From: David Siebörger
To: Ian Kettleborough
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 7 Nov 2002 12:31:40 +0200
Subject: Re: How do I need with ipfw to block this

At 10:45 PM on Wednesday 6 November 2002, Ian Kettleborough wrote:
> I need to block a complete site:
>
> xxx.1.0.0 thru xxx.100.255.255
>
> I understand how to use ipfw but I need some help in figuring out this one?
>
> ipfw add xx deny ip from xxx.1.0.0/zz to any
>
> The zz is what I cannot figure out for this group of IP's.

This is why it pays to allocate IP blocks on CIDR boundaries, rather
than decimal round numbers.
You could use rules like this:

    100 deny ip from xxx.1.0.0/16 to any
    100 deny ip from xxx.2.0.0/15 to any
    100 deny ip from xxx.4.0.0/14 to any
    100 deny ip from xxx.8.0.0/13 to any
    100 deny ip from xxx.16.0.0/12 to any
    100 deny ip from xxx.32.0.0/11 to any
    100 deny ip from xxx.64.0.0/11 to any
    100 deny ip from xxx.96.0.0/14 to any
    100 deny ip from xxx.100.0.0/16 to any

If you include xxx.0.0.0 to xxx.0.255.255, that simplifies to:

    100 deny ip from xxx.0.0.0/11 to any
    100 deny ip from xxx.32.0.0/11 to any
    100 deny ip from xxx.64.0.0/11 to any
    100 deny ip from xxx.96.0.0/14 to any
    100 deny ip from xxx.100.0.0/16 to any

Alternatively:

    100 skipto 102 ip from xxx.0.0.0/16 to any
    100 skipto 102 ip from xxx.101.0.0/16 to any
    100 skipto 102 ip from xxx.102.0.0/15 to any
    100 skipto 102 ip from xxx.104.0.0/13 to any
    100 skipto 102 ip from xxx.112.0.0/12 to any
    101 deny ip from xxx.0.0.0/9 to any

There are many CIDR calculators (such as net/cidr) available to do this
sort of maths.

-- 
David Siebörger
drs@rucus.ru.ac.za
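
Added example, not part of the original message: a small Python calculator that splits an arbitrary address range into CIDR blocks and prints both rule styles shown in the reply (a direct deny list, and the skipto form that denies the smallest enclosing block after exempting the addresses outside the range). The first octet 10 is a constructed stand-in for the elided "xxx", and the function names are hypothetical.

```python
import ipaddress

def _int(addr):
    # Accepts a dotted string, an int, or an IPv4Address.
    return int(ipaddress.IPv4Address(addr))

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    lo, hi = _int(first), _int(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    blocks = []
    while lo <= hi:
        # A block starting at lo can be no larger than lo's alignment
        # (its lowest set bit) and no larger than what remains of the range.
        size = lo & -lo if lo else 1 << 32
        while size > hi - lo + 1:
            size >>= 1
        blocks.append(ipaddress.IPv4Network((lo, 33 - size.bit_length())))
        lo += size
    return blocks

def enclosing_block(first, last):
    """Smallest single CIDR block that contains the whole range."""
    lo, hi = _int(first), _int(last)
    prefix = 32 - (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, prefix), strict=False)

def ipfw_rules(first, last, num=100):
    """Return (direct, inverted) rule lists in the style used in the reply."""
    lo, hi = _int(first), _int(last)
    direct = [f"{num} deny ip from {n} to any" for n in range_to_cidrs(lo, hi)]
    outer = enclosing_block(lo, hi)
    start, end = int(outer.network_address), int(outer.broadcast_address)
    spared = []  # parts of the enclosing block that lie outside the range
    if start < lo:
        spared += range_to_cidrs(start, lo - 1)
    if hi < end:
        spared += range_to_cidrs(hi + 1, end)
    inverted = [f"{num} skipto {num + 2} ip from {n} to any" for n in spared]
    inverted.append(f"{num + 1} deny ip from {outer} to any")
    return direct, inverted

if __name__ == "__main__":
    # Constructed input: 10 stands in for the elided first octet "xxx".
    for rules in ipfw_rules("10.1.0.0", "10.100.255.255"):
        print("\n".join(rules), end="\n\n")
```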