Date: Sat, 21 Apr 2001 19:30:01 +0300 From: Peter Pentchev <roam@orbitel.bg> To: Lee Smallbone <lee@kechara.net> Cc: freebsd-security@freebsd.org Subject: Re: ipfw problem Message-ID: <20010421193001.E458@ringworld.oblivion.bg> In-Reply-To: <200104211737.SAA32038@mailgate.kechara.net>; from lee@kechara.net on Sat, Apr 21, 2001 at 06:25:13PM %2B0100 References: <200104211737.SAA32038@mailgate.kechara.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
> Hi Peter,
>
> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
> ranges?? If the author listening...)
>
> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
> in the script. No such luck.
Hmm I didn't quite parse that - are you saying that ${ip} really isn't defined
until later? If so, has that solved your problem?
And about the ranges - ipfw(8) is only a controlling interface to the kernel
ipfw routines. It would be *much* harder for the kernel to compare every
packet's address against a range than it is to compare it against a netmask -
the latter only involves a bitwise AND operator. I wonder if ranges would
be so hard to implement though; the fact is, they are not implemented at
the moment, this would take some work, and actually, I'm not aware of any
other firewalling system that implements ranges. I would be VERY much out
of my bailiwick here, though, because I've not dealt with that many other
firewalling systems, but still, I think ranges are somewhat unusual in
firewall rules :)
G'luck,
Peter
--
I had to translate this sentence into English because I could not read the original Sanskrit.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010421193001.E458>