From: Dan Nelson
To: Drew Tomlinson
Cc: FreeBSD Questions
Date: Wed, 8 Feb 2006 17:57:03 -0600
Subject: Re: Best Way To Block Range of Addresses with ipfw2?

In the last episode (Feb 08), Drew Tomlinson said:
> On 2/8/2006 3:11 PM Chuck Swiger wrote:
> >Drew Tomlinson wrote:
> >>I want to deny access to addresses in this range:
> >>
> >>84.57.113.0 - 84.61.96.255
> >>
> >>What is the best way to specify this range for ipfw2?  There must
> >>be a better way than listing a whole bunch of individual networks.
> >
> >deny ip from 84.56.0.0/13 to any
> >
> >...comes pretty close.  Use finer-grained allow rule before that if you
> >need to pass stuff in 84.56.0.0/16, for example.
>
> Thanks.  I found that too but was just wondering if there was a way
> to be exact.

You could use an ipfw table to store the required subnets that cover
your range; according to the manpage it's the most efficient way to
store large address sets, and it also saves you from cluttering up your
ruleset.

-- 
	Dan Nelson
	dnelson@allantgroup.com
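
The table approach suggested in the reply above, as an added example that is not part of the original message: it computes the exact set of CIDR blocks covering 84.57.113.0 - 84.61.96.255, shows how many extra addresses the single /13 would also block, and prints the ipfw commands to load the blocks. Table number 1 and rule number 1000 are assumptions chosen for illustration.

```python
import ipaddress

def cover_range(first, last):
    """Smallest list of CIDR blocks covering exactly first..last (inclusive)."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    return list(ipaddress.summarize_address_range(lo, hi))

def excess_addresses(supernet, first, last):
    """Addresses outside first..last that one enclosing supernet would also match."""
    net = ipaddress.ip_network(supernet)
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo < net.network_address or hi > net.broadcast_address:
        raise ValueError("supernet does not contain the whole range")
    return net.num_addresses - (int(hi) - int(lo) + 1)

def ipfw_commands(blocks, table=1, rule=1000):
    """ipfw2 commands: refill the table, then one deny rule that references it.

    table and rule numbers are assumed values, pick ones free in your ruleset.
    """
    cmds = [f"ipfw table {table} flush"]
    cmds += [f"ipfw table {table} add {block}" for block in blocks]
    # Quote table(N) so the shell does not interpret the parentheses.
    cmds.append(f"ipfw add {rule} deny ip from 'table({table})' to any")
    return cmds

if __name__ == "__main__":
    first, last = "84.57.113.0", "84.61.96.255"   # range from the thread
    blocks = cover_range(first, last)
    extra = excess_addresses("84.56.0.0/13", first, last)
    print(f"# {len(blocks)} blocks cover the range exactly")
    print(f"# 84.56.0.0/13 alone would block {extra} addresses outside it")
    for cmd in ipfw_commands(blocks):
        print(cmd)
```

Because the rule only references the table, the address list can later be changed with `ipfw table 1 add` or `ipfw table 1 delete` without touching the ruleset.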