Date: Wed, 18 Sep 1996 16:21:01 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: adam@veda.is (Adam David)
Cc: freebsd-hackers@freebsd.org
Subject: Re: IPFW !IP#
Message-ID: <199609180621.XAA26942@freefall.freebsd.org>
In-Reply-To: <199609180251.CAA11480@veda.is> from "Adam David" at Sep 18, 96 02:51:28 am
In some mail from Adam David, sie said:
>
> I can implement exclusion of a block of IP addresses at low execution cost.
> Does anyone dislike this idea? Which flags mask would be more preferred for
> this purpose, 0xc000 or 0x0003? (does anything already use 0x0003?)
> Are the unused flags perhaps reserved for something more useful than this?
>
> # ipfw add deny all from !${my_network}:${my_netmask} to any out via ${gate_if}
> # ipfw add deny all from any to !${my_network}:${my_netmask} in via ${gate_if}
>
> This set of 2 rules would otherwise take 48 rules to enforce for a class C
> network with a single domain gateway, for instance.

This is just rule writing.  How about:

# ipfw add pass all from ${my_network}:${my_netmask} to any out via ${gate_if}
# ipfw add pass all from any to ${my_network}:${my_netmask} in via ${gate_if}
# ipfw add deny all from any to any out via ${gate_if}
# ipfw add deny all from any to any in via ${gate_if}

Darren
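The two rule sets in this exchange (Adam's negated-address denies and Darren's pass-known-then-deny-everything rewrite) are equivalent only because ipfw evaluates rules top to bottom and the first match wins. The following toy filter is an added illustration by the editor, not code from the thread, from ipfw, or from either author: it models just the fields the quoted rules use (source, destination, direction, interface), evaluates both rule sets over a handful of constructed packets, and then shows the one practical difference. The network 10.0.0.0/24, the interface name `ed0`, the packets and the later host-specific deny are all assumptions made up for the example, not anything stated in the thread.

```python
"""Toy first-match packet filter comparing the two ipfw rule styles above.

Added illustration only: not the thread's code and not ipfw itself. It
models the fields the quoted rules use (src, dst, in/out, via interface)
and evaluates rules top to bottom, first match wins, as ipfw does.
The network, interface name and packets are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "in" or "out"
    iface: str       # interface the packet traverses ("via")


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "deny"
    src: str = "any"                 # CIDR, "any", or "!CIDR" (negated)
    dst: str = "any"
    direction: Optional[str] = None  # "in", "out", or None for either
    iface: Optional[str] = None      # "via" interface, or None for any


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against "any", a CIDR network, or a negated CIDR."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)


def evaluate(rules: list[Rule], pkt: Packet, default: str = "pass") -> str:
    """First matching rule decides; `default` stands in for whatever the
    rest of a real ruleset (or ipfw's final rule) would do."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


MY_NET = "10.0.0.0/24"   # assumed ${my_network}:${my_netmask}
GATE = "ed0"             # assumed ${gate_if}

# Adam's form: deny anything whose address is outside the local net.
negated_rules = [
    Rule("deny", src="!" + MY_NET, direction="out", iface=GATE),
    Rule("deny", dst="!" + MY_NET, direction="in", iface=GATE),
]

# Darren's form: pass the local net explicitly, then deny the rest.
pass_then_deny_rules = [
    Rule("pass", src=MY_NET, direction="out", iface=GATE),
    Rule("pass", dst=MY_NET, direction="in", iface=GATE),
    Rule("deny", direction="out", iface=GATE),
    Rule("deny", direction="in", iface=GATE),
]

# Constructed sample traffic (RFC 5737 documentation ranges for outsiders).
PACKETS = [
    Packet("10.0.0.7", "198.51.100.1", "out", GATE),    # legitimate egress
    Packet("192.0.2.9", "198.51.100.1", "out", GATE),   # spoofed source leaving
    Packet("198.51.100.1", "10.0.0.7", "in", GATE),     # legitimate ingress
    Packet("198.51.100.1", "192.0.2.9", "in", GATE),    # transit/relay attempt
    Packet("192.0.2.9", "10.0.0.7", "out", "lo0"),      # other interface, untouched
]


def verdicts(rules: list[Rule], packets: list[Packet] = PACKETS) -> list[str]:
    return [evaluate(rules, p) for p in packets]


def rulesets_agree() -> bool:
    """Both forms give identical verdicts on traffic via the gateway."""
    return verdicts(negated_rules) == verdicts(pass_then_deny_rules)


# The difference: a more specific deny added *after* either block.
BLOCK_HOST = Rule("deny", src="10.0.0.5", direction="out", iface=GATE)  # assumed
BAD_PKT = Packet("10.0.0.5", "198.51.100.1", "out", GATE)


def later_deny_still_applies(rules: list[Rule]) -> bool:
    """True if a deny appended after `rules` still reaches BAD_PKT."""
    return evaluate(rules + [BLOCK_HOST], BAD_PKT) == "deny"
```

With ipfw's first-match semantics the two forms produce the same verdicts for every packet crossing the gateway interface, which is Darren's point. The trade-off `later_deny_still_applies` exposes is where the rules sit in a larger ruleset: the negated denies pass nothing, so traffic from the local network still falls through to later, more specific rules, whereas the explicit `pass` rules terminate evaluation for local traffic and any deny placed after them for a local host never fires.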