From: "Kerry B. Rogers"
Date: Tue, 2 Dec 2003 15:52:23 -0500
Message-ID: <006701c3b916$39a1f400$0400a8c0@internalprocess>
Subject: hosts.allow not always working... misses some IPs
X-BeenThere: freebsd-bugs@freebsd.org

>>Kerry B. Rogers wrote:
>>>>[...]
>>>>I think the netmask is wrong. When you apply the third octet of the
>>>>netmask (251) to the IP address (220) the result will be 216, which is
>>>>then compared with 220. Since the numbers differ the rule doesn't
>>>>apply, which is to be expected.
>>>>
>>>>Are you sure that the netmask's third octet shouldn't have been 254, 252
>>>>or 248 instead for proper masking, depending on the range of addresses
>>>>you'd like to cover?
>>>
>>> Uwe... how did you come up with netmask 251 applied to 220 equals 216?
>>> I'm confused about how one would determine the proper netmask. I think
>>> my formula is wrong and would like to get it right. I'm trying to
>>> convert the ARIN data line:
>>>
>>> arin|CA|ipv4|199.185.220.0|1280|19940222|assigned
>>>
>>> to a hosts.allow line and come up with:
>>>
>>> smtp : 199.185.220.0/255.255.251.0 : deny
>>>
>>> using the formula:
>>>
>>> MaskFromIPRange = DoubleToIPAddress(IPAddressToDouble("255.255.255.255") -
>>> (IPAddressToDouble(strLastIP) - IPAddressToDouble(strFirstIP)))
>>>
>>> or, translated symbolically:
>>>
>>> Mask = 255.255.255.255 - 199.185.224.255 - 199.185.220.0
>>>
>>> which (mathematically) is:
>>>
>>> Mask = 4294967295 - 3350847743 - 3350846464
>>>
>>> I guess using 255.255.255.255 and subtracting the difference of the IP
>>> range is not the proper way to arrive at a netmask. What is? Anyone?
>>
>>Netmasks are supposed to be calculated bit-wise, not by subtraction, and
>>they can cover only address ranges that are a power of two. So you need
>>two ranges in your case: the first 1024 addresses and the remaining 256
>>(adds up to 1280). In C syntax the formula for the netmask would be:
>>
>> netmask = ~(number_of_addresses - 1);
>>
>>This results in
>>
>> smtp : 199.185.220.0/255.255.252.0 199.185.224.0/255.255.255.0 : deny
>>
>>If you don't have a calculator with a binary mode you can easily do this
>>bit by bit on a piece of paper. First write down 1023 (1024 - 1) in
>>binary form (all 32 bits representing an IPv4 address), then invert the
>>bits, and finally convert them back into a decimal number. Do the same
>>for the second range (256 - 1), and adapt the base address for this
>>range accordingly.
>>
>>Hope this explanation was clear enough.
>>
>> Uwe

Uwe, thanks so very much for helping me out here. If I have you correct,
then the following would be correct, right?:

arin|US|ipv4|24.30.0.0|24576|0|allocated

smtp : 24.30.0.0/255.255.192.0 24.30.64.0/255.255.224.0 : deny

Thanks,
Kerry
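
Added example, not part of the original thread and not code from either poster: the bit-wise method described in the reply above, written out in C so that an ARIN record (start address plus address count) becomes a list of aligned power-of-two net/mask patterns. It goes slightly beyond the thread by also handling start addresses that are not aligned to the block size; the names split_range and arin_to_rule are hypothetical, and the "smtp" service and "deny" action simply mirror the rules quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct block { uint32_t base, mask; };        /* host byte order */
/* Split [first, first + count) into blocks whose size is a power of two and
 * whose base is a multiple of that size. Returns blocks stored (at most max). */
int split_range(uint32_t first, uint32_t count, struct block *out, int max)
{
    int n = 0;
    while (count > 0 && n < max) {
        uint32_t size = first ? (first & (~first + 1)) : 0x80000000u; /* lowest set bit */
        while (size > count) size >>= 1;      /* shrink to what is left */
        out[n].base = first;
        out[n++].mask = ~(size - 1);          /* bit-wise formula from the reply */
        first += size;
        count -= size;
    }
    return n;
}

/* Build "smtp : net/mask ... : deny" from an ARIN record; -1 on parse error. */
int arin_to_rule(const char *rec, char *out, size_t len)
{
    unsigned a, b, c, d, count;
    struct block blk[64];
    if (sscanf(rec, "%*[^|]|%*[^|]|ipv4|%u.%u.%u.%u|%u", &a, &b, &c, &d, &count) != 5
        || a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    int n = split_range((a << 24) | (b << 16) | (c << 8) | d, count, blk, 64);
    size_t used = (size_t)snprintf(out, len, "smtp :");
    for (int i = 0; i < n && used < len; i++) {
        unsigned p = blk[i].base, m = blk[i].mask;
        used += (size_t)snprintf(out + used, len - used, " %u.%u.%u.%u/%u.%u.%u.%u",
            p >> 24, (p >> 16) & 255, (p >> 8) & 255, p & 255,
            m >> 24, (m >> 16) & 255, (m >> 8) & 255, m & 255);
    }
    if (used < len) snprintf(out + used, len - used, " : deny");
    return n;
}

int main(void)
{
    char line[256];   /* the record below is the first one quoted in the thread */
    if (arin_to_rule("arin|CA|ipv4|199.185.220.0|1280|19940222|assigned", line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

A range whose start is not a multiple of its size, or whose count is not a power of two, always expands to several patterns; a single net/mask pair cannot describe it, and a mask such as 255.255.251.0 silently matches a different set of addresses than the one intended.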