From: Steve Bertrand
Date: Wed, 02 May 2007 16:38:25 -0400
To: Tun Eler
Cc: freebsd-questions@freebsd.org
Subject: Re: IP FILTER and network address
Message-ID: <4638F6C1.4010105@ibctech.ca>
In-Reply-To: <20070502202911.01FDD7AEB8@ws5-10.us4.outblaze.com>

Tun Eler wrote:
> Hi all,
> I want to have these two rules in the ipf.rules file:
>
> pass in quick on $oif proto tcp from 217.83.122.17/8 to $myip port = 22 flags S keep state
> pass in quick on $oif proto tcp from 217.83.89.61/8 to $myip port = 22 flags S keep state
>
> where $oif is my interface. Executing the config file, I get the following error:
>
> ioctl(add/insert rule): File exists
>
> which means the rule is being loaded twice. But the network addresses above are
> different!!! If I comment out either of the above two lines, ipf executes fine.
> Any idea how to solve this error and allow only these two networks above?
> Thanks in advance ...

Appending your IP with /8 ends you up with two rules that essentially look like this (AFAIK):

pass in quick on $oif proto tcp from 217.0.0.0/8 to $myip port = 22 flags S keep state
pass in quick on $oif proto tcp from 217.0.0.0/8 to $myip port = 22 flags S keep state

Perhaps you want to filter the IPs only, like:

pass in quick on $oif proto tcp from 217.83.122.17/32 to $myip port = 22 flags S keep state
pass in quick on $oif proto tcp from 217.83.89.61/32 to $myip port = 22 flags S keep state

Regards,
Steve
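The collision Steve describes can be checked before the rules ever reach ipf: "File exists" is the text of errno EEXIST, which ipf returns when a rule identical to one already loaded is inserted again. The script below is an added example, not part of the original thread or of the ipfilter distribution. It normalizes every address/prefix in a rule line to the network ipf actually compares on (host bits cleared, so 217.83.122.17/8 becomes 217.0.0.0/8) and reports any rule that collapses onto an earlier one. The two rule sets it checks are constructed from the question and the reply; $oif and $myip are left as literal tokens, and the regex and function names are this example's own.

```python
"""Detect ipf rules that become duplicates once their CIDR masks are applied."""
import ipaddress
import re

# Constructed sample input: the rules exactly as posted in the question (/8 masks)
RULES_AS_POSTED = """\
pass in quick on $oif proto tcp from 217.83.122.17/8 to $myip port = 22 flags S keep state
pass in quick on $oif proto tcp from 217.83.89.61/8 to $myip port = 22 flags S keep state
"""

# Constructed sample input: the corrected rules from the reply (/32 host masks)
RULES_FIXED = """\
pass in quick on $oif proto tcp from 217.83.122.17/32 to $myip port = 22 flags S keep state
pass in quick on $oif proto tcp from 217.83.89.61/32 to $myip port = 22 flags S keep state
"""

# Matches a dotted-quad IPv4 address with an optional /prefix. Lone numbers such as
# the "22" in "port = 22" do not match because four octets are required.
_ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\b")


def normalize_rule(rule: str) -> str:
    """Rewrite every address/prefix in a rule line as the network ipf matches on.

    An address with no prefix is treated as a /32 host. Host bits under the
    mask are cleared (strict=False), so 217.83.122.17/8 -> 217.0.0.0/8.
    Whitespace is collapsed so that only the filtering semantics are compared.
    """
    def _to_network(match: re.Match) -> str:
        addr, plen = match.group(1), match.group(2) or "32"
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return f"{net.network_address}/{net.prefixlen}"

    return " ".join(_ADDR_RE.sub(_to_network, rule).split())


def find_duplicate_rules(ruleset: str) -> list:
    """Return (line_no, normalized_rule, first_line_no) for each rule that is
    identical, after normalization, to a rule loaded earlier in the file.
    Blank lines and '#' comments are skipped."""
    first_seen = {}
    duplicates = []
    for line_no, raw in enumerate(ruleset.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = normalize_rule(line)
        if key in first_seen:
            duplicates.append((line_no, key, first_seen[key]))
        else:
            first_seen[key] = line_no
    return duplicates


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        dups = find_duplicate_rules(rules)
        print(f"{label}: {len(dups)} duplicate rule(s)")
        for line_no, key, first in dups:
            print(f"  line {line_no} duplicates line {first}: {key}")
```

Run against the posted rules it reports line 2 as a duplicate of line 1, both normalized to `from 217.0.0.0/8`; against the /32 version it reports nothing. The same normalization is worth applying to any allow-list where a mask is hand-typed next to a host address, since a too-short prefix silently widens an SSH allow-list from one host to, here, an entire /8.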