Date: Thu, 9 May 2002 15:43:40 -0700
From: Derrick John Klise <derrick@lumiere.net>
To: Naughty Taz <naughty_taz@hotmail.com>
Cc: security@freebsd.org
Subject: Re: IPFW and IP/mask mathematics
Message-ID: <20020509154340.A8964@leaf.lumiere.net>
In-Reply-To: <004d01c1f7ae$e752ad90$626a003e@homepc>; from naughty_taz@hotmail.com on Fri, May 10, 2002 at 01:11:51AM +0200
References: <200205091557.13783.dowen@pstis.com> <004d01c1f7ae$e752ad90$626a003e@homepc>

On Fri, May 10, 2002 at 01:11:51AM +0200, Naughty Taz wrote:
> Hehehehe :)
>
> That was not my intention of course. Observe:
>
> 1) allow traffic from ANY to IP's in the range (0.0.0.0 - XXX.128.0.0)
> 2) block traffic from ANY to IP's in the range (XXX.128.0.0 -
> XXX.146.159.255)
> 3) allow traffic from ANY to IP's in the range (XXX.146.160.0 -
> 255.255.255.255)
>
> Is it more clear now?
>
> /Taz
>

Well, first try here to find the subnet numberings of the ranges that
you want:

http://www.telusplanet.net/public/sparkman/netcalc.htm

I think they also have a more detailed explanation of the dotted decimal
versus the number of bits (a.b.c.d/e) somewhere on the related pages if
you're interested.

Anywho, then take the resulting mask (a.b.c.d/e) and just write the
rules as you normally would:

    ipfw add deny tcp from 1.2.3.0/24 to any

The above would deny tcp from 1.2.3.0 through 1.2.3.255 to any.

-- 
Derrick John Klise <derrick@lumiere.net>
"I went into a general store, and they wouldn't sell me anything
specific". -- Steven Wright

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
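
Added example, not part of the original message or of ipfw itself: the range-to-mask arithmetic discussed in this exchange, written out in Python so the a.b.c.d/e blocks for an arbitrary range can be computed and turned into deny rules. The function names are hypothetical, and 10 is a constructed stand-in for the XXX octet in the quoted question.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the fewest a.b.c.d/e blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # A block of 2^k addresses must start on a multiple of 2^k, so the
        # lowest set bit of lo is the largest block that can start there.
        size = lo & -lo if lo else 1 << 32
        # Halve it until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)   # /e = 32 - log2(size)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += size
    return blocks

def ipfw_deny_rules(first, last):
    """One 'deny ... from any to <block>' rule per block covering the range."""
    return [f"ipfw add deny ip from any to {b}" for b in range_to_cidrs(first, last)]

if __name__ == "__main__":
    # Constructed sample: 10 stands in for the XXX octet in the quoted question.
    for rule in ipfw_deny_rules("10.128.0.0", "10.146.159.255"):
        print(rule)
```

Because ipfw stops at the first matching rule, placing these deny rules ahead of a general allow rule leaves the addresses below and above the range permitted.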