From: Ashley <ashley@cpufight.com>
Date: Sun, 04 Apr 2010 11:02:29 -0400
To: freebsd-questions@freebsd.org
Subject: Re: Configuring IPFW IP range
Message-ID: <4BB8AA05.3010506@cpufight.com>

On 04/04/2010 09:11 AM, Carmel NY wrote:
> This is my first attempt at configuring IPFW. I have it up and running;
> however, I am not quite sure how to accomplish configuring it to block
> an IP range.
>
> Assume an IP range: 219.128.0.0 to 219.137.255.255
>
> That is an actual range: CHINANET Guangdong province network
>
> I want to block the entire range. I am not sure how to do it in IPFW. I
> have read the 'man' pages; however, I am not getting the syntax correct
> since I cannot get the range added.

Carmel,

Have you tried something like what's mentioned in this excerpt quoted below?

    Network-based filtering works similarly, and the network notation
    there utilizes either bitmasks or netmasks, for instance:

        add 2000 allow all from 192.168.0.0/16 to any
        add 2100 deny all from any to 10.0.0.0:255.0.0.0

    The first rule allows all traffic from the network whose IP range is
    192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A
    bitmask specifies how many bits from the network address (192.168.0.0)
    should remain the same for matching packets. In this instance, the
    first 16 bits out of the 32-bit address will remain the same, and as
    the first 16 bits happen to be the first two octets, 192.168, all
    addresses whose source addresses have the first two octets as 192.168
    will be matched by this rule.

    The second rule accomplishes a similar thing using netmasks. The
    netmask indicates how many bits from the indicated network address
    should be used for rule matching. In the above example, for rule two,
    the netmask is 255.0.0.0. Its first octet is set with high bits; in
    other words, the first 8 bits are set high. This indicates to ipfw(8)
    that only packets whose first 8 bits match those of the network
    address (10.0.0.0) should be matched. As the first 8 bits of the
    network address equal 10, all packets whose destination addresses have
    a 10 for the first octet (all addresses between 10.0.0.0 and
    10.255.255.255) will be matched by this rule, and then dropped, as
    indicated by the action.

(This excerpt is from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)

-- 
Ashley
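Added worked example (not part of Ashley's reply or of the IPFW HOWTO): the excerpt explains prefix and netmask notation, but Carmel's range, 219.128.0.0 to 219.137.255.255, is not a single aligned block, so it has to be split into the CIDR prefixes ipfw can match on. The script below does that split for any inclusive IPv4 range, prints the matching netmask form, emits ipfw deny rules, and checks a few addresses against the result. The rule numbers (300, 310) and the `deny all from <net> to any` form are assumptions for illustration; pick numbers that sort before whatever allow rule would otherwise pass the traffic.

```python
"""Split an inclusive IPv4 range into the CIDR blocks ipfw(8) can match.

ipfw cannot take "219.128.0.0 to 219.137.255.255" as a range: a rule matches
on address/prefixlen or address:netmask. This helper (written for this
thread, not taken from the ipfw HOWTO) computes the minimal set of aligned
prefixes covering an arbitrary range and prints the corresponding rules.
"""
import ipaddress


def range_to_cidrs(first: str, last: str) -> list:
    """Minimal list of aligned prefixes covering first..last (inclusive).

    Greedy: at the current start address, take the largest block that is
    aligned to its own size and does not run past the end of the range.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    blocks = []
    while lo <= hi:
        plen = 32
        while plen > 0:
            size = 1 << (32 - plen + 1)  # size of the next larger block
            if lo % size != 0 or lo + size - 1 > hi:
                break  # misaligned or overshoots the range: stop growing
            plen -= 1
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{plen}")
        lo += 1 << (32 - plen)
    return blocks


def prefix_to_netmask(plen: int) -> str:
    """Dotted netmask for a prefix length, e.g. 13 -> 255.248.0.0."""
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF if plen else 0
    return str(ipaddress.IPv4Address(mask))


def ipfw_deny_rules(first: str, last: str, start_rule: int = 300, step: int = 10) -> list:
    """ipfw commands that drop all traffic sourced from the range.

    Rule numbers are arbitrary (assumption); they must sort before any
    allow rule that would otherwise pass this traffic.
    """
    return [
        f"ipfw add {start_rule + i * step} deny all from {cidr} to any"
        for i, cidr in enumerate(range_to_cidrs(first, last))
    ]


def matches(ip: str, cidrs: list) -> bool:
    """True if ip falls inside any of the blocks, i.e. what ipfw would match."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(c) for c in cidrs)


if __name__ == "__main__":
    first, last = "219.128.0.0", "219.137.255.255"  # range from Carmel's mail
    for cidr in range_to_cidrs(first, last):
        net, plen = cidr.split("/")
        print(f"{cidr}  (netmask form: {net}:{prefix_to_netmask(int(plen))})")
    for rule in ipfw_deny_rules(first, last):
        print(rule)
```

For Carmel's range this yields two rules, one for 219.128.0.0/13 (219.128 through 219.135) and one for 219.136.0.0/15 (219.136 and 219.137). Verify the ordering with `ipfw list` after adding them: ipfw evaluates rules in ascending number order and stops at the first match, so a deny that sorts after a broad allow never fires. The rules above only block packets coming from the range; to also stop hosts behind the firewall from connecting out to it, add matching `deny all from any to <cidr>` rules. If you end up blocking many ranges, an ipfw table (`ipfw table 1 add 219.128.0.0/13`, then a single `deny all from table(1) to any` rule) keeps the rule set short.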