Date:      Tue, 12 Nov 2002 14:40:01 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw matching
Message-ID:  <20021112144001.GF16105@happy-idiot-talk.infracaninophi>
In-Reply-To: <200211121238.GACCC2S56488@asarian-host.net>
References:  <200211121238.GACCC2S56488@asarian-host.net>

On Tue, Nov 12, 2002 at 01:37:57PM +0100, Mark wrote:
> I have a quick question on the way ipfw matches IP masks. If I give this IP
> address:
> 
>     12.144.51.128/17

That's not entirely correct: 12.144.51.128 is in the middle of a /17
netblock.

                 Address
Network:         12.144.0.0
Sample Address:  12.144.51.128
Broadcast:       12.144.127.255
Host Addresses:  32766
Netmask:         /17 255.255.128.0

Perhaps you meant 12.144.51.128/27:

                 Address
Network:         12.144.51.128
Sample Address:  12.144.51.128
Broadcast:       12.144.51.159
Host Addresses:  30
Netmask:         /27 255.255.255.224

> Am I then correct in thinking it will match all IP addresses from
> 12.144.51.128 to 12.144.51.255? Or will it start matching from 12.144.51.0?
> (not what I want).

Nope. Wrong on all counts I'm afraid.  To match addresses from
12.144.51.128 to 12.144.51.255 you want:

   12.144.51.128/25
 
> Now for the harder question (I guess there is a second question, after all).
> If I want to match from 12.51.0 to 12.51.15 (and all their hosts
> underneath), would I write this:
> 
>     12.51.0.0:255.255.240.255 ?

I don't think it's really defined what will happen if you use a
netmask that doesn't consist of a leading block of '1's followed by a
block of '0's --- as far as I remember, the networking standards don't
actually outlaw such a thing, but all common practice and probably
common sense says otherwise.

Quite what IPFW would make of such a construct is something you'll
have to find out by experiment.

> I really wanna crack down on some spammers, but not waste too many ipfw
> rules on it.

Closest I can get is:

    12.51.0.0/20

which will block addresses from 12.51.0.0 to 12.51.15.255 inclusive.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
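
The block arithmetic in the message above can be checked before a rule is written. This is an added example, not part of the original message; the function names are hypothetical, and and_mask_match() assumes a plain bitwise-AND comparison, which the message does not confirm for ipfw.

```python
import ipaddress

def block_summary(cidr):
    """(network, broadcast, usable hosts, base_is_aligned) for an addr/len string."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    usable = max(net.num_addresses - 2, 0)
    return (str(net.network_address), str(net.broadcast_address),
            usable, iface.ip == net.network_address)

def mask_is_contiguous(mask):
    """True if the dotted-quad mask is leading 1-bits followed only by 0-bits."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    # A contiguous mask inverts to 0...01...1, so adding 1 clears every set bit.
    return (inverted & (inverted + 1)) == 0

def and_mask_match(addr, base, mask):
    """ASSUMED semantics (not confirmed for ipfw): (addr & mask) == (base & mask)."""
    a, b, m = (int(ipaddress.IPv4Address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)

def smallest_cover(first, last):
    """Smallest single CIDR block that contains both first and last."""
    a = int(ipaddress.IPv4Address(first))
    b = int(ipaddress.IPv4Address(last))
    prefix = 32 - (a ^ b).bit_length()  # bits shared from the left
    return str(ipaddress.ip_network(f"{first}/{prefix}", strict=False))

if __name__ == "__main__":
    for cidr in ("12.144.51.128/17", "12.144.51.128/27", "12.144.51.128/25"):
        net, bcast, hosts, aligned = block_summary(cidr)
        note = "" if aligned else "  <- base address is not the network address"
        print(f"{cidr:20} {net} - {bcast}  hosts={hosts}{note}")

    mask = "255.255.240.255"
    print(mask, "contiguous:", mask_is_contiguous(mask))
    # Under the assumed AND semantics this mask pins the last octet to 0,
    # so only 12.51.0.0, 12.51.1.0, ... 12.51.15.0 would match.
    for addr in ("12.51.7.0", "12.51.7.9", "12.51.16.0"):
        print(" ", addr, and_mask_match(addr, "12.51.0.0", mask))

    print(smallest_cover("12.51.0.0", "12.51.15.255"))
```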
