Date: Tue, 2 Dec 2003 15:52:23 -0500 From: "Kerry B. Rogers" <kbrogers@tinkertoys.net> To: <freebsd-bugs@freebsd.org> Subject: hosts.allow not always working... misses some IPs Message-ID: <006701c3b916$39a1f400$0400a8c0@internalprocess>
next in thread | raw e-mail | index | archive | help
>>Kerry B. Rogers wrote:
>>>>[...]
>>>>I think the netmask is wrong. When you apply the third octet of the
>>>>netmask (251) to the IP address (220) the result will be 216, which is
>>>>then compared with 220. Since the numbers differ the rule doesn't
>>>>apply, which is to be expected.
>>>>
>>>>Are you sure that the netmask's third octet shouldn't have been 254, 252
>>>>or 248 instead for proper masking, depending on the range of addresses
>>>>you'd like to cover?
>>>
>>> Uwe... how did you come up with netmask 251 applied to 220 equals 216? I'm
>>> confused about how one
>>> would determine the proper netmask. I think my formula is wrong and would
>>> like to get it right. I'm trying to convert the ARIN data line:
>>>
>>> arin|CA|ipv4|199.185.220.0|1280|19940222|assigned
>>>
>>> to a hosts.allow line and come up with:
>>>
>>> smtp : 199.185.220.0/255.255.251.0 : deny
>>>
>>> using the formula:
>>>
>>> MaskFromIPRange = DoubleToIPAddress(IPAddressToDouble("255.255.255.255") -
>>> (IPAddressToDouble(strLastIP) - IPAddressToDouble(strFirstIP)))
>>>
>>> or, translated symbolically:
>>>
>>> Mask = 255.255.255.255 - 199.185.224.255 - 199.185.220.0
>>>
>>> which (mathematically) is:
>>>
>>> Mask = 4294967295 - 3350847743 - 3350846464
>>>
>>> I guess using 255.255.255.255 and subtracting the difference of the IP range
>>> is not the proper way to arrive at a netmask. What is? Anyone?
>>
>>Netmasks are supposed to be calculated bit-wise, not by subtraction, and
>>they can cover only address ranges that are a power of two. So you need
>>two ranges in your case: the first 1024 addresses and the remaining 256
>>(adds up to 1280). In C syntax the formular for the netmask would be:
>>
>> netmask = ^(number_of_addresses - 1);
>>
>>This results in
>>
>> smtp : 199.185.220.0/255.255.252.0 199.185.224.0/255.255.255.0 : deny
>>
>>If you don't have a calculator with a binary mode you can easily do this
>>bit by bit on a piece of paper. First write down 1023 (1024 - 1) in
>>binary form (all 32 bits representing an IPv4 address), then invert the
>>bits, and finally convert them back into a decimal number. Do the same
>>for the second range (256 - 1), and adapt the base address for this
>>range accordingly.
>>
>>Hope this explanation was clear enough.
>>
>> Uwe
Uwe, thanks so very much for helping me out here. If I have you correct, then the following would be correct, right?:
arin|US|ipv4|24.30.0.0|24576|0|allocated
smtp : 24.30.0.0/255.255.192.0 24.30.64.0/255.255.224.0 : deny
Thanks,
Kerry
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?006701c3b916$39a1f400$0400a8c0>