Date: Sat, 21 Apr 2001 18:41:00 +0100
From: Lee Smallbone <lee@kechara.net>
To: Peter Pentchev <roam@orbitel.bg>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw problem
Message-ID: <200104211753.SAA32096@mailgate.kechara.net>

I know that some of the 'hardware' firewall boxes (such as SonicWALL) support IP ranges, but I've yet to find a software solution.

21/04/2001 23:30:01, Peter Pentchev <roam@orbitel.bg> wrote:

>On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
>> Hi Peter,
>>
>> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
>> ranges?? If the author listening...)
>>
>> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
>> in the script. No such luck.
>
>Hmm I didn't quite parse that - are you saying that ${ip} really isn't defined
>until later? If so, has that solved your problem?

No, it didn't solve the problem. :) I was saying I thought it *might* have, but it was only another error, which occurred after the range was specified, thus ipfw didn't ever get to that error.

>And about the ranges - ipfw(8) is only a controlling interface to the kernel
>ipfw routines. It would be *much* harder for the kernel to compare every
>packet's address against a range than it is to compare it against a netmask -
>the latter only involves a bitwise AND operator. I wonder if ranges would
>be so hard to implement though; the fact is, they are not implemented at
>the moment, this would take some work, and actually, I'm not aware of any
>other firewalling system that implements ranges. I would be VERY much out
>of my bailiwick here, though, because I've not dealt with that many other
>firewalling systems, but still, I think ranges are somewhat unusual in
>firewall rules :)
>
>G'luck,
>Peter
>
>--
>I had to translate this sentence into English because I could not read the original Sanskrit.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
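
Added example, not part of the original message or of ipfw: since the thread says ipfw matches an address against a netmask rather than a range, an inclusive IPv4 range can be covered exactly by a short list of address/masklen blocks, one rule per block. The function names, the sample range (a documentation address block) and the `allow ip from ... to any` rule body are assumptions chosen for illustration.

```sh
#!/bin/sh
# Cover an inclusive IPv4 range with the fewest address/masklen blocks.
# Octets must be plain decimal (no leading zeros).

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the argument on dots
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidr FIRST LAST: print one address/masklen block per line.
range_to_cidr() {
    lo=$(ip_to_int "$1"); hi=$(ip_to_int "$2")
    while [ "$lo" -le "$hi" ]; do
        len=32                     # start with a single host
        while [ "$len" -gt 0 ]; do
            size=$(( 1 << (33 - len) ))   # size of the next larger block
            # Stop growing if lo is not aligned to that block,
            # or if the block would run past the end of the range.
            if [ $(( lo % size )) -ne 0 ] || [ $(( lo + size - 1 )) -gt "$hi" ]; then
                break
            fi
            len=$(( len - 1 ))
        done
        echo "$(int_to_ip "$lo")/$len"
        lo=$(( lo + (1 << (32 - len)) ))  # continue after the emitted block
    done
}

# range_rules FIRST LAST: print (not run) one ipfw rule per block.
range_rules() {
    range_to_cidr "$1" "$2" | while read -r block; do
        echo "ipfw add allow ip from $block to any"
    done
}

# Constructed sample range: sixteen hosts that no single netmask covers.
range_rules 192.0.2.5 192.0.2.20
```

A range of N addresses never needs more than about 2*log2(N) blocks, so the rule count stays small even for wide ranges.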