Date:      Wed, 9 Mar 2005 10:27:14 -0600
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Darek Milewski <darek@nyi.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw IP ranges
Message-ID:  <20050309162714.GJ37452@dan.emsphone.com>
In-Reply-To: <422F213F.7000407@nyi.net>
References:  <422F213F.7000407@nyi.net>

In the last episode (Mar 09), Darek Milewski said:
> trying to specify IP ranges in ipfw.  The man page is pretty brief in
> this respect, but I understand that I should be able to specify
> 
> allow tcp from any to 1.2.3.0/25{14-24} 3389
> 
> which should apply the rule to IP block of 1.2.3.14 through 1.2.3.24.
> However, I was just closing down 1.2.3.127 and noticed that a port
> that was closed was accessible.  Turns out the rule above was
> matching traffic going to 1.2.3.127:3389.
> 
> When running 'ipfw show' the allow from above is listed as
> 
> allow tcp from any to 1.2.3.0/25 3389

Works for me on 5.3:

# ipfw add 400 allow tcp from any to "1.2.3.0/25{14-24}" 3389
00400 allow tcp from any to 1.2.3.0/25{14-24} dst-port 3389
# ipfw show
00400         0           0 allow tcp from any to 1.2.3.0/25{14-24} dst-port 3389
 
> So it looks like my original syntax enabled the rule for the whole /25 
> subnet.  Am I doing this wrong?  If so, how can I specify ranges 
> explicitly, meaning not using smaller subnets.  I.e.: 1.2.3.14-27 instead 
> of 1.2.3.14/28, which would not be very precise of a match.  Perhaps I 
> should be using /24 instead of /25?

Yes; the ipfw manpage has this example:

            As an example, an address specified as 1.2.3.4/24{128,35-55,89}
            will match the following IP addresses:
            1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .

Although I think a much better syntax would be 1.2.3.{128,35-55,89}.

-- 
	Dan Nelson
	dnelson@allantgroup.com
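The address-set matching described in the manpage excerpt above, as an added example that is not ipfw's own code and not part of the thread: a small Python model that parses `addr/masklen{list}` the way the manpage defines it, so a rule's destination set can be expanded and checked before it is loaded. It assumes list elements are offsets from the masked base address and must fit inside the /masklen set; that range check is an assumption of this model, not a documented ipfw behaviour.

```python
import ipaddress
import re

# Constructed model of the ipfw "addr/masklen{list}" syntax (added illustration,
# not ipfw's code): an optional /masklen (default 24, must be 24..32) and a
# brace list of single numbers or lo-hi ranges, with no spaces anywhere.
SET_RE = re.compile(
    r"^(?P<addr>\d+\.\d+\.\d+\.\d+)(?:/(?P<mask>\d+))?\{(?P<list>[^}]*)\}$"
)


def parse_addr_set(spec):
    """Return (base, size, members) for e.g. '1.2.3.4/24{128,35-55,89}'.

    base is the address with the low (32 - masklen) bits cleared, size is the
    number of addresses the mask covers, members are the listed offsets."""
    m = SET_RE.match(spec)
    if not m:
        raise ValueError("not an address-set spec: %r" % spec)
    masklen = int(m.group("mask") or 24)  # manpage: masklen defaults to 24
    if not 24 <= masklen <= 32:
        raise ValueError("masklen must be between 24 and 32")
    size = 1 << (32 - masklen)
    base = int(ipaddress.IPv4Address(m.group("addr"))) & ~(size - 1)
    members = set()
    for item in m.group("list").split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        # Assumption: every element must lie inside the /masklen set.
        if not 0 <= lo <= hi < size:
            raise ValueError("element %s outside the /%d set" % (item, masklen))
        members.update(range(lo, hi + 1))
    return base, size, frozenset(members)


def addr_in_set(addr, spec):
    """True if dotted-quad addr matches the address set spec."""
    base, size, members = parse_addr_set(spec)
    off = int(ipaddress.IPv4Address(addr)) - base
    return 0 <= off < size and off in members


def expand_addr_set(spec):
    """List every address the set matches, for auditing a rule before loading."""
    base, _, members = parse_addr_set(spec)
    return [str(ipaddress.IPv4Address(base + o)) for o in sorted(members)]
```

Expanding the set from the thread's rule shows 1.2.3.127 is not in it, which is the kind of check worth running on a ruleset before trusting a port is closed.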
