From owner-freebsd-questions Thu Aug 16 10:32:48 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id BFBD237B405; Thu, 16 Aug 2001 10:32:38 -0700 (PDT) (envelope-from cjc@earthlink.net)
Received: from blossom.cjclark.org (dialup-209.245.128.59.Dial1.SanJose1.Level3.net [209.245.128.59]) by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id KAA13902; Thu, 16 Aug 2001 10:31:58 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f7GGuFT05051; Thu, 16 Aug 2001 09:56:15 -0700 (PDT) (envelope-from cjc)
Date: Thu, 16 Aug 2001 09:56:15 -0700
From: "Crist J. Clark"
To: Nate Williams
Cc: Peter Pentchev, default - Subscriptions, freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: Easy IPFW question...
Message-ID: <20010816095615.C4232@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20010813165603.B1119@ringworld.oblivion.bg> <15224.895.861427.828038@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <15224.895.861427.828038@nomad.yogotech.com>; from nate@yogotech.com on Mon, Aug 13, 2001 at 10:42:39AM -0600
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Aug 13, 2001 at 10:42:39AM -0600, Nate Williams wrote:
> > > I'm kinda new to IPFW, and I was unable to figure this out by myself...
> > >
> > > I want to block an I.P. range, say 192.168.0.1, with a netmask of
> > > 255.255.0.0 ...
> > >
> > > The rule I tried was this:
> > > ipfw add deny log all from 192.168.0.1/16 to any via ed0
> >
> > Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be
> > also zeroed in the address.
>
> If so, then the ipfw parser is borken. :(
>
> It *shouldn't* matter what the last two bytes in this case are, as it
> doesn't matter to any of the other routing protocols.

I cannot reproduce this. On a 4.4-PRERELEASE system,

vegeta# ipfw add 1000 count ip from 192.168.0.1/16 to any
01000 count ip from 192.168.0.0/16 to any
vegeta# ipfw add 1001 count ip from 192.168.0.0/16 to any
01001 count ip from 192.168.0.0/16 to any
vegeta# ipfw sh
01000 12 1268 count ip from 192.168.0.0/16 to any
01001 12 1268 count ip from 192.168.0.0/16 to any
65000 17743 4318556 allow ip from any to any
65535 0 0 deny ip from any to any

The host bits are automatically zeroed in my first ipfw(8) command.

What version is the original poster using? What do the rules look like
when he does a 'show'? This might not be his problem at all.
--
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
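The behaviour shown in the session above (ipfw(8) silently zeroing the host bits of 192.168.0.1/16 so it becomes 192.168.0.0/16) is easy to reproduce outside the firewall, and the same masking is what a rule linter should do before a rule set is loaded: a non-canonical address is either harmless, as here, or a sign the author meant a /32 host rule and typed the wrong prefix. The following is an added example, not code from the thread or from FreeBSD; the function names, the regular expression for the addr/prefix token and the sample rule line are my own assumptions. It masks the address with the prefix by hand, cross-checks the result against Python's ipaddress module, and rewrites each addr/prefix token in an ipfw rule to its canonical form while reporting any token whose host bits were set.

```python
import ipaddress
import re

# Matches an "a.b.c.d/n" token inside an ipfw rule (assumption: rules are
# plain text in the "ipfw add ... from ADDR/PREFIX to ADDR/PREFIX" shape).
_ADDR_PREFIX = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")


def mask_prefix(addr: str, prefix: int) -> tuple[str, bool]:
    """Zero the host bits of an IPv4 address under a CIDR prefix length, the
    way ipfw(8) does when it parses ADDR/PREFIX.

    Returns (network_address, host_bits_were_set)."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")

    as_int = 0
    for o in octets:
        as_int = (as_int << 8) | o

    # A /16 mask is 0xFFFF0000: the top `prefix` bits set, the rest clear.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = as_int & mask

    net_str = ".".join(str((net >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return net_str, net != as_int


def agrees_with_ipaddress(addr: str, prefix: int) -> bool:
    """Cross-check the hand-rolled masking against the standard library.
    ip_network(strict=False) also zeroes host bits; strict=True refuses them."""
    net_str, _ = mask_prefix(addr, prefix)
    expected = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(expected.network_address) == net_str


def canonical_rule(rule: str) -> tuple[str, list[str]]:
    """Rewrite every ADDR/PREFIX token in an ipfw rule to its canonical
    (host-bits-zeroed) form and return the rewritten rule plus one warning
    per token whose host bits were not already zero."""
    warnings: list[str] = []

    def fix(m: re.Match) -> str:
        net, had_host_bits = mask_prefix(m.group(1), int(m.group(2)))
        if had_host_bits:
            warnings.append(
                f"{m.group(0)} has host bits set; ipfw will treat it as "
                f"{net}/{m.group(2)} (did you mean /32?)"
            )
        return f"{net}/{m.group(2)}"

    return _ADDR_PREFIX.sub(fix, rule), warnings


if __name__ == "__main__":
    # Constructed sample: the original poster's rule from the thread.
    sample = "deny log all from 192.168.0.1/16 to any via ed0"
    fixed, warns = canonical_rule(sample)
    print(fixed)
    for w in warns:
        print("warning:", w)
```

Running the block prints the rule as ipfw would store it, deny log all from 192.168.0.0/16 to any via ed0, together with a warning that the original token had host bits set. Feeding a whole rc.firewall through canonical_rule and diffing the output against the input is a cheap way to surface exactly the kind of ambiguity the thread is about before the rules go live.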