From owner-freebsd-security Sat Apr 21 9:31:42 2001
Date: Sat, 21 Apr 2001 19:30:01 +0300
From: Peter Pentchev
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw problem
Message-ID: <20010421193001.E458@ringworld.oblivion.bg>
In-Reply-To: <200104211737.SAA32038@mailgate.kechara.net>

On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
> Hi Peter,
>
> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
> ranges?? If the author listening...)
>
> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
> in the script. No such luck.

Hmm I didn't quite parse that - are you saying that ${ip} really isn't
defined until later? If so, has that solved your problem?

And about the ranges - ipfw(8) is only a controlling interface to
the kernel ipfw routines. It would be *much* harder for the kernel
to compare every packet's address against a range than it is to compare
it against a netmask - the latter only involves a bitwise AND operator.

I wonder if ranges would be so hard to implement though; the fact is,
they are not implemented at the moment, this would take some work,
and actually, I'm not aware of any other firewalling system that
implements ranges. I would be VERY much out of my bailiwick here,
though, because I've not dealt with that many other firewalling systems,
but still, I think ranges are somewhat unusual in firewall rules :)

G'luck,
Peter

-- 
I had to translate this sentence into English because I could not read the original Sanskrit.
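
Added example, not part of the original message and not taken from the ipfw sources: the AND-and-compare mask test described above, and a routine that covers an inclusive address range with the fewest address/prefix blocks, so a range can be written as a handful of mask rules. The names struct cidr, mask_match and range_to_cidr are made up for this example, and the range in main() is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* One address/prefix block; net is in host byte order. */
struct cidr { uint32_t net; int len; };

/* The mask test: one AND and one compare per address. */
int mask_match(uint32_t addr, struct cidr c)
{
    /* A shift by 32 is undefined in C, so /0 is special-cased. */
    uint32_t mask = c.len == 0 ? 0 : 0xFFFFFFFFu << (32 - c.len);
    return (addr & mask) == c.net;
}

/* Cover the inclusive range [lo, hi] with the fewest blocks.
 * Returns the number written, or -1 if lo > hi or out[] is too small. */
int range_to_cidr(uint32_t lo, uint32_t hi, struct cidr *out, int max)
{
    uint64_t cur = lo, end = hi;   /* 64-bit so 255.255.255.255 cannot wrap */
    int n = 0;

    if (lo > hi)
        return -1;
    while (cur <= end) {
        int len = 32;
        /* Widen the block while it stays aligned on cur and inside the range. */
        while (len > 0) {
            uint64_t size = 1ULL << (33 - len);   /* size of the next wider block */
            if ((cur & (size - 1)) != 0 || cur + size - 1 > end)
                break;
            len--;
        }
        if (n == max)
            return -1;
        out[n++] = (struct cidr){ (uint32_t)cur, len };
        cur += 1ULL << (32 - len);
    }
    return n;
}

int main(void)
{
    struct cidr b[32];   /* constructed sample range: 192.0.2.10 - 192.0.2.20 */
    int n = range_to_cidr(0xC000020Au, 0xC0000214u, b, 32);
    for (int i = 0; i < n; i++)
        printf("%u.%u.%u.%u/%d\n", (unsigned)(b[i].net >> 24), (unsigned)(b[i].net >> 16 & 255),
               (unsigned)(b[i].net >> 8 & 255), (unsigned)(b[i].net & 255), b[i].len);
    return 0;
}
```

Each printed block is one address/prefix pair; an address inside the range matches exactly one of them and an address outside matches none.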