Date:      Wed, 24 Dec 2003 14:09:12 +1000
From:      "Robert Chalmers" <robert@the-mission-of-our-lady-of-fatima.org>
To:        <freebsd-security@freebsd.org>
Subject:   address specified as 1.2.3.4/24{128,35-55,89} Is this Correct ????
Message-ID:  <004301c3c9d3$b0219860$1a6001cb@chalmers.com.au>

The man page gives this example, however, when I attempt to use it, it seems
to block the whole set?

Could someone tell me what's going wrong here please. Thanks heaps..

This works,
        ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}

This blocks the whole IP block, not just the list?
        ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}


the man page bit...



     list: {num | num-num}[,list]
             Matches all addresses with base address addr (specified as a
             dotted quad or a hostname) and whose last byte is in the list
             between braces { } .  Note that there must be no spaces between
             braces and numbers (spaces after commas are allowed).  Elements
             of the list can be specified as single entries or ranges.  The
             masklen field is used to limit the size of the set of addresses,
             and can have any value between 24 and 32. If not specified, it
             will be assumed as 24.
             This format is particularly useful to handle sparse address sets
             within a single rule. Because the matching occurs using a
             bitmask, it takes constant time and dramatically reduces the
             complexity of rulesets.
             As an example, an address specified as 1.2.3.4/24{128,35-55,89}
             will match the following IP addresses:
             1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .


Thanks
Robert
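
The following is an added example, not part of the original message and not ipfw's own parser: a POSIX shell function that expands an address set according to the man page text quoted above, so the addresses a rule is documented to cover can be listed before the rule is loaded. The function name `expand_set` is hypothetical; it assumes a dotted-quad base (no hostnames) and assumes list entries must fall inside the block selected by masklen.

```shell
#!/bin/sh
# expand_set SPEC: print one address per line for a set such as
# 1.2.3.4/24{128,35-55,89}; return 1 with a message if SPEC is malformed.
expand_set() {
    spec=$1
    case $spec in
        *'{'?*'}') ;;
        *) echo "not an address set: $spec" >&2; return 1 ;;
    esac
    base=${spec%%\{*}                  # e.g. 1.2.3.4/24
    list=${spec#*\{}; list=${list%\}}  # e.g. 128,35-55,89
    addr=${base%%/*}
    masklen=24                         # man page: assumed 24 when omitted
    case $base in */*) masklen=${base#*/} ;; esac
    case $masklen in
        2[4-9]|3[0-2]) ;;
        *) echo "masklen must be 24..32: $masklen" >&2; return 1 ;;
    esac
    case $addr in
        *[!0-9.]*|*.*.*.*.*|*.0[0-9]*|*.|.*|*..*)
            echo "bad base address: $addr" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "bad base address: $addr" >&2; return 1 ;;
    esac
    prefix=${addr%.*}; last=${addr##*.}
    [ "$last" -le 255 ] || { echo "bad base address: $addr" >&2; return 1; }
    # masklen limits the set: /24 allows last bytes 0-255, /28 a block of 16.
    size=$((1 << (32 - $masklen)))
    low=$(($last / $size * $size)); high=$(($low + $size - 1))
    old_ifs=$IFS; IFS=,; set -f; set -- $list; set +f; IFS=$old_ifs
    first=1
    for item in "$@"; do
        # Spaces are allowed directly after a comma and nowhere else.
        [ "$first" -eq 1 ] || while [ "${item# }" != "$item" ]; do item=${item# }; done
        first=0
        case $item in
            ''|*[!0-9-]*|-*|*-|*-*-*|0[0-9]*|*-0[0-9]*)
                echo "bad list element: '$item'" >&2; return 1 ;;
        esac
        lo=${item%-*}; hi=${item#*-}   # a single entry gives lo = hi
        if [ "$lo" -gt "$hi" ] || [ "$lo" -lt "$low" ] || [ "$hi" -gt "$high" ]; then
            echo "element $item outside $low-$high" >&2; return 1
        fi
        i=$lo
        while [ "$i" -le "$hi" ]; do echo "$prefix.$i"; i=$(($i + 1)); done
    done
}
```

Given the set from the rule above exactly as it appears in this archive, the function stops at the element `156-19 9`, because that element contains a space. The page does not show whether that space was in the original ruleset or was introduced when the mail was wrapped.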


