Date: Sun, 04 Apr 2010 11:02:29 -0400
From: Ashley <ashley@cpufight.com>
To: freebsd-questions@freebsd.org
Subject: Re: Configuring IPFW IP range
Message-ID: <4BB8AA05.3010506@cpufight.com>
In-Reply-To: <BLU0-SMTP98F509F01B77C70EA14F82931A0@phx.gbl>
References: <BLU0-SMTP98F509F01B77C70EA14F82931A0@phx.gbl>
On 04/04/2010 09:11 AM, Carmel NY wrote:
> This is my first attempt at configuring IPFW. I have it up and running;
> however, I am not quite sure how to accomplish configuring it to block
> an IP range.
>
> Assume an IP range: 219.128.0.0 to 219.137.255.255
>
> That is an actual range: CHINANET Guangdong province network
>
> I want to block the entire range. I am not sure how to do it in IPFW. I
> have read the 'man' pages; however, I am not getting the syntax correct
> since I cannot get the range added.

Carmel,

Have you tried something like what's mentioned in this excerpt quoted below?

Network-based filtering works similarly, and the network notation there utilizes either bitmasks or netmasks, for instance:

    add 2000 allow all from 192.168.0.0/16 to any
    add 2100 deny all from any to 10.0.0.0:255.0.0.0

The first rule allows all traffic from the network whose IP range is 192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A bitmask specifies how many bits from the network address (192.168.0.0) should remain the same for matching packets. In this instance, the first 16 bits out of the 32-bit address will remain the same, and as the first 16 bits happen to be the first two octets, 192.168, all addresses whose source addresses have the first two octets as 192.168 will be matched by this rule.

The second rule accomplishes a similar thing using netmasks. The netmask indicates how many bits from the indicated network address should be used for rule matching. In the above example, for rule two, the netmask is 255.0.0.0. Its first octet is set with high bits; in other words, the first 8 bits are set high. This indicates to ipfw(8) that only packets with the first 8 bits of the network address (10.0.0.0) should be matched. As the first 8 bits of the network address equal 10, then all packets whose destination addresses have a 10 for the first octet (all addresses between 10.0.0.0 and 10.255.255.255) will be matched by this rule, and then dropped, as indicated by the action.

(This excerpt is from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)

-- 
Ashley
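As an added example (not from Ashley's or Carmel's messages, nor from the HOWTO excerpt), the POSIX shell script below turns an arbitrary start/end range into the aligned CIDR blocks that ipfw accepts and prints, without running them, the matching `ipfw add ... deny` rules in the syntax the excerpt shows. The function names, the rule numbering from 2200 in steps of 10, and the `prefix2mask` helper for the `addr:mask` form are all this example's own choices; the range is the one from the question, which is not a single block and splits into a /13 plus a /15.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask, for ipfw's addr:mask form (e.g. 13 -> 255.248.0.0).
prefix2mask() {
  [ "$1" -eq 0 ] && { echo 0.0.0.0; return; }
  int2ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Split START..END into the minimal list of aligned CIDR blocks, one per line.
# Each block starts at the current address; widen the block (shorter prefix)
# while it stays aligned on its own size and does not run past END.
range2cidr() {
  start=$(ip2int "$1"); end=$(ip2int "$2")
  while [ "$start" -le "$end" ]; do
    len=32
    while [ "$len" -gt 0 ]; do
      size=$(( 1 << (33 - len) ))            # size of a block one bit wider
      if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
        break
      fi
      len=$(( len - 1 ))
    done
    echo "$(int2ip "$start")/$len"
    start=$(( start + (1 << (32 - len)) ))
  done
}

# Print (not execute) deny rules for the range, numbered from $3 in steps of 10.
ipfw_deny_range() {
  num=$3
  for cidr in $(range2cidr "$1" "$2"); do
    echo "ipfw add $num deny all from $cidr to any"
    num=$(( num + 10 ))
  done
}

# Range from the question above: two blocks, so two rules.
ipfw_deny_range 219.128.0.0 219.137.255.255 2200
```

Review the printed rules and their numbers against the existing ruleset (`ipfw list`) before pasting them in, since a deny rule numbered below an existing allow will take precedence.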