From owner-freebsd-security Thu May 9 15:44: 2 2002
Date: Thu, 9 May 2002 15:43:40 -0700
From: Derrick John Klise
To: Naughty Taz
Cc: security@freebsd.org
Subject: Re: IPFW and IP/mask mathematics
Message-ID: <20020509154340.A8964@leaf.lumiere.net>
References: <200205091557.13783.dowen@pstis.com> <004d01c1f7ae$e752ad90$626a003e@homepc>
In-Reply-To: <004d01c1f7ae$e752ad90$626a003e@homepc>; from naughty_taz@hotmail.com on Fri, May 10, 2002 at 01:11:51AM +0200

On Fri, May 10, 2002 at 01:11:51AM +0200, Naughty Taz wrote:
> Hehehehe :)
>
> That was not my intention of course. Observe:
>
> 1) allow traffic from ANY to IP's in the range (0.0.0.0 - XXX.128.0.0)
> 2) block traffic from ANY to IP's in the range (XXX.128.0.0 - XXX.146.159.255)
> 3) allow traffic from ANY to IP's in the range (XXX.146.160.0 - 255.255.255.255)
>
> Is it more clear now?
>
> /Taz
>

Well, first try here to find the subnet numberings of the ranges that
you want:

http://www.telusplanet.net/public/sparkman/netcalc.htm

I think they also have a more detailed explanation of the dotted decimal
versus the number of bits (a.b.c.d/e) somewhere on the related pages if
you're interested.

Anywho, then take the resulting mask (a.b.c.d/e) and just write the rules
as you normally would:

    ipfw add deny tcp from 1.2.3.0/24 to any

The above would deny tcp from 1.2.3.0 through 1.2.3.255 to any.
--
Derrick John Klise
"I went into a general store, and they wouldn't sell me anything specific".
 -- Steven Wright

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message