From owner-freebsd-hackers Tue Sep 17 19:51:46 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA28361 for hackers-outgoing; Tue, 17 Sep 1996 19:51:46 -0700 (PDT)
Received: from veda.is (root@ubiq.veda.is [193.4.230.60]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA28319 for ; Tue, 17 Sep 1996 19:51:41 -0700 (PDT)
Received: (from adam@localhost) by veda.is (8.7.5/8.7.3) id CAA11480 for freebsd-hackers@freebsd.org; Wed, 18 Sep 1996 02:51:30 GMT
From: Adam David
Message-Id: <199609180251.CAA11480@veda.is>
Subject: IPFW !IP#
To: freebsd-hackers@freebsd.org
Date: Wed, 18 Sep 1996 02:51:28 +0000 (GMT)
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I can implement exclusion of a block of IP addresses at low execution cost. Does anyone dislike this idea? Which flags mask would be more preferred for this purpose, 0xc000 or 0x0003? (Does anything already use 0x0003?) Are the unused flags perhaps reserved for something more useful than this?

# ipfw add deny all from !${my_network}:${my_netmask} to any out via ${gate_if}
# ipfw add deny all from any to !${my_network}:${my_netmask} in via ${gate_if}

This set of 2 rules would otherwise take 48 rules to enforce for a class C network with a single domain gateway, for instance.

--
Adam David
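As an added illustration (not the author's patch and not FreeBSD's ipfw source), the C sketch below matches packets against rules that carry hypothetical source/destination negation flags, encodes the two anti-spoofing rules above for a constructed 192.0.2.0/24 network, and shows why the complement of a /24 otherwise needs 24 positive prefix rules per direction. The flag names, bit positions and rule struct are assumptions.

```c
#include <stdint.h>

/* Hypothetical flag bits: the mail weighs 0xc000 against 0x0003 for the "!"
 * bits but names none, so these names and positions are assumptions. */
#define FW_F_IN      0x0001
#define FW_F_OUT     0x0002
#define FW_F_INVSRC  0x4000   /* "!" on the source address */
#define FW_F_INVDST  0x8000   /* "!" on the destination address */

struct fw_rule { uint32_t src, smask, dst, dmask; uint16_t flags; }; /* host order */
/* Prefix compare; the negation flag inverts the result. Mask 0 means "any". */
static int addr_match(uint32_t addr, uint32_t net, uint32_t mask, int invert)
{
    int hit = ((addr & mask) == (net & mask));
    return invert ? !hit : hit;
}

int rule_matches(const struct fw_rule *r, uint32_t src, uint32_t dst, int inbound)
{
    if (!(r->flags & (inbound ? FW_F_IN : FW_F_OUT)))
        return 0;
    return addr_match(src, r->src, r->smask, r->flags & FW_F_INVSRC) &&
           addr_match(dst, r->dst, r->dmask, r->flags & FW_F_INVDST);
}

/* Constructed stand-in for my_network/my_netmask: 192.0.2.0/24. */
static const uint32_t NET = 0xC0000200u, MASK = 0xFFFFFF00u;

/* The mail's two rules: deny out from !net to any; deny in from any to !net. */
int spoof_denied(uint32_t src, uint32_t dst, int inbound)
{
    struct fw_rule out_rule = { NET, MASK, 0, 0, FW_F_OUT | FW_F_INVSRC };
    struct fw_rule in_rule  = { 0, 0, NET, MASK, FW_F_IN | FW_F_INVDST };
    return rule_matches(&out_rule, src, dst, inbound) ||
           rule_matches(&in_rule, src, dst, inbound);
}

/* Without "!", the complement of a /n prefix takes n positive rules: rule i
 * flips bit i of the network under an (i+1)-bit mask, so 24 per direction for
 * a class C, hence the 48 quoted. Also reports whether any of them hits addr. */
int complement_rules(uint32_t net, int prefixlen, uint32_t addr, int *matched)
{
    *matched = 0;
    for (int i = 0; i < prefixlen; i++) {
        uint32_t m = 0xFFFFFFFFu << (31 - i);
        if ((addr & m) == ((net ^ (1u << (31 - i))) & m))
            *matched = 1;
    }
    return prefixlen;
}
```

Note that the inbound rule, as written in the mail, only checks the destination: an inbound packet claiming a source inside the local network is not caught by it, which is the usual reason to pair these rules with an ingress rule on the spoofed source.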