From: Dan Nelson
To: Darek Milewski
Cc: freebsd-questions@freebsd.org
Date: Wed, 9 Mar 2005 10:27:14 -0600
Subject: Re: ipfw IP ranges
Message-ID: <20050309162714.GJ37452@dan.emsphone.com>
In-Reply-To: <422F213F.7000407@nyi.net>
References: <422F213F.7000407@nyi.net>
User-Agent: Mutt/1.5.8i
X-OS: FreeBSD 5.3-STABLE

In the last episode (Mar 09), Darek Milewski said:
> trying to specify IP ranges in ipfw. The man page is pretty brief in
> this respect, but I understand that I should be able to specify
>
> allow tcp from any to 1.2.3.0/25{14-24} 3389
>
> which should apply the rule to IP block of 1.2.3.14 through 1.2.3.24.
> However, I was just closing down 1.2.3.127 and noticed that a port
> that was closed was accessible. Turns out the rule above was
> matching traffic going to 1.2.3.127:3389.
>
> When running 'ipfw show' the allow from above is listed as
>
> allow tcp from any to 1.2.3.0/25 3389

Works for me on 5.3:

# ipfw add 400 allow tcp from any to "1.2.3.0/25{14-24}" 3389
00400 allow tcp from any to 1.2.3.0/25{14-24} dst-port 3389
# ipfw show
00400 0 0 allow tcp from any to 1.2.3.0/25{14-24} dst-port 3389

> So it looks like my original syntax enabled the rule for the whole /25
> subnet. Am I doing this wrong? If so, how can I specify ranges
> explicitly, meaning not using smaller subnets, i.e. 1.2.3.14-27 instead
> of 1.2.3.14/28, which would not be very precise of a match. Perhaps I
> should be using /24 instead of /25?

Yes; the ipfw manpage has this example:

     As an example, an address specified as 1.2.3.4/24{128,35-55,89} will
     match the following IP addresses:
     1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .

Although I think a much better syntax would be 1.2.3.{128,35-55,89}.

-- 
	Dan Nelson
	dnelson@allantgroup.com
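An added example (not from either poster or from the ipfw sources) that models the addr/masklen{list} syntax discussed in this thread, so a rule's address set can be expanded and checked before it is loaded into a firewall. It assumes the ipfw(8) description quoted above (masklen 24 to 32, default 24, list items single values or lo-hi ranges) and treats each list value as an offset from the network base, which equals the last byte for the bases used in this thread.

```python
import ipaddress
import re

# Grammar per ipfw(8): addr[/masklen]{list}; masklen 24..32 (default 24),
# list items are single values or "lo-hi" ranges, no spaces inside braces.
_SET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\{([^}]*)\}$")


def parse_ipfw_set(spec: str):
    """Return (network, set of offsets from the network base) for an ipfw set."""
    m = _SET_RE.match(spec)
    if not m:
        raise ValueError(f"not an ipfw address set: {spec!r}")
    base, masklen, items = m.group(1), int(m.group(2) or 24), m.group(3)
    if not 24 <= masklen <= 32:
        raise ValueError(f"masklen {masklen} must be between 24 and 32")
    net = ipaddress.ip_network(f"{base}/{masklen}", strict=False)
    limit = net.num_addresses  # assumption: values must fit inside the block
    offsets = set()
    for item in items.split(","):
        lo_s, _, hi_s = item.strip().partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not 0 <= lo <= hi < limit:
            raise ValueError(f"list element {item!r} outside {net}")
        offsets.update(range(lo, hi + 1))
    return net, offsets


def matches(spec: str, ip: str) -> bool:
    """True if ip falls inside the address set (what the rule should match)."""
    net, offsets = parse_ipfw_set(spec)
    addr = ipaddress.ip_address(ip)
    return addr in net and (int(addr) - int(net.network_address)) in offsets


def expand(spec: str) -> list:
    """Every address the set matches, for reviewing a rule before loading it."""
    net, offsets = parse_ipfw_set(spec)
    base = int(net.network_address)
    return [str(ipaddress.ip_address(base + o)) for o in sorted(offsets)]


if __name__ == "__main__":
    # The rule from the thread: .14 through .24 should match, .127 should not.
    for ip in ("1.2.3.14", "1.2.3.24", "1.2.3.127"):
        print("1.2.3.0/25{14-24}", ip, matches("1.2.3.0/25{14-24}", ip))
    # The manpage example: .128, .35 to .55 and .89
    print(expand("1.2.3.4/24{128,35-55,89}"))
```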