Date:      Sat, 21 Apr 2001 18:25:13 +0100
From:      Lee Smallbone <lee@kechara.net>
To:        Peter Pentchev <roam@orbitel.bg>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfw problem
Message-ID:  <200104211737.SAA32038@mailgate.kechara.net>

Hi Peter,

 Thanks for your workaround, although it's not quite what I'd hoped for. (Why does ipfw not allow
 ranges?? If the author is listening...)

 I thought I had it for one minute, where I found that ${ip} isn't defined until later on
 in the script. No such luck. 

 Ah well, thanks Peter!

--Lee 

1/04/2001 23:07:10, Peter Pentchev <roam@orbitel.bg> wrote:

>On Sat, Apr 21, 2001 at 05:02:59PM +0100, Lee Smallbone wrote:
>> Hello Peter,
>> 
>> 21/04/2001 22:54:10, Peter Pentchev <roam@orbitel.bg> wrote:
>> 
>> >On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote:
>> >> Hi there,
>> >> 
>> >>  The machine stops booting on either of these two rules, and I have to boot into 
>> >>  single user, remove the rules and reboot. What's wrong with them? 
>> >>  
>> >>  ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip} 
>> >> 
>> >>  I also get the same problem on this rule (in place of the one above): 
>> >> 
>> >>   ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}
>> >
>> >Where exactly in the boot process does it 'stop'?  What application/program
>> >is it trying to execute?  Or does ipfw itself hang when adding those rules?
>> 
>> ipfw hangs during boot in trying to add rule 300. 
>
>Well, I think there's something wrong with the rule itself.  Nowhere in
>the ipfw manpage could I find a syntax for specifying addresses in
>an address-address format - it's either a single address, or address/bits,
>or address:mask.  Though the fact that ipfw hangs is a little disturbing,
>I would advise that you rewrite this rule to use proper syntax, though
>that might be a little tricky - the address range you've specified does
>not fall under an easy mask :(
>
>Do you want to allow 213.46.0.*?  If not, then try..
>
>${fwcmd} add 300 unreach 9 all from 213.46.0.0/18 to ${ip}
>${fwcmd} add 301 unreach 9 all from 213.46.64.0/19 to ${ip}
>${fwcmd} add 302 unreach 9 all from 213.46.96.0/20 to ${ip}
>${fwcmd} add 303 unreach 9 all from 213.46.112.0/21 to ${ip}
>${fwcmd} add 303 unreach 9 all from 213.46.120.0/22 to ${ip}
>
>(ick!)
>
>This would deny everything from 213.46.0.0 to 213.46.123.255.  Yes, I know
>it's ugly.
>
>G'luck,
>Peter
>
>-- 
>Do you think anybody has ever had *precisely this thought* before?
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--

Lee Smallbone
Kechara Internet



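The range-to-CIDR conversion Peter does by hand above, as an added example that is not part of the thread: it computes the exact minimal CIDR decomposition of 213.46.1.1-213.46.123.254 with Python's ipaddress module, renders ipfw rules in the ${fwcmd}/${ip} style of the rc.firewall script, and measures how many extra addresses Peter's five-block approximation matches. The rule-rendering helper and its defaults are assumptions for illustration, not ipfw's own tooling.

```python
import ipaddress

# The range from the thread, which ipfw could not express as a single rule.
RANGE_START = ipaddress.IPv4Address("213.46.1.1")
RANGE_END = ipaddress.IPv4Address("213.46.123.254")

# Peter's hand-made approximation from the thread (it starts at 213.46.0.0).
PETERS_BLOCKS = [ipaddress.IPv4Network(n) for n in (
    "213.46.0.0/18", "213.46.64.0/19", "213.46.96.0/20",
    "213.46.112.0/21", "213.46.120.0/22")]


def range_to_cidrs(start, end):
    """Exact minimal CIDR decomposition of the inclusive range [start, end]."""
    return list(ipaddress.summarize_address_range(start, end))


def ipfw_rules(blocks, first_rule=300, action="unreach 9", dst="${ip}"):
    """Render one ipfw rule per block with sequential rule numbers.

    Hypothetical helper: the output mimics the rc.firewall style used in the
    thread, so ${fwcmd} and ${ip} are left as shell variables to be expanded.
    """
    return [f"${{fwcmd}} add {first_rule + i} {action} all from {b} to {dst}"
            for i, b in enumerate(blocks)]


def covers_range(blocks, start, end):
    """True when every address in [start, end] is matched by some block."""
    need = int(start)
    for b in ipaddress.collapse_addresses(blocks):  # yields sorted, merged nets
        if int(b.network_address) > need:
            return False  # a hole before this block
        need = max(need, int(b.broadcast_address) + 1)
        if need > int(end):
            return True
    return need > int(end)


def excess_addresses(blocks, start, end):
    """Addresses matched by the blocks beyond the wanted range (over-blocking)."""
    covered = sum(b.num_addresses for b in ipaddress.collapse_addresses(blocks))
    wanted = int(end) - int(start) + 1
    return covered - wanted


if __name__ == "__main__":
    exact = range_to_cidrs(RANGE_START, RANGE_END)
    print(f"{len(exact)} exact blocks, over-blocking {excess_addresses(PETERS_BLOCKS, RANGE_START, RANGE_END)} addresses with the /18../22 approximation")
    for rule in ipfw_rules(exact):
        print(rule)
```

The exact decomposition needs 26 rules because the range is not aligned at either end; Peter's approximation covers the whole range with five rules at the cost of also matching 213.46.0.0-213.46.1.0 and 213.46.123.255.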