4DE7-83A3-BE7A38A11713@obsigna.com> <1B36CAD7-A139-436B-B7EC-0FFF232F9C6A@obsigna.com> <d312fa79-ae83-6054-3ef0-18631c40227e@freebsd.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 1-8-2016 07:22, Julian Elischer wrote:
> On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote:
>>
>> I am still a little bit amazed how ipfw come to accept incorrect CIDR
>> ranges and arbitrarily moves the start/end addresses in order to
>> achieve CIDR conformity, and that without any further notice, and that
>> given that ipfw can be considered as being quite relevant to system
>> security. Or, may I assume that ipfw knows always better than the user
>> what should be allowed or denied. Otherwise, perhaps I am the only one
>> ever who input incorrect CIDR ranges for processing by ipfw.
> it's not so amazing when you think about it. The code comes from the
> routing table..
> 
> In this context  a.b.c.d/N means "the range of addresses containing
> a.b.c.d, masked to a length of N".  there is no specification that
> a.b.c.d is the first address of the range.  I have relied upon this
> behaviour many times.

I happily agree with Julian....
Rarely have I given the exact address of a router and it's net much thought.
And apply happily a.b.c.27/26 in ipfw, assuming that ipfw would figure
out what the actual network part of the address was.

--WjW





Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?2e7d84c7-e962-e131-b788-81a6489b9f95>