From: budsz
To: freebsd-questions@freebsd.org
Date: Tue, 13 May 2008 09:04:21 +0700
Message-ID: <4d4dc3640805121904i7fd5da1bl1af6f41830889942@mail.gmail.com>
In-Reply-To: <4d4dc3640805061548v44e28b8aue4a683d263d878bf@mail.gmail.com>
Subject: Re: Syntax base IP

On Tue, May 6, 2008 at 3:59 PM, Andrey V. Elsukov wrote:
> budsz wrote:
> >
> > ipunlimit="192.168.0.100/32,10.35.4.1/32,202.129.189.42/32,\
> > 202.129.189.45/32,125.163.77.180/32,202.43.167.70/32,\
> > 202.43.167.72/32,202.43.161.119/32,202.10.32.10/32,202.93.20.22/32,\
> > 202.93.20.23/32,202.93.20.24/32,122.102.49.132/32,\
> > 202.43.161.124/32,202.93.247.26/32,202.93.247.28/32"
> >
> > ${fwcmd} add 100 pipe 1 ip from ${ippriviix} to { not ${ipunlimit} } ${portlim} via ${ifint0}
> > ${fwcmd} add 101 pipe 1 ip from { not ${ipunlimit} } ${portlim} to ${ippriviix} via ${ifint0}
> >
> > Executing firewall I got error message like this:
> > #sh /etc/rc.firewall
> > ipfw: opcode 6 size 33 wrong
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > ipfw: opcode 2 size 33 wrong
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
>

Hello, I've got some problem here; these are examples of the rules I've set:

portlim="20-21,80,88,443,2009,8080,8088,10007,18755"
bwunlimit="64Kbit/s"

${fwcmd} pipe 1 config bw ${bwunlimit}
${fwcmd} table 1 add 10.35.4.1/32 1
${fwcmd} table 1 add 122.102.49.132/32 1
${fwcmd} table 1 add 125.163.77.180/32 1
${fwcmd} table 1 add 192.168.0.100/32 1
${fwcmd} table 1 add 202.10.32.10/32 1
${fwcmd} table 1 add 202.129.189.42/32 1
${fwcmd} table 1 add 202.129.189.45/32 1
${fwcmd} table 1 add 202.43.161.119/32 1
${fwcmd} table 1 add 202.43.161.124/32 1
${fwcmd} table 1 add 202.43.167.70/32 1
${fwcmd} table 1 add 202.43.167.72/32 1
${fwcmd} table 1 add 202.93.20.22/32 1
${fwcmd} table 1 add 202.93.20.23/32 1
${fwcmd} table 1 add 202.93.20.24/32 1
${fwcmd} table 1 add 202.93.247.26/32 1
${fwcmd} table 1 add 202.93.247.28/32 1
${fwcmd} add 100 pipe tablearg ip from ${ippriviix} to not "table(1)" ${portlim} via ${ifint0}
${fwcmd} add 101 pipe tablearg ip from not "table(1)" ${portlim} to ${ippriviix} via ${ifint0}

As a result, those IP addresses can pass, but any other IP addresses (other than those above) cannot be accessed, as if they were blocked. My intention is to limit (NOT block) any other IP addresses (other than those above). How could I use the 'not' keyword for the above case?

Thank you

-- 
budsz
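An added example, not a reply from the thread and not the poster's script: a POSIX sh script that builds the "rate-limit everyone except the table" ruleset as text so it can be checked with a dry run before being handed to ipfw. It uses a fixed pipe number instead of tablearg, since tablearg is taken from the table entry that matched and a packet matching `not table(1)` has no matching entry; the interface (em0), the internal network (10.35.0.0/16) and the shortened exemption list are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): build the "rate-limit everyone except
# these addresses" ruleset as text first, so it can be reviewed with a dry run
# before being handed to ipfw. Interface and internal network are assumed.

fwcmd="${fwcmd:-/sbin/ipfw}"
ifint0="${ifint0:-em0}"                  # assumed LAN interface
ippriviix="${ippriviix:-10.35.0.0/16}"   # assumed internal network
portlim="20-21,80,88,443,2009,8080,8088,10007,18755"
bwlimit="64Kbit/s"
# Constructed, shortened exemption list; addresses as in the post
ipunlimit="192.168.0.100 10.35.4.1/32 202.129.189.42/32"

# Print one "table N add" line per address. Bare addresses get /32;
# anything that is not a dotted quad with a prefix length is rejected.
table_add_lines() {
    table=$1; shift
    for a in "$@"; do
        case $a in
            */*) ;;
            *) a="$a/32" ;;
        esac
        echo "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
            echo "table_add_lines: bad address: $a" >&2; return 1; }
        echo "table $table add $a"
    done
}

# Rules for the whole set. The pipe number is fixed (1) rather than tablearg:
# tablearg takes its value from the table entry that matched, and a packet
# matching 'not table(1)' has no matching entry to supply one.
limit_rules() {
    echo "pipe 1 config bw $bwlimit"
    table_add_lines 1 $ipunlimit || return 1   # unquoted: split on spaces
    echo "add 100 pipe 1 ip from $ippriviix to not table(1) $portlim via $ifint0"
    echo "add 101 pipe 1 ip from not table(1) $portlim to $ippriviix via $ifint0"
}

# Dry run by default; APPLY=1 feeds each line to ipfw (needs root on FreeBSD).
if [ "${APPLY:-0}" = 1 ]; then
    limit_rules | while read -r line; do $fwcmd $line; done
else
    limit_rules
fi
```

Run it without APPLY to see the generated rules; a malformed entry in the list aborts the run before anything reaches ipfw.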