Date: Sat, 21 Apr 2001 18:25:13 +0100
From: Lee Smallbone
Reply-To: lee@kechara.net
Organization: Kechara Internet
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw problem

Hi Peter,

Thanks for your workaround, although it's not quite what I'd hoped for.
(Why does ipfw not allow ranges?? If the author's listening...)

I thought I had it for one minute, where I found that ${ip} isn't defined
until later on in the script. No such luck.

Ah well, thanks Peter!

--Lee

1/04/2001 23:07:10, Peter Pentchev wrote:

>On Sat, Apr 21, 2001 at 05:02:59PM +0100, Lee Smallbone wrote:
>> Hello Peter,
>>
>> 21/04/2001 22:54:10, Peter Pentchev wrote:
>>
>> >On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote:
>> >> Hi there,
>> >>
>> >> The machine stops booting on either of these two rules, and I have to boot into
>> >> single user, remove the rules and reboot. What's wrong with them?
>> >>
>> >> ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip}
>> >>
>> >> I also get the same problem on this rule (in place of the one above):
>> >>
>> >> ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}
>> >
>> >Where exactly in the boot process does it 'stop'? What application/program
>> >is it trying to execute? Or does ipfw itself hang when adding those rules?
>>
>> ipfw hangs during boot in trying to add rule 300.
>
>Well, I think there's something wrong with the rule itself. Nowhere in
>the ipfw manpage could I find a syntax for specifying addresses in
>an address-address format - it's either a single address, or address/bits,
>or address:mask. Though the fact that ipfw hangs is a little disturbing,
>I would advise that you rewrite this rule to use proper syntax, though
>that might be a little tricky - the address range you've specified does
>not fall under an easy mask :(
>
>Do you want to allow 213.46.0.*? If not, then try..
>
>${fwcmd} add 300 unreach 9 all from 213.46.0.0/18 to ${ip}
>${fwcmd} add 301 unreach 9 all from 213.46.64.0/19 to ${ip}
>${fwcmd} add 302 unreach 9 all from 213.46.96.0/20 to ${ip}
>${fwcmd} add 303 unreach 9 all from 213.46.112.0/21 to ${ip}
>${fwcmd} add 303 unreach 9 all from 213.46.120.0/22 to ${ip}
>
>(ick!)
>
>This would deny everything from 213.46.0.0 to 213.46.123.255. Yes, I know
>it's ugly.
>
>G'luck,
>Peter
>
>--
>Do you think anybody has ever had *precisely this thought* before?
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--
Lee Smallbone
Kechara Internet
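An added example, not code from either poster: since ipfw takes single addresses or address/bits but not a first-last range, the script below splits the range from Lee's rule into the exact CIDR blocks ipfw accepts and emits one rule per block, and it also measures how many addresses outside the requested range a hand-made approximation like Peter's five blocks would catch. It uses only Python's standard ipaddress module; the rule numbers, the "unreach 9" action and the ${fwcmd}/${ip} placeholders are carried over from the rc.firewall-style rules in the thread and are adjustable.

```python
# Added example: IPv4 range -> CIDR blocks for ipfw, plus an over-blocking check.
import ipaddress


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering exactly first..last (inclusive)."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def ipfw_rules(first, last, action="unreach 9", start=300,
               fwcmd="${fwcmd}", dst="${ip}"):
    """One ipfw rule per block, numbered consecutively from `start`."""
    # Same "add N <action> all from <src> to <dst>" shape as the thread's rules.
    return [f"{fwcmd} add {start + i} {action} all from {net} to {dst}"
            for i, net in enumerate(range_to_cidrs(first, last))]


def addresses_outside(cidrs, first, last):
    """Count addresses matched by the blocks that lie outside first..last.

    A deny/unreach rule that is wider than intended silently blocks
    legitimate hosts, so this is the number worth checking before loading it.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    extra = 0
    for cidr in cidrs:
        net = ipaddress.IPv4Network(cidr)
        n_lo = int(net.network_address)
        n_hi = int(net.broadcast_address)
        overlap = max(0, min(hi, n_hi) - max(lo, n_lo) + 1)  # part inside range
        extra += net.num_addresses - overlap
    return extra


# The five blocks Peter proposed; they round the range out to
# 213.46.0.0-213.46.123.255.
PETERS_BLOCKS = ["213.46.0.0/18", "213.46.64.0/19", "213.46.96.0/20",
                 "213.46.112.0/21", "213.46.120.0/22"]

if __name__ == "__main__":
    for rule in ipfw_rules("213.46.1.1", "213.46.123.254"):
        print(rule)
    print("addresses outside the range in the hand-made version:",
          addresses_outside(PETERS_BLOCKS, "213.46.1.1", "213.46.123.254"))
```

The exact decomposition needs 26 rules (numbered 300-325 with the defaults) because neither end of the range is aligned; Peter's five blocks trade that for 258 extra addresses (213.46.0.0-213.46.1.0 and 213.46.123.255) being hit as well.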