Date: Wed, 24 Dec 2003 16:38:09 +1000
From: "Robert Chalmers" <robert@the-mission-of-our-lady-of-fatima.org>
To: "security" <freebsd-security@freebsd.org>
Subject: Re: address specified as 1.2.3.4/24{128,35-55,89} Is this Correct????
Message-ID: <000001c3c9fb$47129400$1a6001cb@chalmers.com.au>
References: <004301c3c9d3$b0219860$1a6001cb@chalmers.com.au> <103305460579.20031223222411@vkt.lt>
Hi,
Sorry, that must have been just word wrap.
203.1.96.0/24{6-25,27-154,156-199,204-254} in via ${oif}
It is actually one line, no spaces or gaps.
${fwcmd} add deny log all from any to 203.1.96.0/24{6-25,27-154,156-199,204-254} in via ${oif}
This command kills the whole thing? Strange.
Robert
----- Original Message -----
From: hugle
To: Robert Chalmers ; security
Sent: Wednesday, December 24, 2003 4:24 PM
Subject: Re: address specified as 1.2.3.4/24{128,35-55,89} Is this Correct????
RC> The man page gives this example, however, when I attempt to use it, it seems
RC> to block the whole set?
RC> Could someone tell me what's going wrong here please. Thanks heaps..
RC> This works,
RC> ${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}
RC> This blocks the whole IP block, not just the list?
RC> ${fwcmd} add deny log all from any to
RC> 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}
Maybe "156-19 9"? You have a space (" ") in here, so try out:
${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-199,204-254} in via ${oif}
RC> the man page bit...
RC> list: {num | num-num}[,list]
RC> Matches all addresses with base address addr (specified as a
RC> dotted quad or a hostname) and whose last byte is in the list
RC> between braces { } . Note that there must be no spaces between
RC> braces and numbers (spaces after commas are allowed). Elements
RC> of the list can be specified as single entries or ranges. The
RC> masklen field is used to limit the size of the set of addresses,
RC> and can have any value between 24 and 32. If not specified, it
RC> will be assumed as 24.
RC> This format is particularly useful to handle sparse address sets
RC> within a single rule. Because the matching occurs using a
RC> bitmask, it takes constant time and dramatically reduces the
RC> complexity of rulesets.
RC> As an example, an address specified as 1.2.3.4/24{128,35-55,89}
RC> will match the following IP addresses:
RC> 1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .
RC> Thanks
RC> Robert
RC> _______________________________________________
RC> freebsd-security@freebsd.org mailing list
RC> http://lists.freebsd.org/mailman/listinfo/freebsd-security
RC> To unsubscribe, send any mail to
RC> "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000001c3c9fb$47129400$1a6001cb>
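Added example, not part of the original thread and not ipfw's own code: a small Python checker that expands an address-set spec as the quoted man page text describes it, so a rule's destination list can be inspected before the rule is loaded. The function name expand_address_set is hypothetical, hostnames are not handled, and rejecting list elements that fall outside the masklen block is an assumption.

```python
import ipaddress
import re

# Grammar from the quoted man page: addr[/masklen]{list}, list: {num | num-num}[,list]
_SPEC = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\{([^{}]*)\}$")
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def expand_address_set(spec):
    """Return the addresses named by an address-set spec, sorted by last byte."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError("not of the form addr/masklen{list}: %r" % spec)
    addr, masklen, body = m.group(1), int(m.group(2) or 24), m.group(3)
    if not 24 <= masklen <= 32:
        raise ValueError("masklen must be between 24 and 32")
    net = ipaddress.ip_network("%s/%d" % (addr, masklen), strict=False)
    base = int(net.network_address)
    low = base & 0xFF                      # first last-byte value in the block
    high = low + net.num_addresses - 1     # last last-byte value in the block
    last_bytes = set()
    for i, raw in enumerate(body.split(",")):
        # Spaces are allowed after a comma, nowhere else inside the braces.
        item = raw.lstrip(" ") if i else raw
        im = _ITEM.match(item)
        if not im:
            raise ValueError("bad list element %r (stray space?)" % raw)
        start = int(im.group(1))
        end = int(im.group(2) or im.group(1))
        # Assumption: elements outside the masklen block are an error.
        if start > end or start < low or end > high:
            raise ValueError("element %r outside %d-%d" % (item, low, high))
        last_bytes.update(range(start, end + 1))
    return [str(ipaddress.ip_address(base - low + b)) for b in sorted(last_bytes)]


if __name__ == "__main__":
    # Specs taken from the thread; the second one contains the wrapped space.
    for spec in ("1.2.3.4/24{128,35-55,89}",
                 "203.1.96.0/24{6-25,27-154,156-199,204-254}",
                 "203.1.96.0/24{2,6-25,27-154,156-19 9,204-254}"):
        try:
            hosts = expand_address_set(spec)
            print(spec, "->", len(hosts), "addresses,", hosts[0], "..", hosts[-1])
        except ValueError as exc:
            print(spec, "-> rejected:", exc)
```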
