Date:      Wed, 24 Dec 2003 16:38:09 +1000
From:      "Robert Chalmers" <robert@the-mission-of-our-lady-of-fatima.org>
To:        "security" <freebsd-security@freebsd.org>
Subject:   Re: address specified as 1.2.3.4/24{128,35-55,89} Is this Correct????
Message-ID:  <000001c3c9fb$47129400$1a6001cb@chalmers.com.au>
References:  <004301c3c9d3$b0219860$1a6001cb@chalmers.com.au> <103305460579.20031223222411@vkt.lt>

Hi,
Sorry, that must have been just word wrap.

203.1.96.0/24{6-25,27-154,156-199,204-254} in via ${oif}

It is actually one line, no spaces or gaps.

${fwcmd} add deny log all from any to 203.1.96.0/24{6-25,27-154,156-199,204-254} in via ${oif}

This command kills the whole thing? Strange.

Robert
  ----- Original Message -----
  From: hugle
  To: Robert Chalmers ; security
  Sent: Wednesday, December 24, 2003 4:24 PM
  Subject: Re: address specified as 1.2.3.4/24{128,35-55,89} Is this Correct????


  RC> The man page gives this example, however, when I attempt to use it, it seems
  RC> to block the whole set?

  RC> Could someone tell me what's going wrong here please. Thanks heaps..

  RC> This works,
  RC>         ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}

  RC> This blocks the whole IP block, not just the list?
  RC>        ${fwcmd} add deny log all from any to
  RC> 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}

  maybe "156-19 9" ? You have a space ( " " ) in here, so try out:
  ${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-199,204-254} in via ${oif}
  RC> the man page bit...



  RC>      list: {num | num-num}[,list]
  RC>              Matches all addresses with base address addr (specified as a
  RC>              dotted quad or a hostname) and whose last byte is in the list
  RC>              between braces { } .  Note that there must be no spaces between
  RC>              braces and numbers (spaces after commas are allowed).  Elements
  RC>              of the list can be specified as single entries or ranges.  The
  RC>              masklen field is used to limit the size of the set of addresses,
  RC>              and can have any value between 24 and 32. If not specified, it
  RC>              will be assumed as 24.
  RC>              This format is particularly useful to handle sparse address sets
  RC>              within a single rule. Because the matching occurs using a bitmask,
  RC>              it takes constant time and dramatically reduces the complexity
  RC>              of rulesets.
  RC>              As an example, an address specified as 1.2.3.4/24{128,35-55,89}
  RC>              will match the following IP addresses:
  RC>              1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .


  RC> Thanks
  RC> Robert
  RC> _______________________________________________
  RC> freebsd-security@freebsd.org mailing list
  RC> http://lists.freebsd.org/mailman/listinfo/freebsd-security
  RC> To unsubscribe, send any mail to
  RC> "freebsd-security-unsubscribe@freebsd.org"







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000001c3c9fb$47129400$1a6001cb>
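
Added example, not part of the original messages and not ipfw's own code: a Python pre-flight check for the address-set notation in the quoted man page text. It expands an `addr/masklen{list}` word into the addresses it names and rejects stray whitespace such as `156-19 9`, so a rule's intended coverage can be reviewed before it is loaded. The helper name `expand_address_set` is hypothetical, and requiring every listed last byte to fall inside `addr/masklen` is this example's assumption about how masklen limits the set.

```python
import ipaddress
import re

# addr[/masklen]{list}, the form described in the quoted man page text
SET_RE = re.compile(r"([0-9]{1,3}(?:\.[0-9]{1,3}){3})(?:/([0-9]{1,2}))?\{([^{}]*)\}")
ITEM_RE = re.compile(r"([0-9]{1,3})(?:-([0-9]{1,3}))?")


def expand_address_set(spec):
    """Hypothetical helper: sorted addresses named by addr[/masklen]{list}."""
    m = SET_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"not a single addr/masklen{{list}} word: {spec!r}")
    addr, masklen, items = m.group(1), int(m.group(2) or 24), m.group(3)
    if not 24 <= masklen <= 32:
        raise ValueError(f"masklen must be between 24 and 32, got {masklen}")
    net = ipaddress.ip_network(f"{addr}/{masklen}", strict=False)
    prefix = addr.rsplit(".", 1)[0]

    last_bytes = set()
    for i, item in enumerate(items.split(",")):
        if i > 0:
            item = item.lstrip(" ")  # spaces after commas are allowed
        im = ITEM_RE.fullmatch(item)
        if not im:  # e.g. "156-19 9", or a space next to a brace
            raise ValueError(f"bad list element {item!r}")
        lo = int(im.group(1))
        hi = int(im.group(2) or im.group(1))
        if lo > hi or hi > 255:
            raise ValueError(f"bad range {item!r}")
        last_bytes.update(range(lo, hi + 1))

    addresses = []
    for b in sorted(last_bytes):
        ip = ipaddress.ip_address(f"{prefix}.{b}")
        if ip not in net:  # assumption: entries must lie inside addr/masklen
            raise ValueError(f"{ip} is outside {net}")
        addresses.append(str(ip))
    return addresses


if __name__ == "__main__":
    # Constructed inputs: the rule's address word with and without the stray space
    for word in ("203.1.96.0/24{2,6-25,27-154,156-199,204-254}",
                 "203.1.96.0/24{2,6-25,27-154,156-19 9,204-254}"):
        try:
            print(word, "->", len(expand_address_set(word)), "addresses")
        except ValueError as err:
            print(word, "-> rejected:", err)
```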