Date: Mon, 13 Aug 2001 16:56:04 +0300
From: Peter Pentchev <roam@ringlet.net>
To: default - Subscriptions <default013subscriptions@hotmail.com>
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Easy IPFW question...
Message-ID: <20010813165603.B1119@ringworld.oblivion.bg>
In-Reply-To: <OE26Wd7KKQpQq5pneeF0000b932@hotmail.com>; from default013subscriptions@hotmail.com on Mon, Aug 13, 2001 at 02:12:29AM -0500
References: <OE26Wd7KKQpQq5pneeF0000b932@hotmail.com>
On Mon, Aug 13, 2001 at 02:12:29AM -0500, default - Subscriptions wrote:
> Hi,
>
> I'm kinda new to IPFW, and I was unable to figure this out by myself...
>
> I want to block an I.P. range, say 192.168.0.1, with a netmask of
> 255.255.0.0 ...
>
> The rule I tried was this:
> ipfw add deny log all from 192.168.0.1/16 to any via ed0

Try 192.168.0.0/16 - the bits that are zeroed in the netmask must also be zeroed in the address.

This is so because of the way the address/netmask calculations are performed: when an address, say 192.168.5.12, is tested against a 192.168.0.0/16 combination, a bitwise 'and' operation is performed between the address to check (192.168.5.12) and the netmask (255.255.0.0). Then, the result - 192.168.0.0 - is compared to the network address that you have specified. Since the 'and' operation clears the last 16 bits, a network address of 192.168.0.1 cannot match anything - it has its last bit set.

Try 192.168.0.0/16, it will probably work. If it fails, try 192.168.0.0/255.255.0.0.

G'luck,
Peter

--
I am the meaning of this sentence.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
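The address/netmask comparison described in the reply above, written out as an added example (this is not code from the original mail nor from ipfw itself; the function names are my own). It shows why a rule written with 192.168.0.1/16 as its network address never matches, and how to normalise the address before using it.

```python
# Added example, not part of the original mail: the (addr AND mask) == network
# test that Peter describes, applied to the poster's rule.
import ipaddress


def to_int(dotted: str) -> int:
    """Pack a dotted-quad IPv4 address into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def prefix_to_mask(prefix_len: int) -> int:
    """Build the 32-bit netmask for a /N prefix (16 -> 255.255.0.0)."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def rule_matches(addr: str, network: str, prefix_len: int) -> bool:
    """The firewall's test: AND the packet address with the mask, then compare
    the result with the network address exactly as written in the rule."""
    mask = prefix_to_mask(prefix_len)
    return (to_int(addr) & mask) == to_int(network)


def host_bits_set(network: str, prefix_len: int) -> bool:
    """True when the written network address has bits set outside the mask,
    i.e. it is an address like 192.168.0.1/16 that can never be matched."""
    try:
        ipaddress.ip_network(f"{network}/{prefix_len}", strict=True)
    except ValueError:
        return True
    return False


def normalise_network(network: str, prefix_len: int) -> str:
    """Clear the host bits so the address is valid for the mask:
    192.168.0.1/16 becomes 192.168.0.0."""
    net = ipaddress.ip_network(f"{network}/{prefix_len}", strict=False)
    return str(net.network_address)


if __name__ == "__main__":
    # Constructed sample: the poster's rule versus the corrected one.
    for net in ("192.168.0.1", "192.168.0.0"):
        print(f"{net}/16 matches 192.168.5.12: {rule_matches('192.168.5.12', net, 16)}")
        print(f"{net}/16 matches 192.168.0.1:  {rule_matches('192.168.0.1', net, 16)}")
    print("normalised:", normalise_network("192.168.0.1", 16))
```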