Date:      Tue, 2 Aug 2016 15:14:25 +0200
From:      Willem Jan Withagen <>
To:        Julian Elischer <>, "Dr. Rolf Jansen" <>,
Subject:   Re: ipfw divert filter for IPv4 geo-blocking

On 1-8-2016 07:22, Julian Elischer wrote:
> On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote:
>> I am still a little bit amazed how ipfw comes to accept incorrect CIDR
>> ranges and arbitrarily moves the start/end addresses in order to
>> achieve CIDR conformity, and that without any further notice, and that
>> given that ipfw can be considered as being quite relevant to system
>> security. Or, may I assume that ipfw knows always better than the user
>> what should be allowed or denied. Otherwise, perhaps I am the only one
>> ever who input incorrect CIDR ranges for processing by ipfw.
> It's not so amazing when you think about it. The code comes from the
> routing table.
> In this context a.b.c.d/N means "the range of addresses containing
> a.b.c.d, masked to a length of N".  There is no specification that
> a.b.c.d is the first address of the range.  I have relied upon this
> behaviour many times.

I happily agree with Julian....
Rarely have I given the exact address of a router and its net much thought.
And I happily apply a.b.c.27/26 in ipfw, assuming that ipfw would figure
out what the actual network part of the address was.


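The masking behaviour discussed in this thread can be checked before a list reaches the firewall. The following is an added example, not code from the thread or from ipfw: it uses Python's standard `ipaddress` module to report entries whose address is not the first address of the block they select, and goes one step further by converting an arbitrary start/end range into exact CIDR blocks. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def effective_network(cidr):
    """Return (network, widened) for a.b.c.d/N read as 'the /N block containing a.b.c.d'."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network  # host bits masked off, as in the routing-table reading
    return net, iface.ip != net.network_address

def lint(entries):
    """List entries whose address is not the first address of the block they select."""
    findings = []
    for entry in entries:
        net, widened = effective_network(entry)
        if widened:
            findings.append((entry, str(net), str(net[0]), str(net[-1])))
    return findings

def exact_cidrs(first, last):
    """Cover the inclusive range first..last with CIDR blocks, adding no extra addresses."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

# Constructed sample entries (RFC 5737 documentation ranges), not from the thread.
SAMPLE = ["192.0.2.27/26", "198.51.100.0/24", "203.0.113.130/25"]

if __name__ == "__main__":
    for entry, net, lo, hi in lint(SAMPLE):
        print(f"{entry}: matches {net} ({lo} - {hi})")
    print(exact_cidrs("192.0.2.27", "192.0.2.63"))
```

If an entry such as 192.0.2.27/26 was meant as "from .27 to .63", the masked block also covers .0 through .26; `exact_cidrs` gives the blocks that cover only the intended range.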