Date:      Tue, 23 Dec 2003 22:24:11 -0800
From:      hugle <hugle@vkt.lt>
To:        Robert Chalmers <robert@the-mission-of-our-lady-of-fatima.org>, security <freebsd-security@FreeBSD.org>
Subject:   Re: address specified as 1.2.3.4/24{128,35-55,89} Is this Correct ????
Message-ID:  <103305460579.20031223222411@vkt.lt>
In-Reply-To: <004301c3c9d3$b0219860$1a6001cb@chalmers.com.au>
References:  <004301c3c9d3$b0219860$1a6001cb@chalmers.com.au>

RC> The man page gives this example, however, when I attempt to use it, it seems
RC> to block the whole set?

RC> Could someone tell me what's going wrong here please. Thanks heaps..

RC> This works,
RC>         ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}

RC> This blocks the whole IP block, not just the list?
RC>        ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}

Maybe "156-19 9"? You have a space (" ") in here, so try out:
${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-199,204-254} in via ${oif}

RC> the man page bit...

RC>      list: {num | num-num}[,list]
RC>              Matches all addresses with base address addr (specified as a
RC>              dotted quad or a hostname) and whose last byte is in the list
RC>              between braces { } .  Note that there must be no spaces between
RC>              braces and numbers (spaces after commas are allowed).  Elements
RC>              of the list can be specified as single entries or ranges.  The
RC>              masklen field is used to limit the size of the set of addresses,
RC>              and can have any value between 24 and 32. If not specified, it
RC>              will be assumed as 24.
RC>              This format is particularly useful to handle sparse address sets
RC>              within a single rule. Because the matching occurs using a
RC>              bitmask, it takes constant time and dramatically reduces the
RC>              complexity of rulesets.
RC>              As an example, an address specified as 1.2.3.4/24{128,35-55,89}
RC>              will match the following IP addresses:
RC>              1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .


RC> Thanks
RC> Robert
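Added example, not part of the original thread and not ipfw's own code: a small Python checker that applies the rules in the man page excerpt quoted above (no spaces except after commas, masklen 24 to 32, default 24) and expands a spec into the addresses it names, so a rule can be checked before it is loaded. The name `expand_set` is hypothetical, only dotted-quad base addresses are handled, and treating masklen as the bound on the last-byte range is an assumption drawn from that excerpt.

```python
import ipaddress
import re

# addr[/masklen]{list}; the base address must be a dotted quad in this sketch.
SET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?\{([^{}]*)\}$")
ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")   # num or num-num, no spaces


def expand_set(spec):
    """Return the addresses named by an addr/masklen{list} spec, in order.

    Raises ValueError for anything the quoted man page text rules out.
    """
    m = SET_RE.match(spec)
    if not m:
        raise ValueError("not of the form addr[/masklen]{list}: %r" % spec)
    addr, masklen, body = m.group(1), int(m.group(2) or 24), m.group(3)
    if not 24 <= masklen <= 32:
        raise ValueError("masklen must be between 24 and 32")
    net = ipaddress.ip_network("%s/%d" % (addr, masklen), strict=False)
    # Assumption: masklen bounds the last byte to the masked base's range.
    low = int(net.network_address) & 0xFF
    high = low + net.num_addresses - 1
    prefix = int(net.network_address) & ~0xFF
    chosen = set()
    for n, item in enumerate(body.split(",")):
        if n > 0:
            item = item.lstrip(" ")   # spaces after commas are allowed
        im = ITEM_RE.match(item)
        if not im:
            raise ValueError("bad list element %r (stray space?)" % item)
        first = int(im.group(1))
        last = int(im.group(2) or first)
        if not (low <= first <= last <= high):
            raise ValueError("element %r outside %d-%d" % (item, low, high))
        chosen.update(range(first, last + 1))
    return [str(ipaddress.ip_address(prefix | b)) for b in sorted(chosen)]


if __name__ == "__main__":
    # Both specs are the ones posted in the thread above.
    good = "203.1.96.0/24{2,6-25,27-154,156-199,204-254}"
    print(len(expand_set(good)), "addresses matched by the corrected rule")
    try:
        expand_set("203.1.96.0/24{2,6-25,27-154,156-19 9,204-254}")
    except ValueError as err:
        print("rejected:", err)
```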