Date:      Thu, 7 Nov 2002 12:31:40 +0200
From:      David Siebörger <drs@rucus.ru.ac.za>
To:        Ian Kettleborough <ian@idk.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: How do I need with ipfw to block this
Message-ID:  <20021107103140.GD385@rucus.ru.ac.za>
In-Reply-To: <200211070645.WAA29688@idk.com>
References:  <200211070645.WAA29688@idk.com>

At 10:45 PM on Wednesday  6 November 2002, Ian Kettleborough wrote:
> I need to block a complete site:
> 
> xxx.1.0.0 thru xxx.100.255.255
> 
> I understand how to use ipfw but I need some help in figuring out this one?
> 
> ipfw add xx deny ip from xxx.1.0.0/zz to any
> 
> The zz is what I cannot figure out for this group of IP's.

This is why it pays to allocate IP blocks on CIDR boundaries, rather
than decimal round numbers.  You could use rules like this:

    100 deny ip from xxx.1.0.0/16 to any
    100 deny ip from xxx.2.0.0/15 to any
    100 deny ip from xxx.4.0.0/14 to any
    100 deny ip from xxx.8.0.0/13 to any
    100 deny ip from xxx.16.0.0/12 to any
    100 deny ip from xxx.32.0.0/11 to any
    100 deny ip from xxx.64.0.0/11 to any
    100 deny ip from xxx.96.0.0/14 to any
    100 deny ip from xxx.100.0.0/16 to any

If you include xxx.0.0.0 to xxx.0.255.255, that simplifies to:

    100 deny ip from xxx.0.0.0/11 to any
    100 deny ip from xxx.32.0.0/11 to any
    100 deny ip from xxx.64.0.0/11 to any
    100 deny ip from xxx.96.0.0/14 to any
    100 deny ip from xxx.100.0.0/16 to any

Alternatively:

    100 skipto 102 ip from xxx.0.0.0/16 to any
    100 skipto 102 ip from xxx.101.0.0/16 to any
    100 skipto 102 ip from xxx.102.0.0/15 to any
    100 skipto 102 ip from xxx.104.0.0/13 to any
    100 skipto 102 ip from xxx.112.0.0/12 to any
    101 deny ip from xxx.0.0.0/9 to any

There are many CIDR calculators (such as net/cidr) available to do
this sort of maths.


-- 
David Siebörger
drs@rucus.ru.ac.za
