Date:      Tue, 5 Oct 1999 16:15:22 -0500
From:      Dan Nelson <dnelson@emsphone.com>
To:        Jenkins.Mike@epamail.epa.gov
Cc:        ru@ucb.crimea.ua, questions@FreeBSD.ORG
Subject:   Re: ipfw and ports > 1023?
Message-ID:  <19991005161522.A99545@dan.emsphone.com>
In-Reply-To: <85256801.006877BD.00@EPAHUB2.RTP.EPA.GOV>
References:  <85256801.006877BD.00@EPAHUB2.RTP.EPA.GOV>

In the last episode (Oct 05), Jenkins.Mike@epamail.epa.gov said:
> >> How do you say "ports > 1023" in ipfw? I see the port-port syntax
> >> but that is for a limited range of ports.
> 
> Dan Nelson replied:
> >port 1024-65535
> 
> Ruslan Ermilov replied with ipfw(8) and:
> >So, we say "1024-".
> 
> My second sentence in the original post hinted about this but ... In
> the ipfw(8) manual page it says:
> 
>   "A range may only be specified as the first value, and the length
>   of the port list is limited to IP_FW_MAX_PORTS (as defined in
>   /usr/src/sys/netinet/ip_fw.h) ports."
> 
> IP_FW_MAX_PORTS is 10 so the maximum number of ports listed is 10. So
> 20-29 would be ok (and so would 20-24,50,60,70,80,90) but 1024-65535
> is NOT ok and probably results in 1024-1033.  I think the intent is
> to allow a small number of ports on a single rule rather than having
> multiple rules.  Eg:

The ports are stored internally as an array of 10 numbers; if the
IP_FW_F_SRNG flag is set for the rule, the first two ports in the array
are interpreted as a range.

So you can have a range and it can be as wide as you like, but it must
be specified first in the port list, and you can only have one range
per rule.

-- 
	Dan Nelson
	dnelson@emsphone.com
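Dan's description above (a fixed array of IP_FW_MAX_PORTS entries, with the first two read as a range when the IP_FW_F_SRNG flag is set) is the whole rule, so here is a small model of it. This is an added illustration, not code from FreeBSD's ip_fw.c or from anyone on this thread. It assumes IP_FW_MAX_PORTS is 10 as quoted, that a range consumes two slots and must be the first entry, that the remaining entries are matched by equality, and that the "1024-" shorthand mentioned by Ruslan means "1024 through 65535"; the function and class names are mine.

```python
"""Model of the ipfw(8) port-list rules described in the thread.

Added example, not FreeBSD code. Assumptions (from the thread, not from ip_fw.c):
  - IP_FW_MAX_PORTS is 10 and the port list is a fixed array of that size;
  - a range occupies the first two slots and sets the IP_FW_F_SRNG flag;
  - at most one range per rule, and it must come first;
  - every other entry is a single port matched by equality;
  - 'N-' with no upper bound means N through 65535 (Ruslan's shorthand).
"""
from __future__ import annotations

from dataclasses import dataclass, field

IP_FW_MAX_PORTS = 10   # value quoted in the thread
PORT_MAX = 65535


@dataclass
class PortList:
    """Stand-in for the kernel's fixed array plus range flag."""
    ports: list[int] = field(default_factory=list)   # up to IP_FW_MAX_PORTS entries
    srng: bool = False                                # models IP_FW_F_SRNG


def _parse_port(tok: str) -> int:
    p = int(tok)
    if not 0 <= p <= PORT_MAX:
        raise ValueError(f"port out of range: {tok!r}")
    return p


def parse_port_list(spec: str) -> PortList:
    """Parse 'a-b,c,d,...' under the constraints quoted from ipfw(8).

    Raises ValueError for a range anywhere but first (which also rules out a
    second range), or a list that does not fit in IP_FW_MAX_PORTS slots
    (a range uses two slots, so the widest list is one range plus eight ports).
    """
    pl = PortList()
    for i, tok in enumerate(spec.split(",")):
        tok = tok.strip()
        if "-" in tok:
            if i != 0:
                raise ValueError(f"range {tok!r} must be the first entry")
            lo, hi = tok.split("-", 1)
            lo_p = _parse_port(lo)
            hi_p = PORT_MAX if hi == "" else _parse_port(hi)   # 'N-' shorthand (assumption)
            if lo_p > hi_p:
                raise ValueError(f"inverted range {tok!r}")
            pl.ports.extend([lo_p, hi_p])   # range occupies the first two slots
            pl.srng = True
        else:
            pl.ports.append(_parse_port(tok))
        if len(pl.ports) > IP_FW_MAX_PORTS:
            raise ValueError(f"port list exceeds IP_FW_MAX_PORTS ({IP_FW_MAX_PORTS})")
    if not pl.ports:
        raise ValueError("empty port list")
    return pl


def is_valid(spec: str) -> bool:
    """True if the spec would be accepted under the rules above."""
    try:
        parse_port_list(spec)
        return True
    except ValueError:
        return False


def port_matches(pl: PortList, port: int) -> bool:
    """Match the way Dan describes: range check on slots 0-1 if srng, then equality."""
    entries = pl.ports
    if pl.srng:
        if entries[0] <= port <= entries[1]:
            return True
        entries = entries[2:]
    return port in entries


if __name__ == "__main__":
    for spec in ("1024-65535", "1024-", "20-24,50,60,70,80,90",
                 "50,20-24", "20-24,30-40",
                 "20-24,50,60,70,80,90,100,110,120,130"):
        print(f"{spec:45s} valid={is_valid(spec)}")
```

The point the thread settles shows up in the last three cases: a range is rejected when it is not the first entry, and an eleven-slot list is rejected even though the wide "1024-65535" range (two slots) is fine.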

