Date: Tue, 12 Nov 2002 14:40:01 +0000
From: Matthew Seaman
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw matching

On Tue, Nov 12, 2002 at 01:37:57PM +0100, Mark wrote:

> I have a quick question on the way ipfw matches IP masks. If I give this IP
> address:
>
> 12.144.51.128/17

That's not entirely correct: 12.144.51.128 is in the middle of a /17
netblock.

    Address Network: 12.144.0.0
    Sample Address:  12.144.51.128
    Broadcast:       12.144.127.255
    Host Addresses:  32766
    Netmask:         /17 255.255.128.0

Perhaps you meant 12.144.51.128/27:

    Address Network: 12.144.51.128
    Sample Address:  12.144.51.128
    Broadcast:       12.144.51.159
    Host Addresses:  30
    Netmask:         /27 255.255.255.224

> Am I then correct in thinking it will match all IP addresses from
> 12.144.51.128 to 12.144.51.255? Or will it start matching from 12.144.51.0?
> (not what I want).

Nope. Wrong on all counts I'm afraid. To match addresses from
12.144.51.128 to 12.144.51.255 you want:

    12.144.51.128/25

> Now for the harder question (I guess there is a second question, after all).
> If I want to match from 12.51.0 to 12.51.15 (and all their hosts
> underneath), would I write this:
>
> 12.51.0.0:255.255.240.255 ?

I don't think it's really defined what will happen if you use a
netmask that doesn't consist of a leading block of '1's followed by a
block of '0's --- as far as I remember, the networking standards don't
actually outlaw such a thing, but all common practice and probably
common sense says otherwise. Quite what IPFW would make of such a
construct is something you'll have to find out by experiment.

> I really wanna crack down on some spammers, but not waste too many ipfw
> rules on it.

Closest I can get is:

    12.51.0.0/20

which will block addresses from 12.51.0.0 to 12.51.15.255 inclusive.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
Tel: +44 1628 476614
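
The following is an added example, not part of the message above and not ipfw code: a Python check of which addresses each prefix in the thread really covers, and of why the mask 255.255.240.255 is not a usable prefix mask. The function names are hypothetical, and `bitwise_match` assumes a plain `(addr & mask) == (base & mask)` comparison, which is an assumption about how a packet filter might treat such a mask, not confirmed ipfw behaviour.

```python
import ipaddress

def covered_range(cidr):
    """Return (first, last, count) of the block that addr/len really denotes."""
    # strict=False masks off host bits, so 12.144.51.128/17 becomes 12.144.0.0/17
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses

def is_contiguous(mask):
    """True if the netmask is a leading run of 1 bits followed only by 0 bits."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    # A contiguous mask inverts to 0...01...1, which shares no bits with itself + 1
    return (inverted & (inverted + 1)) == 0

def bitwise_match(addr, base, mask):
    """Assumed matcher: plain bitwise AND comparison (not confirmed ipfw behaviour)."""
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)

def smallest_cover(first, last):
    """Shortest list of CIDR blocks that covers first..last exactly."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(block) for block in blocks]

if __name__ == "__main__":
    # Prefixes quoted in the thread
    for cidr in ("12.144.51.128/17", "12.144.51.128/27",
                 "12.144.51.128/25", "12.51.0.0/20"):
        print(cidr, "->", covered_range(cidr))

    # The mask from the question has a hole in the third octet
    for mask in ("255.255.240.0", "255.255.240.255"):
        print(mask, "contiguous:", is_contiguous(mask))

    # Constructed probe addresses: under a plain AND comparison the odd mask
    # only matches hosts whose last octet is exactly 0
    for probe in ("12.51.7.0", "12.51.7.25", "12.51.16.0"):
        print(probe, bitwise_match(probe, "12.51.0.0", "255.255.240.255"))

    # Going the other way: from the wanted range to the rule argument
    print(smallest_cover("12.144.51.128", "12.144.51.255"))
    print(smallest_cover("12.51.0.0", "12.51.15.255"))
```

Running a candidate rule through `covered_range` before loading it shows at a glance whether a block rule is wider or narrower than intended.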