From: "Robert Chalmers" <robert@chalmers.com.au>
To: freebsd-security@freebsd.org
Date: Wed, 24 Dec 2003 13:47:39 +1000
Subject:
Organization: The Mission of Our Lady of Fatima
List-Id: Security issues [members-only posting]

The man page gives this example, however, when I attempt to use it, it
seems to block the whole set? Could someone tell me what's going wrong
here please. Thanks heaps..

This works,

    ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}

This blocks the whole IP block, not just the list?

    ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-199,204-254} in via ${oif}

the man page bit...

    list: {num | num-num}[,list]
        Matches all addresses with base address addr (specified as a dotted
        quad or a hostname) and whose last byte is in the list between
        braces { } .  Note that there must be no spaces between braces and
        numbers (spaces after commas are allowed).  Elements of the list
        can be specified as single entries or ranges.  The masklen field
        is used to limit the size of the set of addresses, and can have
        any value between 24 and 32.  If not specified, it will be assumed
        as 24.
        This format is particularly useful to handle sparse address sets
        within a single rule.  Because the matching occurs using a bitmask,
        it takes constant time and dramatically reduces the complexity of
        rulesets.
        As an example, an address specified as 1.2.3.4/24{128,35-55,89}
        will match the following IP addresses:
        1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .

Thanks
Robert
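As an added illustration (not part of Robert's message and not ipfw's own code), the following Python parses the addr[/masklen]{list} form exactly as the quoted man page text describes it, builds the same kind of last-byte bitmask, and expands a spec into the concrete addresses a rule would match; it assumes addr is a dotted quad (hostnames are not resolved) and that masklen defaults to 24.

```python
import ipaddress
import re

# Constructed regex for the ipfw addr[/masklen]{list} form; hostnames are
# not resolved here (assumption: addr is a dotted quad).
_SET_RE = re.compile(r"^(?P<addr>[0-9.]+)(?:/(?P<masklen>\d+))?\{(?P<list>[^}]*)\}$")


def parse_ipfw_set(spec):
    """Return (network, bitmask) for an ipfw addr[/masklen]{list} spec.

    Bit b of the returned bitmask is set iff last byte b is in the list.
    """
    m = _SET_RE.match(spec)
    if not m:
        raise ValueError("not an addr/masklen{list} spec: %r" % spec)
    masklen = int(m.group("masklen") or 24)        # man page: default is 24
    if not 24 <= masklen <= 32:
        raise ValueError("masklen must be between 24 and 32")
    items = m.group("list")
    if items != items.strip():                      # no spaces next to braces
        raise ValueError("no spaces allowed between braces and numbers")
    bits = 0
    for item in items.split(","):
        lo, _, hi = item.strip().partition("-")     # spaces after commas are OK
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad list element: %r" % item)
        bits |= ((1 << (hi - lo + 1)) - 1) << lo    # set bits lo..hi inclusive
    net = ipaddress.ip_network("%s/%d" % (m.group("addr"), masklen), strict=False)
    return net, bits


def matches(spec, ip):
    """True if ip is inside the network and its last byte is in the list."""
    net, bits = parse_ipfw_set(spec)
    addr = ipaddress.ip_address(ip)
    return addr in net and bool((bits >> (int(addr) & 0xFF)) & 1)


def members(spec):
    """Expand the set into the concrete addresses the rule would match."""
    net, bits = parse_ipfw_set(spec)
    prefix = int(net.network_address) & ~0xFF
    return [str(ipaddress.ip_address(prefix | b)) for b in range(256)
            if (bits >> b) & 1 and ipaddress.ip_address(prefix | b) in net]


if __name__ == "__main__":
    # Man page example: 1.2.3.4/24{128,35-55,89} -> .35-.55, .89, .128
    print(members("1.2.3.4/24{128,35-55,89}"))
    # The set from the question: .0, .1, .3-.5, .26, .155, .200-.203, .255 are not in it
    print(matches("203.1.96.0/24{2,6-25,27-154,156-199,204-254}", "203.1.96.1"))
```

Running it against the spec from the question shows which hosts the list actually names, so a "this blocks everything" symptom can be separated from the address-set syntax itself.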