Date: Tue, 2 Aug 2016 15:14:25 +0200
From: Willem Jan Withagen <wjw@digiware.nl>
To: Julian Elischer <julian@freebsd.org>, "Dr. Rolf Jansen" <rj@obsigna.com>, freebsd-ipfw@freebsd.org
Subject: Re: ipfw divert filter for IPv4 geo-blocking
Message-ID: <2e7d84c7-e962-e131-b788-81a6489b9f95@digiware.nl>
In-Reply-To: <d312fa79-ae83-6054-3ef0-18631c40227e@freebsd.org>
References: <61DFB3E2-6E34-4EEA-8AC6-70094CEACA72@cyclaero.com> <CAHu1Y739PvFqqEKE74BjzgLa7NNG6Kh55NPnU5MaA-8HsrjkFw@mail.gmail.com> <4D047727-F7D0-4BEE-BD42-2501F44C9550@obsigna.com> <c2cd797d-66db-8673-af4e-552dfa916a76@freebsd.org> <9641D08A-0501-4AA2-9DF6-D5AFE6CB2975@obsigna.com> <4d76a492-17ae-cbff-f92f-5bbbb1339aad@freebsd.org> <C0CC7001-16FE-40BF-A96A-1FA51A0AFBA7@obsigna.com> <677900fb-c717-743f-fcfe-86b603466e33@freebsd.org> <0D3C9016-7A4A-46BA-B35F-3844D07562A8@obsigna.com> <CAFPNf59w6BHgDjLNHW=rQckZAFG4gqPHL49vLXiDmMAxVPOcKg@mail.gmail.com> <1E1DB7E0-D354-4D7A-B657-0ECF94C12CE0@obsigna.com> <50d405a4-3f8f-a706-9cac-d1162925e56a@freebsd.org> <c62fa048-63c8-aef6-5bad-b0a6719f6acb@freebsd.org> <9222BB10-C700-4DE7-83A3-BE7A38A11713@obsigna.com> <1B36CAD7-A139-436B-B7EC-0FFF232F9C6A@obsigna.com> <d312fa79-ae83-6054-3ef0-18631c40227e@freebsd.org>

On 1-8-2016 07:22, Julian Elischer wrote:
> On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote:
>>
>> I am still a little bit amazed how ipfw comes to accept incorrect CIDR
>> ranges and arbitrarily moves the start/end addresses in order to
>> achieve CIDR conformity, and that without any further notice, and that
>> given that ipfw can be considered as being quite relevant to system
>> security. Or, may I assume that ipfw knows always better than the user
>> what should be allowed or denied. Otherwise, perhaps I am the only one
>> ever who input incorrect CIDR ranges for processing by ipfw.
> it's not so amazing when you think about it. The code comes from the
> routing table..
>
> In this context a.b.c.d/N means "the range of addresses containing
> a.b.c.d, masked to a length of N". there is no specification that
> a.b.c.d is the first address of the range. I have relied upon this
> behaviour many times.

I happily agree with Julian....
Rarely have I given the exact address of a router and its net much
thought. And apply happily a.b.c.27/26 in ipfw, assuming that ipfw would
figure out what the actual network part of the address was.

--WjW
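
Added example, not part of the original message and not ipfw code: a Python sketch of the masking semantics discussed in this thread, flagging table entries whose host bits are set and showing the range such an entry is masked to. It goes one step beyond the message by also computing the exact CIDR cover of a start..end range; the function names and the sample entries (RFC 5737 documentation addresses standing in for a.b.c.27/26) are constructed for illustration.

```python
import ipaddress

# Constructed sample table; 192.0.2.27/26 stands in for the a.b.c.27/26 case.
SAMPLE = ["192.0.2.27/26", "198.51.100.0/24", "203.0.113.130/25"]

def effective_range(cidr):
    """Read a.b.c.d/N as 'the range containing a.b.c.d, masked to length N'.

    Returns (network, first, last, host_bits_set)."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network  # address with the host bits cleared
    dirty = iface.ip != net.network_address
    return net, net.network_address, net.broadcast_address, dirty

def lint_table(entries):
    """Report entries where masking moves the start of the range.

    Each finding is (entry, masked network, addresses matched below the
    address the user wrote)."""
    findings = []
    for entry in entries:
        net, first, _last, dirty = effective_range(entry)
        if dirty:
            stated = ipaddress.ip_interface(entry).ip
            findings.append((entry, str(net), int(stated) - int(first)))
    return findings

def exact_cover(first, last):
    """CIDR blocks covering exactly first..last, for the case where the
    written address was meant as the start of the range."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def is_canonical(cidr):
    """True when the prefix has no host bits set (strict parsing succeeds)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for entry, net, extra in lint_table(SAMPLE):
        print(f"{entry}: masked to {net}, {extra} addresses below the stated one")
    print(exact_cover("192.0.2.27", "192.0.2.63"))
```

Running such a check over a generated block list before loading it makes the silent shift visible: an entry written as .27/26 matches the whole .0 to .63 block, not .27 upward.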