Date: Tue, 2 Dec 2003 01:48:03 -0500
From: "Kerry B. Rogers" <kbrogers@tinkertoys.net>
To: <freebsd-bugs@freebsd.org>
Subject: hosts.allow not always working... misses some IPs
Message-ID: <000d01c3b8a0$40a35530$0400a8c0@internalprocess>

> Kerry B. Rogers wrote:
> > Dear Whomever,
> >
> > I received an e-mail with the following header fragment:
> >
> > ====== cut here =======
> > Received: from priv-edtnes11-hme0.telusplanet.net (outbound03.telus.net
> > [199.185.220.222])
> > by tinkertoys.net (8.12.10/8.11.6) with ESMTP id hANMNpKS021237;
> > Sun, 23 Nov 2003 15:23:51 -0700 (MST)
> >
> > ====== cut here =======
> >
> > In my hosts.allow file (which usually rejects domains just fine) I have:
> >
> > ====== cut here =======
> > smtp : 199.185.220.0/255.255.251.0 : deny
> > ====== cut here =======
> >
> > The above listed e-mail should have been rejected but it wasn't. Is this a
> > bug? Is a 975K host.allow file creating this problem? Please help...
>
> I think the netmask is wrong. When you apply the third octet of the
> netmask (251) to the IP address (220) the result will be 216, which is
> then compared with 220. Since the numbers differ the rule doesn't
> apply, which is to be expected.
>
> Are you sure that the netmask's third octet shouldn't have been 254, 252
> or 248 instead for proper masking, depending on the range of addresses
> you'd like to cover?
>
> Uwe

Uwe... how did you come up with netmask 251 applied to 220 equals 216?

I'm confused about how one would determine the proper netmask. I think my
formula is wrong and would like to get it right.

I'm trying to convert the ARIN data line:

    arin|CA|ipv4|199.185.220.0|1280|19940222|assigned

to a hosts.allow line and come up with:

    smtp : 199.185.220.0/255.255.251.0 : deny

using the formula:

    MaskFromIPRange = DoubleToIPAddress(IPAddressToDouble("255.255.255.255") - (IPAddressToDouble(strLastIP) - IPAddressToDouble(strFirstIP)))

or, translated symbolically:

    Mask = 255.255.255.255 - 199.185.224.255 - 199.185.220.0

which (mathematically) is:

    Mask = 4294967295 - 3350847743 - 3350846464

I guess using 255.255.255.255 and subtracting the difference of the IP range
is not the proper way to arrive at a netmask. What is? Anyone?

Thanks,

Kerry
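
The masking described in the quoted reply and the range-to-netmask conversion asked about above, as an added example that is not part of the original message or of any FreeBSD code. It goes beyond the single rule in the thread by splitting any start/count range into blocks with contiguous netmasks; the function names are hypothetical, and the match test assumes the address-AND-mask comparison the reply describes.

```python
import ipaddress

def wrappers_match(addr, net, mask):
    """net/mask test as the reply describes it: (addr AND mask) == net."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == n

def is_contiguous_mask(mask):
    """A usable netmask is a run of 1 bits followed only by 0 bits."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # The host part must look like 0...01...1, so adding 1 clears every bit.
    return (inverted & (inverted + 1)) == 0

def arin_to_rules(line, daemon="smtp", action="deny"):
    """Turn one ARIN delegation record into hosts.allow lines.

    A count that is not a power of two (1280 here) cannot be covered by
    one netmask, so the range is split into the fewest aligned blocks.
    """
    _reg, _cc, family, start, count, _date, _status = line.strip().split("|")
    if family != "ipv4":
        raise ValueError("only ipv4 records are handled in this example")
    first = ipaddress.IPv4Address(start)
    last = first + (int(count) - 1)
    return [
        f"{daemon} : {net.network_address}/{net.netmask} : {action}"
        for net in ipaddress.summarize_address_range(first, last)
    ]

if __name__ == "__main__":
    record = "arin|CA|ipv4|199.185.220.0|1280|19940222|assigned"  # from the message
    sender = "199.185.220.222"                                    # from the Received: header
    # Third octet only: 220 AND 251 = 216, so the rule's network never matches.
    print("220 & 251 =", 220 & 251)
    print("251 mask contiguous:", is_contiguous_mask("255.255.251.0"))
    print("old rule matches sender:",
          wrappers_match(sender, "199.185.220.0", "255.255.251.0"))
    for rule in arin_to_rules(record):
        print(rule)
```
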